[BUG REPORT] openSUSE zypper failure with all gpg versions > 2.2.6

James Bottomley James.Bottomley at HansenPartnership.com
Fri Mar 27 20:37:00 CET 2020

On Thu, 2020-03-26 at 09:57 -0700, James Bottomley via Gnupg-devel
> On Thu, 2020-03-26 at 09:44 -0400, Daniel Kahn Gillmor wrote:
> > Also, you say that zypper works if you revert this patch.  have you
> > tested this "working" configuration against a deliberately tampered
> > message body?  To test that it is working, it's best to verify both
> > that a valid message is accepted *and* that a tampered message is
> > rejected.
> I can check ... I just have to set up a corrupt repo, hang on.

OK, I've created a repo under my control and pointed zypper to it and
verified it works OK.  Corrupting the repomd.xml file to cause the
signature to fail gets a warning message from zypper and signing it
with a different key also gets a message asking me to accept the new
key, so I think its operating correctly with the patch reverted.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20200327/0ab4dd63/attachment.sig>

More information about the Gnupg-devel mailing list