Signature verification failed error on openSUSE repository

stanski · October 21, 2019, 2:00pm

I’m unable to refresh the openSUSE_Leap_15.1 repo of owncloud (http://download.owncloud.org/download/repositories/stable/openSUSE_Leap_15.1) with zypper.

zypper refresh results in this error:

Signature verification failed for file 'repomd.xml' from repository 'ownCloud Server Version stable (openSUSE_Leap_15.1)'.

Note: Signing data enables the recipient to verify that no modifications occurred after the data
were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
and in extreme cases even to a system compromise.

Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
whole repo.

Warning: This file was modified after it has been signed. This may have been a malicious change,
so it might not be trustworthy anymore! You should not continue unless you know it's safe.

stanski · October 28, 2019, 1:11pm

Is there a better place to report this issue? A contact for the repo maintainers?

anon21401411 · October 31, 2019, 12:11pm

Hey,

from what i know / have read in the past the ownCloud team is not frequently reading this forums and a contact is better done via GitHub · Where software is built. In your specific case i had found the following statement of a repository maintainer in the past, i think this is valid for the unsupported LEAP 15.1 repo as well:

stanski · November 1, 2019, 12:38pm

Thanks, tom42. I’ll try there.
Not sure why you mentioned the repo is unsupported though. LEAP 15.1 is the current OpenSUSE version.

Also in this case the problem isn’t an expired key but a modification that was made after the release was signed.

anon21401411 · November 1, 2019, 5:00pm

Hey,

i think this was a mistake from my side. I thought that LEAP 15.1 isn’t supported or an outdated release because it isn’t listed on the owncloud.org repository page here:

https://download.owncloud.org/download/repositories/production/owncloud/

(which gets linked from https://owncloud.org/download/#owncloud-server-linux-packages). But it seems this link is redirecting to:

https://attic.owncloud.org/download/repositories/production/owncloud/

including “attic” in the domain name. I’m not sure if the ownCloud team is phasing out the support of the repository.

stanski · November 4, 2019, 3:19pm

Gotcha. Doesn’t help that 42.3 > 15.1 but it is in fact older, thanks to the versioning change on openSUSE’s part.

I’ve posted the issue on github; we’ll see if it receive any attention there.