The RPM repositories for openSUSE are broken (again)…
kumiko:~ # zypper ref
Retrieving repository 'download.nvidia.com-opensuse' metadata -------------------------------------------------------------------------------------[\]
Signature verification failed for file 'repomd.xml' from repository 'download.nvidia.com-opensuse'.
Note: Signing data enables the recipient to verify that no modifications occurred after the data
were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
whole repo.
Warning: This file was modified after it has been signed. This may have been a malicious change,
so it might not be trustworthy anymore! You should not continue unless you know it's safe.
Signature verification failed for file 'repomd.xml' from repository 'download.nvidia.com-opensuse'. Continue? [yes/no] (no):
Please fix, and maybe fix the cause; this is not the first time this has happened.
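The zypper note above calls repomd.xml the master index that ensures the integrity of the whole repo. As an added example (not from the thread and not zypper's own code), this Python snippet shows that mechanism on a constructed two-file repository: repomd.xml pins a digest for every metadata file, so one verified signature over it covers them all. The sample contents and helper names are assumptions, and the signature check itself is assumed to have been done beforehand.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # rpm-md repomd namespace
STRONG = ("sha256", "sha512")

def build_sample_repo():
    """Constructed sample: two metadata files plus the repomd.xml indexing them."""
    files = {"primary": b"<metadata packages='1'/>",
             "filelists": b"<filelists packages='1'/>"}
    entry = ('<data type="{0}"><checksum type="sha256">{1}</checksum>'
             '<location href="repodata/{0}.xml"/></data>')
    body = "".join(entry.format(kind, hashlib.sha256(blob).hexdigest())
                   for kind, blob in files.items())
    repomd = '<repomd xmlns="{}">{}</repomd>'.format(NS["r"], body)
    fetched = {"repodata/%s.xml" % kind: blob for kind, blob in files.items()}
    return repomd.encode(), fetched

def check_metadata(repomd_xml, fetched):
    """Map each file indexed by repomd.xml to ok / mismatch / missing / weak-digest.

    Assumes the detached signature over repomd_xml was already verified;
    an unverified index proves nothing about the files it lists.
    """
    results = {}
    for data in ET.fromstring(repomd_xml).findall("r:data", NS):
        href = data.find("r:location", NS).get("href")
        checksum = data.find("r:checksum", NS)
        algo = checksum.get("type")
        blob = fetched.get(href)
        if algo not in STRONG:
            results[href] = "weak-digest"
        elif blob is None:
            results[href] = "missing"
        elif hashlib.new(algo, blob).hexdigest() != checksum.text.strip().lower():
            results[href] = "mismatch"
        else:
            results[href] = "ok"
    return results

if __name__ == "__main__":
    repomd, fetched = build_sample_repo()
    print("intact:  ", check_metadata(repomd, fetched))
    fetched["repodata/primary.xml"] += b"<!-- altered after indexing -->"
    print("tampered:", check_metadata(repomd, fetched))
```

Because every other file is checked only against digests inside repomd.xml, a failed signature on repomd.xml leaves nothing in the repository verifiable.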
Same here; on repository add I get a similar error:
"File repomd.xml from repository nVidia Graphics Drivers https://download.nvidia.com/opensuse/leap/15.1
is signed with the following GnuPG key, but the integrity check failed:
The file has been changed, either by accident or by an attacker,
since the repository creator signed it. Using it is a big risk
for the integrity and security of your system.
Use it anyway?
"
That indicates that the site is hacked, or the GPG key is incorrect, or the packages are signed with the wrong key.
I would like to point out that this has happened many times before.
Should be worth someone’s time to find out why, and fix it.
I mean, this is on the same level as, for example, you open update.microsoft.com in a browser, and get a warning about an invalid or self-signed SSL certificate…
Well, this is kinda more problematic: all GPU-level updates require root privilege, and these drivers are on some level accessed by almost all the software running, so by messing with graphics driver updates it would be truly trivial to exploit any server that actually runs a graphical environment using compromised proprietary drivers.
I just ran sudo yast from the Konsole command line, then went to Software Repositories, and specifically allowed me to always trust the nvidia repo key. Since then the problem has been solved, also on the Plasma tray icon for automatic updates. It was pure luck…
[openSUSE Leap 15.3, kernel 5.3.18-59.10-default]