SDB:YOU Reports Problems Verifying Patch Signatures

From openSUSE

Symptom

YaST Online Update (YOU) fails with an error message

Signature check for patch info files failed. Cannot load patch information.

Possible cause: corrupted download

This problem is often caused by a corrupted download of the patch information file. A corrupted download itself has a number of possible causes, like a simple transmission error or a content-altering proxy. This article is not concerned with that case. We will assume that you have already ruled out a corrupted download.

Background

The patchinfo files that YOU downloads from SUSE carry digital signatures made with the GNU Privacy Guard (GnuPG). YOU uses these signatures to verify that the patchinfo was produced by a trusted source (Novell/SUSE) and that it has not been tampered with, whether accidentally (e.g. through data corruption during download) or deliberately by a malicious party.

The /usr/lib/rpm/gnupg/pubring.gpg file contains the public keys needed to verify the signatures on patch information files; the /var/lib/YaST2/gnupg/trustdb.gpg file contains related administrative data. When either of these files gets corrupted, YOU cannot verify the signatures on the patch information files and refuses to process them further.

Possible cause: corrupted (or deleted) GPG files

One cause for a failed signature check is a deleted or corrupted keyring file (/usr/lib/rpm/gnupg/pubring.gpg) or trust database (/var/lib/YaST2/gnupg/trustdb.gpg).

You can have a look at the contents of the keyring file through a command like the following:

gpg --no-default-keyring --keyring /usr/lib/rpm/gnupg/pubring.gpg --verbose --list-keys

Solution: replace corrupted GPG files

Regenerate the /usr/lib/rpm/gnupg/pubring.gpg and /var/lib/YaST2/gnupg/trustdb.gpg files by reinstalling the suse-build-key package.

For SUSE Linux Enterprise Server 9, this package is found on CD2 and the command looks like this:

rpm -i --force --nosignature /media/cdrom/suse/noarch/suse-build-key*rpm

Possible cause: system time is in the (far) future

Some of the keys used to sign SUSE packages have an expiry date set. GnuPG compares that date against the system clock, so when the system time is in the (far) future, the system may conclude that a key has already expired (and is therefore no longer to be trusted).
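The following script is an added example and not part of the openSUSE article. It ties together the two causes above: it checks that the keyring and trust database the article names are present and non-empty, and it lists the keys in the keyring together with whether the current system clock would already consider them expired. It relies on GnuPG's machine-readable colon listing (--with-colons with --fixed-list-mode, where field 5 is the key ID and field 7 the expiry as seconds since the epoch); the function names and the sample records in the comments are this example's own.

```shell
#!/bin/sh
# Added example, not part of the openSUSE SDB article: check the GnuPG
# files YOU relies on and list which keys the system clock would consider
# expired. The two paths are the ones the article names; the function
# names are this example's own.

KEYRING=/usr/lib/rpm/gnupg/pubring.gpg
TRUSTDB=/var/lib/YaST2/gnupg/trustdb.gpg

# Return 0 when the file is readable and non-empty (a zero-byte keyring
# or trustdb is the typical trace of a truncated or corrupted file).
check_file() {
    if [ ! -r "$1" ]; then
        echo "MISSING or unreadable: $1"
        return 1
    fi
    if [ ! -s "$1" ]; then
        echo "EMPTY: $1"
        return 1
    fi
    return 0
}

# Read `gpg --with-colons --fixed-list-mode --list-keys` records on stdin
# and print "<keyid> <status>" for every public key, where status is one
# of valid / expired / noexpiry, judged against the epoch time passed as
# $1. Colon-record fields: 1=record type, 5=key ID, 7=expiry date.
# Constructed input record for illustration (not a real SUSE key):
#   pub:-:1024:17:0123456789ABCDEF:1000000000:1100000000::-:::sc:
classify_keys() {
    awk -F: -v now="$1" '
        $1 == "pub" {
            keyid = $5; expiry = $7
            if (expiry == "")              status = "noexpiry"
            else if (expiry + 0 < now + 0) status = "expired"
            else                           status = "valid"
            print keyid, status
        }'
}

# Run the checks against the live system; needs read access to both
# files. Returns 1 without calling gpg if either file is missing or empty.
you_keycheck() {
    rc=0
    check_file "$KEYRING" || rc=1
    check_file "$TRUSTDB" || rc=1
    [ "$rc" -eq 0 ] || return 1
    gpg --no-default-keyring --keyring "$KEYRING" \
        --fixed-list-mode --with-colons --list-keys 2>/dev/null |
        classify_keys "$(date +%s)"
}

you_keycheck
```

A key reported as "expired" while its expiry date is actually in the future points at the system clock rather than at the keyring; a MISSING or EMPTY line points at the reinstall of suse-build-key described below.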

Solution: set the system time properly

Setting the proper system time is covered in the manual. You may want to configure time synchronisation so that your system keeps proper time. For details on time synchronisation, see the article SDB:Time Synchronization Through the Network.

Similar/related problems

There is a similar problem with the verification of the signatures of RPM package files rather than YOU patch info files; it is discussed in the article SDB:YOU or RPM Report Problems Verifying Package Signatures.