SLED11SP2 - update repository integrity problem

Hello,

I cannot refresh the SLED11-SP2-Updates repo anymore… I keep getting a warning about a possibly corrupt repomd.xml:

File repomd.xml from repository SLED11-SP2-Updates
https://nu.novell.com/repo/$RCE/SLED11-SP2-Updates/sle-11-x86_64?credentials=NCCcredentials
is signed with the following GnuPG key, but the integrity check failed:

ID: E3A5C360307E3D54
Fingerprint: 4E98 E675 19D9 8DC7 362A 5990 E3A5 C360 307E 3D54
Name: SuSE Package Signing Key build@suse.de
Created: 05/04/2010
Expires: 05/03/2014

The file has been changed, either by accident or by an attacker,
since the repository creator signed it. Using it is a big risk
for the integrity and security of your system.

Does anybody experience similar problems?

Thanks…

Try running

$ zypper clean -a

That cleans all cache packages and metadata for all repos.

I have cleaned the cache (zypper clean -a) but the problem persists…

It turns out I was also getting an error, not exactly the same as yours but related looking and also on SLED11-SP2-Updates. This was with my own copy of the repo. (I maintain a local mirror using Subscription Management Tool.) Having told SMT to re-sync, the error has gone away. So looks like a transient issue that’s been resolved. Are you still seeing a problem?

No change here, still the same error :frowning:

I’m having the same issue with the SLES 11 sp2 for VMware update repository:
File repomd.xml from repository SLES11-SP2-VMware-Updates
https://nu.novell.com/repo/$RCE/SLES11-SP2-VMware-Updates/sle-11-x86_64?credentials=NCCcredentials
is signed with the following GnuPG key, but the integrity check failed:

            ID: E3A5C360307E3D54
            Fingerprint: 4E98 E675 19D9 8DC7 362A 5990 E3A5 C360 307E 3D54
            Name: SuSE Package Signing Key <build@suse.de> 
            Created: 05/04/10                                                                
            Expires: 05/03/14                                                                                  
                                                                                                               
            This means that the file has been changed by accident or by an attacker                            
            since the repository creator signed it. Using it is a big risk                                     
            for the integrity and security of your system.                            

Tried running “zypper clean -a”, but no change.

I have found that in this situation I can refresh the repository with gpk-update:

  • after cleaning the cache (zypper clean -a)
  • run gpk-update to check for online updates in configured repos
  • get popup dialog “Software signature is required” asking whether to trust the
    source of packages
  • the GPG key presented is ID E3A5C360307E3D54 with User ID SuSE Package Signing
    Key build@suse.de, i.e. looks like the same key as before (same fingerprint)
  • if accepted, the repo gets refreshed and becomes usable until I clean the cache - then I am back at the beginning

Strange…

Well, after I have checked this morning everything seems to be working OK… Maybe there was some problem with particular repo mirror(s)… I believe akamai CDN is used for delivery of nu.novell.com services…

Working for me as well.

Hi,

last week everything worked fine, but since today I’m running into this same problem because of a wrong checksum (2 messages):

-1-
Die erwartete Prüfsumme der Datei /var/cache/zypp/raw/nu_novell_com:SLED11-SP2-Updatesw8EMQZ/repodata/deltainfo.xml.gz
ist 952fa47bfd215fc53059ff6000b2e48a2bda429d,
aber die aktuelle Prüfsumme ist a4454914bff2e8af99dff7304fa0c903f31f1241.

Dies bedeutet, dass die Datei versehentlich oder durch einen
Angreifer geändert wurde, seit sie vom Ersteller des Repositorys signiert wurde.
Die Verwendung der Datei stellt daher ein hohes Risiko für Integrität und Sicherheit des Systems dar.
-2-
Fehler bei der Initialisierung des Repository.
[|] Keine gültigen Metadaten bei festgelegten URL(s) gefunden
Verlauf:

  • deltainfo.xml.gz has wrong checksum

[QUOTE=guennov;12595]Hi,

last week everything worked fine, but since today I’m running into this same problem because of a wrong checksum (2 messages):

-1-
Die erwartete Prüfsumme der Datei /var/cache/zypp/raw/nu_novell_com:SLED11-SP2-Updatesw8EMQZ/repodata/deltainfo.xml.gz
ist 952fa47bfd215fc53059ff6000b2e48a2bda429d,
aber die aktuelle Prüfsumme ist a4454914bff2e8af99dff7304fa0c903f31f1241.

Dies bedeutet, dass die Datei versehentlich oder durch einen
Angreifer geändert wurde, seit sie vom Ersteller des Repositorys signiert wurde.
Die Verwendung der Datei stellt daher ein hohes Risiko für Integrität und Sicherheit des Systems dar.
-2-
Fehler bei der Initialisierung des Repository.
[|] Keine gültigen Metadaten bei festgelegten URL(s) gefunden
Verlauf:

  • deltainfo.xml.gz has wrong checksum
    —[/QUOTE]

Try

$ zypper clean -a
$ zypper refresh

clean removes caches of downloaded packages, -a removes repository metadata as well.
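
An added example, not part of any post above and not zypper's own code: it reads the repomd.xml in a repository copy (for instance a directory under /var/cache/zypp/raw/) and reports which listed files, such as deltainfo.xml.gz, no longer match the digest recorded for them, which is what a half-synced mirror looks like. It assumes the standard rpm-md repomd.xml layout; the function names are hypothetical, the sample repository is constructed, and it does not replace the GnuPG signature check on repomd.xml itself.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"r": "http://linux.duke.edu/metadata/repo"}
# Older createrepo releases write type="sha" for SHA-1 digests.
ALGOS = {"sha": "sha1", "sha1": "sha1", "sha256": "sha256"}

def check_repodata(repo_root):
    """Hash every file listed in repodata/repomd.xml; return (href, status) pairs."""
    root = Path(repo_root).resolve()
    doc = ET.parse(str(root / "repodata" / "repomd.xml")).getroot()
    results = []
    for data in doc.findall("r:data", NS):
        loc, csum = data.find("r:location", NS), data.find("r:checksum", NS)
        if loc is None or csum is None:
            continue
        href = loc.get("href", "")
        algo = ALGOS.get(csum.get("type", "").lower())
        path = (root / href).resolve()
        if root not in path.parents:          # href must stay inside the repo
            status = "outside-repo"
        elif algo is None:
            status = "unsupported-checksum-type"
        elif not path.is_file():
            status = "missing"
        else:
            actual = hashlib.new(algo, path.read_bytes()).hexdigest()
            status = "ok" if actual == (csum.text or "").strip().lower() else "mismatch"
        results.append((href, status))
    return results

def make_constructed_repo(root):
    """Constructed sample: repomd.xml still lists the digest of an older deltainfo."""
    repodata = Path(root) / "repodata"
    repodata.mkdir(parents=True)
    (repodata / "primary.xml.gz").write_bytes(b"primary, current sync")
    (repodata / "deltainfo.xml.gz").write_bytes(b"deltainfo, newer sync")
    entries = [("primary", hashlib.sha1(b"primary, current sync").hexdigest()),
               ("deltainfo", hashlib.sha1(b"deltainfo, older sync").hexdigest())]
    body = "".join(
        f'<data type="{n}"><checksum type="sha">{d}</checksum>'
        f'<location href="repodata/{n}.xml.gz"/></data>' for n, d in entries)
    (repodata / "repomd.xml").write_text(f'<repomd xmlns="{NS["r"]}">{body}</repomd>')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_repo(tmp)
        for href, status in check_repodata(tmp):
            print(f"{status:10} {href}")
```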