Automated SUSE Manager package synchronization fails because of an untrusted GPG key

This document (000021509) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Manager Server 4.3

Situation

SUSE Manager syncs packages from the SUSE Customer Center (scc.suse.com) on a daily basis. Package synchronization may fail because of an untrusted GPG key, even though SUSE Manager automatically trusts GPG keys generated by SUSE. An example of the error from /var/log/rhn/rhn_taskomatic_daemon.log:
 
org.quartz.JobExecutionException: Command '[/usr/bin/spacewalk-repo-sync, --channel, sle-module-confidential-computing-15-sp6-pool-x86_64, --type, yum, --non-interactive]' exited with error code 1: 01:00:38 ======================================
01:00:38 | Channel: sle-module-confidential-computing-15-sp6-pool-x86_64
01:00:38 ======================================
01:00:38 Sync of channel started.
Retrieving repository 'sle-module-confidential-computing-15-sp6-pool-x86_64' metadata [......

New repository or package signing key received:

  Repository:       sle-module-confidential-computing-15-sp6-pool-x86_64
  Key Fingerprint:  7F00 9157 B127 B994 D5CF BE76 F74F 09BC 3FA1 D6CE
  Key Name:         SUSE Package Signing Key <build@suse.de>
  Key Algorithm:    RSA 4096
  Key Created:      Thu 19 Jan 2023 02:39:40 PM CET
  Key Expires:      Mon 18 Jan 2027 02:39:40 PM CET
  Rpm Name:         gpg-pubkey-3fa1d6ce-63c9481c

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key's name. If
    you are not sure whether the presented key is authentic, ask the repository provider or check
    their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they
    are using.

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r
error]
01:00:39 RepoMDError: Cannot access repository.

After running the spacewalk-repo-sync command manually and accepting the GPG key using the "always" option, the issue still occurs the next day.

Resolution

Rebuild the spacewalk-repo-sync RPM database using the command below:
rpmdb --rebuild --dbpath=/var/lib/spacewalk/reposync/root/var/lib/rpm/
Note: Before rebuilding, take a backup of the above directory.
 

Cause

SUSE Manager, or more specifically spacewalk-repo-sync, has its own RPM database (/var/lib/spacewalk/reposync/root/var/lib/rpm/) that contains the accepted GPG public keys. This database can become corrupted, in which case new GPG keys cannot be added to it.
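
The checks and the resolution above, as an added example script that is not part of the original SUSE article or of SUSE Manager: it pulls the key details out of the logged prompt, compares the fingerprint with one obtained from the repository provider, and performs the backup and rebuild before querying the reposync database for the key. Function names and the backup location are assumptions; the sample log lines are constructed from the excerpt above.

```shell
#!/bin/sh
# Added example, not SUSE tooling. DBPATH and the rpmdb command come from the
# article; function names and the backup location are assumptions.
DBPATH=/var/lib/spacewalk/reposync/root/var/lib/rpm/

# Constructed sample: key-prompt lines as logged in rhn_taskomatic_daemon.log.
SAMPLE_LOG='  Repository:       sle-module-confidential-computing-15-sp6-pool-x86_64
  Key Fingerprint:  7F00 9157 B127 B994 D5CF BE76 F74F 09BC 3FA1 D6CE
  Rpm Name:         gpg-pubkey-3fa1d6ce-63c9481c'

# Print "repository fingerprint rpm-name" for every key prompt read from stdin.
extract_key_prompts() {
  awk '/^ *Repository:/      { repo = $2 }
       /^ *Key Fingerprint:/ { fp = ""; for (i = 3; i <= NF; i++) fp = fp $i }
       /^ *Rpm Name:/        { print repo, fp, $3 }'
}

# True only if the logged fingerprint ($1) equals the one obtained from the
# repository provider out of band ($2); spaces and letter case are ignored.
fingerprint_matches() {
  [ "$(printf %s "$1" | tr -d ' ' | tr a-f A-F)" = \
    "$(printf %s "$2" | tr -d ' ' | tr a-f A-F)" ]
}

# rpm stores an imported key as gpg-pubkey-<last 8 hex digits of the
# fingerprint, lowercase>-<release>; check that $2 belongs to fingerprint $1.
rpm_name_matches() {
  keyid=$(printf %s "$1" | tr -d ' ' | tail -c 8 | tr A-F a-f)
  case "$2" in gpg-pubkey-"$keyid"-*) return 0 ;; *) return 1 ;; esac
}

# Back up the reposync RPM database ($1), rebuild it, then query it for the
# key package ($2). A non-zero exit from rpm means the key is not in it.
backup_and_rebuild() {
  backup="${1%/}.bak.$(date +%Y%m%d%H%M%S)"
  cp -a "${1%/}" "$backup" || return 1
  rpmdb --rebuild --dbpath="$1" || return 1
  rpm --dbpath "$1" -q "$2"
}

if [ "${1:-}" = "--rebuild" ]; then
  backup_and_rebuild "$DBPATH" "$2"      # $2: the Rpm Name from the log
else
  printf '%s\n' "$SAMPLE_LOG" | extract_key_prompts
fi
```

Without arguments the script only parses the constructed sample; with --rebuild and the Rpm Name from the log it applies the backup and rebuild to the reposync database.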

Additional Information

For synchronization issues, please see also the following chapter from the SUSE Manager documentation:
https://documentation.suse.com/suma/4.3/en/suse-manager/administration/troubleshooting/tshoot-sync.html

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021509
  • Creation Date: 26-Jul-2024
  • Modified Date: 26-Jul-2024
    • SUSE Manager
