On Friday 28 June 2024 00:52:09 masber masber wrote:
> Dear zypper community,
>
> I have a community sonatype nexus repository, I would like to install a
> package but I am getting the following error:
>
> HEADER V3 RSA/SHA256 Signature, Key ID: XXXXX NOKEY
>
> I have the impression this is a sonatype error but I don't know what to
> explain to them so they can tell me what's wrong or how to fix it since this
> may be a zypper error message and other developers may not be familiar with
> it.
>
> could you please guide on what this error means and what triggers it so I can
> explain to the sonatype community?
The error message originates from rpm:
Rpm packages may be signed by the issuer using his gpg-key. When the package is
to be installed on a system, rpm tries to check this signature to be sure
no-one tampered with the package on its way from the issuer to the user.
Rpm maintains a set of known and trusted gpg-keys in its database. They are
stored as gpg-pubkey pseudo packages (rpm -qi gpg-pubkey). These keys can be
removed like packages (rpm -e) and added via (rpm --import KEYFILE).
The above message tells that the package was signed by a gpg-key with ID:
XXXXX.
The key however is not available in the rpmdb (NOKEY). So rpm is not able to
verify the authenticity of the package.
In an ideal zypper-world, the repository's metadata are also signed with the
issuer's key. When you add the repository and the signing key is not in the
rpmdb, zypper asks whether you want to trust the issuer's key - if this key is
shipped along with the repo.
Your job is to make sure the key's fingerprint is actually the one used by the
issuer. Many issuers e.g. publish the keys they use on their website.
Once confirmed, zypper imports this key into the rpm database. Packages signed
with this key can now be installed without this warning.
In addition zypper (as default) allows installing packages with a missing key,
IF the repository metadata describing the package were signed with a trusted
key AND the local rpm package matches the checksum mentioned in the signed
metadata.
So if the sonatype community repo signs its packages, they will also have the
gpg-key published somewhere (on their website or along with the repo...).
Download the key to a local KEYFILE; call (as root) `rpm --import KEYFILE` and
packages signed with this key will be installed without this warning.
--
cu,
Michael Andres
+------------------------------------------------------------------+
Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4
+------------------------------------------------------------------+
Michael Andres (he/him/his), Engineering & Innovation, [email protected]
+------------------------------------------------------------------+
SUSE Software Solutions Germany GmbH www.suse.com
Frankenstr. 146, 90461 Nuernberg, Germany
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)
+------------------------------------------------------------------+
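The procedure Michael describes (download the issuer's key, confirm its fingerprint against what the issuer publishes, then `rpm --import` it) as an added shell example; this is not code from the original message or from the zypper/rpm projects. It uses `gpg --show-keys` (GnuPG 2.1.23 or later) to read the fingerprint without touching any keyring, and refuses to import a key whose fingerprint does not match the expected one. The KEYFILE path and the expected fingerprint are placeholders you supply from the issuer's own publication.

```shell
#!/bin/sh
# Added example, not part of the original mail: import a repository signing key
# into the rpm database only after its fingerprint matches the one the issuer
# published, so packages signed with it no longer report NOKEY.
set -eu

# Normalize a fingerprint for comparison: drop whitespace, force uppercase,
# so "2dfa 5d73 ..." and "2DFA5D73..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when two fingerprints match, ignoring spacing and case.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Primary-key fingerprint of an ASCII-armored or binary key file, read without
# importing it anywhere (first "fpr" record of gpg's colon-separated output).
key_fingerprint() {
    gpg --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Keys rpm already trusts: the gpg-pubkey pseudo packages and their summaries.
list_rpm_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# Import KEYFILE into the rpm database only if its fingerprint equals EXPECTED.
# Returns 1 on mismatch, 2 if no fingerprint could be read. Run as root.
import_trusted_key() {
    keyfile=$1
    expected=$2
    actual=$(key_fingerprint "$keyfile")
    if [ -z "$actual" ]; then
        echo "could not read a fingerprint from $keyfile" >&2
        return 2
    fi
    if ! fpr_matches "$actual" "$expected"; then
        echo "fingerprint mismatch for $keyfile: got $actual, expected $expected" >&2
        return 1
    fi
    rpm --import "$keyfile"
}

# Usage (placeholders, as root):
#   import_trusted_key /tmp/REPO-GPG-KEY 'FINGERPRINT-PUBLISHED-BY-ISSUER'
#   list_rpm_keys                   # the new gpg-pubkey entry should appear
#   rpm -K /path/to/package.rpm     # now verifies the signature instead of NOKEY
```

Checking the fingerprint before `rpm --import` is the step that actually establishes trust; importing whatever key happens to sit next to the repository only silences the warning. `rpm -K` on a downloaded package afterwards confirms that the signature verifies against the imported key.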