opensuse rpm repositories are broken (again)

the rpm repositories for opensuse are broken (again)…

kumiko:~ # zypper ref
Retrieving repository 'download.nvidia.com-opensuse' metadata -------------------------------------------------------------------------------------[\]
Signature verification failed for file 'repomd.xml' from repository 'download.nvidia.com-opensuse'.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: This file was modified after it has been signed. This may have been a malicious change,
    so it might not be trustworthy anymore! You should not continue unless you know it's safe.

Signature verification failed for file 'repomd.xml' from repository 'download.nvidia.com-opensuse'. Continue? [yes/no] (no):

please fix - and maybe fix the cause, this happened not for the first time.

same here, on repository add i get similar error;
"File repomd.xml from repository nVidia Graphics Drivers
https://download.nvidia.com/opensuse/leap/15.1
is signed with the following GnuPG key, but the integrity check failed:

ID: F5113243C66B6EAE
Fingerprint: 9B76 3D49 D8A5 C892 FC17 8BAC F511 3243 C66B 6EAE
Name: NVIDIA Corporation linux-bugs@nvidia.com
Created: 15.06.2006
Expires: Never

The file has been changed, either by accident or by an attacker,
since the repository creator signed it. Using it is a big risk
for the integrity and security of your system.

Use it anyway?
"
that indicates that site is hacked, or gpg key is incorrect, or packages are signed with wrong key.

can confirm…
worked 2 days ago, but then they seem to have updated something which broke the repo

Thanks for reporting this. We’re looking into it.

I would like to point out that this has happened many times before.

Should be worth someone’s time to find out why, and fix it.

I mean, this is on the same level as, for example, you open update.microsoft.com in a browser, and get a warning about an invalid or self signed ssl certificate…

Cheers
MH

well, this is kinda more problematic, all gpu level updates require root privilege, and these drivers are on some level accessed by almost all the software running, so by messing up with graphics driver updates, well it would be truly trivial to exploit any server that actually runs on graphical environment using compromised proprietary drivers.

and it happened again with openSUSE Leap 15.3 nvidia linux repositories

Unknown GnuPG key

I just ran sudo yast from Konsole command line, then went to Software Repositories, and specifically allowed me to always trust nvidia repo key. Since then the problem was solved, also on the plasma icon tray regarding automatic updates. It was pure luck…
[OpenSuse Leap 15.3 , kernel 5.3.18-59.10-default]