I'm using Webmin on openSUSE and had to modify the script make-repo.sh a little bit for the installation. However, when I do a zypper refresh webmin-noarch, I get a warning that repomd.xml is unsigned:
Warning: File 'repomd.xml' from repository 'Webmin - noarch' is unsigned.
Note: Signing data enables the recipient to verify that no modifications occurred after the data
were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
whole repo.
Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
anymore! You should not continue unless you know it's safe.
File 'repomd.xml' from repository 'Webmin - noarch' is unsigned, continue? [yes/no] (no): yes
Retrieving repository 'Webmin - noarch' metadata ....................................................................................................................[done]
Building repository 'Webmin - noarch' cache .........................................................................................................................[done]
Specified repositories have been refreshed.
So, the metadata is read, but only after manual interaction. To automate this, I cannot use interactive input. I find no option for zypper to not check for a signature of repomd.xml.
Would it be possible to sign the file and thus increase security? Looking at a random directory in the openSUSE Open Build Service, there should be two files added (repomd.xml.asc and repomd.xml.key), see http://download.opensuse.org/repositories/Apache/openSUSE_Leap_15.5/repodata/ as an example. The naming seems to be significant.
The modifications for SUSE/openSUSE in the script make-repo.sh are attached as a diff file.
Best regards,
Werner
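The signing step the post asks about, as an added example that is neither Werner's attached diff nor Webmin's make-repo.sh: a detached ASCII-armored GPG signature of repomd.xml is written next to it as repomd.xml.asc, and the public key as repomd.xml.key, which are the two file names the openSUSE repodata directory cited above uses. The function names, the throwaway key identity and the sample repomd.xml content are assumptions constructed for the demo; a real repository would sign with its own long-lived key and publish that key's fingerprint out of band. The verify function imports the published key into a scratch keyring and checks the signature the way a client would, and the demo also shows that a modified repomd.xml no longer verifies.

```shell
#!/bin/sh
# Added example, not Webmin's make-repo.sh. Requires gpg 2.1+.
set -eu

# Sign $1/repomd.xml with key $2, producing repomd.xml.asc and repomd.xml.key
# (the file names libzypp looks for next to the repository master index).
sign_repomd() {
  repodir=$1
  keyid=$2
  gpg --batch --yes --local-user "$keyid" --armor --detach-sign \
      --output "$repodir/repomd.xml.asc" "$repodir/repomd.xml"
  gpg --batch --yes --armor --export "$keyid" > "$repodir/repomd.xml.key"
}

# Client-side check: import the published key into a scratch keyring and
# verify the detached signature against repomd.xml. Returns 0 only on a
# good signature; an untrusted-but-valid key still verifies (gpg warns).
verify_repomd() {
  repodir=$1
  tmphome=$(mktemp -d)
  chmod 700 "$tmphome"
  GNUPGHOME=$tmphome gpg --batch --import "$repodir/repomd.xml.key" 2>/dev/null
  if GNUPGHOME=$tmphome gpg --batch --verify \
        "$repodir/repomd.xml.asc" "$repodir/repomd.xml" 2>/dev/null; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$tmphome"
  return $rc
}

# Demo: throwaway key in a temporary GNUPGHOME, constructed sample metadata
# (not a real Webmin repomd.xml), sign, verify, tamper, verify again.
# Succeeds only if the intact file verifies and the tampered one does not.
demo_sign_and_verify() {
  work=$(mktemp -d)
  GNUPGHOME="$work/gnupg"
  export GNUPGHOME
  mkdir -p -m 700 "$GNUPGHOME"
  mkdir -p "$work/repodata"
  printf '<?xml version="1.0"?>\n<repomd><revision>1</revision></repomd>\n' \
      > "$work/repodata/repomd.xml"          # constructed sample
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Repo Signer <repo@example.invalid>" default default never 2>/dev/null
  keyid=$(gpg --batch --list-secret-keys --with-colons | awk -F: '$1=="sec"{print $5; exit}')
  sign_repomd "$work/repodata" "$keyid"
  if verify_repomd "$work/repodata"; then good=1; else good=0; fi
  echo "tampered" >> "$work/repodata/repomd.xml"
  if verify_repomd "$work/repodata"; then bad=1; else bad=0; fi
  rm -rf "$work"
  unset GNUPGHOME
  [ "$good" = 1 ] && [ "$bad" = 0 ]
}
```

In a real make-repo.sh the sign step would run once per regeneration of repodata, after createrepo has rewritten repomd.xml and before the directory is published; zypper then imports repomd.xml.key on first refresh (prompting the administrator to accept the key fingerprint) and checks repomd.xml.asc on every later refresh without further interaction.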