Signature verification failed for file 'repomd.xml'

Hi. it appears that multiple servers, after a successful update yesterday, report the following issue with ‘repomd.xml’:

host:~ # zypper lu Refreshing service 'nu_novell_com'. Removing repository 'SLE11-Security-Module' [done] Retrieving repository 'SLES11-SP3-Updates' metadata [-] Signature verification failed for file 'repomd.xml' from repository 'SLES11-SP3-Updates'. Warning: This might be caused by a malicious change in the file! Continuing might be risky. Continue anyway? [yes/no] (no): Retrieving repository 'SLES11-SP3-Updates' metadata [error] Repository 'SLES11-SP3-Updates' is invalid. [|] Valid metadata not found at specified URL(s) Please check if the URIs defined for this repository are pointing to a valid repository. Warning: Disabling repository 'SLES11-SP3-Updates' because of the above error. Loading repository data... Reading installed packages... No updates found. host:~ #

Anyone observing similar effects?

What would be the most appropriate reaction?

Thanks and regards, Thomas

Hi!
Tried to run online update on a bunch of Novell-delivered SLES 11 SP3 64-bit this morning. This came out:

Validation Check Failed

File repomd.xml from repository SLES11-SP3-Updates
https://nu.novell.com/repo/$RCE/SLES11-SP3-Updates/sle-11-x86_64?credentials=N
is signed with the following GnuPG key, but the integrity check failed:

ID: E3A5C360307E3D54
Fingerprint: 4E98 E675 19D9 8DC7 362A 5990 E3A5 C360 307E 3D54
Name: SuSE Package Signing Key build@suse.de
Created: 03/18/14
Expires: 03/17/18

This means that the file has been changed by accident or by an attacker
since the repository creator signed it. Using it is a big risk
for the integrity and security of your system.

Use it anyway?

                               [Yes] [No]

In this situation I’m not so happy answering “yes” to this one.

Hi,

I have the same issue here:

[QUOTE]Checking whether to refresh metadata for SLES11-SP3-Updates
Retrieving: repomd.xml [done]
Repository ‘SLES11-SP3-Updates’ is up to date.
Building repository ‘SLES11-SP3-Updates’ cache [done]
Error building the cache:
[|] Failed to cache repo (1).
History:

• Project-Id-Version: YaST (@memory@)
  Report-Msgid-Bugs-To:
  POT-Creation-Date: 2011-08-04 01:13+0200
  PO-Revision-Date: 2007-08-22 14:13+0200
  Last-Translator: proofreader i18n@suse.de
  Language-Team: English i18n@suse.de
  Language: en
  MIME-Version: 1.0
  Content-Type: text/plain; charset=UTF-8
  Content-Transfer-Encoding: 8bit
  Plural-Forms: nplurals=2; plural=n != 1;

Skipping repository ‘SLES11-SP3-Updates’ because of the above error.
Some of the repositories have not been refreshed because of an error.[/QUOTE]

Any ideas?

Hi
I have asked my SUSE contacts if there are any known issues, with
mirrors etc. Stay tuned

I can’t even mirror it at all …

Mirroring: https://nu.novell.com/repo/$RCE/SLES11-SP3-Updates/sle-11-x86_64/
Target: /srv/www/htdocs/repo/$RCE/SLES11-SP3-Updates/sle-11-x86_64
D /srv/www/htdocs/repo/$RCE/SLES11-SP3-Updates/sle-11-x86_64/.repodata/repomd.xml
[COLOR="#FF0000"]SMT::Parser::RpmMdLocation Invalid XML in ‘/srv/www/htdocs/repo/$RCE/SLES11-SP3-Updates/sle-11-x86_64/.repodata/repomd.xml’: [/COLOR]
not well-formed (invalid token) at line 1, column 0, byte 0 at /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi/XML/Parser.pm line 187
Finished downloading and parsing the metadata, going to download the rest of the files…
D /srv/www/htdocs/repo/$RCE/SLES11-SP3-Updates/sle-11-x86_64/.repodata/repomd.xml.asc
D /srv/www/htdocs/repo/$RCE/SLES11-SP3-Updates/sle-11-x86_64/.repodata/repomd.xml.key
=> Finished mirroring ‘https://nu.novell.com/repo/$RCE/SLES11-SP3-Updates/sle-11-x86_64/’
=> Total files : 3
=> Total transferred files : 3
=> Total transferred file size : 1621 bytes (1.58 KB)
=> Total linked files : 0
=> Total copied files : 0
=> Files up to date : 0
=> Errors : 1
=> Mirror Time : 00:00:01
=> New security updates : 0
=> New recommended updates : 0

[QUOTE=malcolmlewis;23864]Hi
I have asked my SUSE contacts if there are any known issues, with
mirrors etc. Stay tuned ;)[/QUOTE]

Does anyone have a work-around to get a known good copy of Bash 3.33 installed?

Thanx.

[QUOTE=lumentouch;23870]Does anyone have a work-around to get a known good copy of Bash 3.33 installed?

Thanx.[/QUOTE]

Seems the issue is gone today.
Does anybody have an explanation for these effects?

Thanks, Thomas

I updated my sles11sp3/oes11sp2 servers on Monday, September 29th. Thought I’d check today (October 1st) and I’m having this same error.

Suggestions?

It is working now as of 2:10 p.m. EST Oct 1, 2014.

seems there has been a wrong timestamp on repomd.xml

Now it’s working again:

host:~ # zypper ref Repository 'SUSE-Linux-Enterprise-Server-11-SP3 11.3.3-1.138' is up to date. Repository 'SUSE-Linux-Enterprise-Software-Development-Kit-11-SP3 11.3.3-1.69' is up to date. Repository 'SLES11-SP3-Extension-Store' is up to date. Repository 'SLES11-SP3-Pool' is up to date. Repository 'SLES11-SP3-Updates' is up to date. All repositories have been refreshed. host:~ #

I heard Novell is preparing a permanent fix for that.

HTH, Thomas