zypper (and rpm) says: “warning: Unsupported version of key: V3”

Since openSUSE Tumbleweed has been upgraded to use rpm 4.13 (snapshot 2017033), you keep on seeing the message “warning: Unsupported version of key: V3” whenever you invoke zypper or rpm. Of course this is highly annoying, and you just want to stop it, right?

First, a bit of background:
RPM uses the GPG infrastructure to validate package signatures. As is common, this infrastructure keeps being developed, and the various key formats are versioned. As old formats become obsolete and are considered insecure, modern tools stop supporting them. This improves security by not giving the user a false sense of safety: a key that is insecure is worth as much as no key at all.

So, let’s stop zypper / rpm from annoying you with this! If it’s not going to use the GPG key anyway, we may as well just get rid of it. But HOW!?

First, we need to find out the ID (or IDs) of the key(s) causing it. RPM can be a bit more verbose when asked to be so, and then it gives us some hints:

rpm -vv -qf /etc
And this will reply with something like:

ufdio: 1 reads, 18883 total bytes in 0.000006 secs
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn’t find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening db environment /var/lib/rpm cdb:private:0x201
D: opening db index /var/lib/rpm/Packages 0x400 mode=0x0
D: locked db index /var/lib/rpm/Packages
D: opening db index /var/lib/rpm/Name nofsync:0x400 mode=0x0
D: read h# 168 Header sanity check: OK
warning: Unsupported version of key: V3

D: read h# 335 Header sanity check: OK
D: added key gpg-pubkey-7e2e3b05-4be037ca to keyring
D: read h# 390 Header sanity check: OK

The interesting parts here are the “read h# 168” line and the warning that follows it. 168 actually refers to the internal id in the rpm database of the key it just complained about.

So, let’s find out what key this is:
rpm -q --querybynumber 168

and you get something like gpg-pubkey-7e2e3b05-4be037ca as a reply. With this information, you can find out what key it is – just to satisfy your hunger for information. If you believe that the key in question is still in use, you might want to inform its owner.

rpm -qi gpg-pubkey-3d25d3d9-36e12d04

warning: Unsupported version of key: V3
Name : gpg-pubkey
Version : 3d25d3d9
Release : 36e12d04
Architecture: (none)
Install Date: Tue 06 Jul 2010 07:39:17 AM CEST
Group : Public Keys
Size : 0
License : pubkey
Signature : (none)
Source RPM : (none)
Build Date : Tue 06 Jul 2010 07:39:17 AM CEST
Build Host : localhost
Relocations : (not relocatable)
Summary : gpg(SuSE Security Team )
Description :
Distribution: (none)

This is indeed an old GPG key – from SUSE. As this machine has been updated using zypper dup for such a long time, it’s no surprise that some cruft like this accumulated. That key has long been replaced and is no longer in use. So it can be removed and life can go on:

rpm -e gpg-pubkey-3d25d3d9-36e12d04

There can be multiple keys on your system causing this. Repeat the above steps until zypper/rpm no longer complain, then have a lot of fun.
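
The steps above as a small script (an added example, not part of the original post). The names v3_key_headers, sample_log, scan_v3_keys and the --scan switch are made up for this example; it only prints the removal commands so you can check each key with rpm -qi first.

```shell
#!/bin/sh
# Added example, not from the original post.

# Reads `rpm -vv` output on stdin and prints the rpmdb header number from the
# last "read h# N" line seen before each "Unsupported version of key" warning.
# Assumption: the warning directly follows the header that caused it, as in
# the log shown above.
v3_key_headers() {
    awk '
        /read h#/ { for (i = 1; i < NF; i++) if ($i == "h#") last = $(i + 1) }
        /warning: Unsupported version of key/ {
            if (last != "" && !seen[last]++) print last
        }
    '
}

# Constructed sample input modelled on the log above (h# 412 is made up).
sample_log() {
    cat <<'EOF'
D: loading keyring from rpmdb
D: read h# 168 Header sanity check: OK
warning: Unsupported version of key: V3

D: read h# 335 Header sanity check: OK
D: added key gpg-pubkey-7e2e3b05-4be037ca to keyring
D: read h# 412 Header sanity check: OK
warning: Unsupported version of key: V3
D: read h# 390 Header sanity check: OK
EOF
}

# Resolve each header number to a package name and print (not run) the
# removal command, but only for gpg-pubkey entries.
scan_v3_keys() {
    rpm -vv -qf /etc 2>&1 | v3_key_headers | while read -r n; do
        pkg=$(rpm -q --querybynumber "$n" 2>/dev/null)
        case $pkg in
            gpg-pubkey-*) printf 'h# %s: %s\n  review: rpm -qi %s\n  remove: rpm -e %s\n' \
                              "$n" "$pkg" "$pkg" "$pkg" ;;
            *) printf 'h# %s: %s is not a gpg-pubkey entry, skipping\n' "$n" "$pkg" ;;
        esac
    done
}

# Run against the live rpmdb only when asked to.
if [ "${1:-}" = "--scan" ]; then scan_v3_keys; fi
```

Run it with --scan as root or a user who can read /var/lib/rpm; without the switch it does nothing, so the functions can be tried on saved rpm -vv output first.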

6 responses to “zypper (and rpm) says: “warning: Unsupported version of key: V3””

  1. Gert

    Really nice to know 😉
    I got rid of it and was tired to find out where it comes…
    Thanx
    Gert

  2. Amit

    Very useful – thank you.

  3. Joe Morris

    Thanks much for this help. It’s great to finally get this problem fixed.

  4. Stefan Seyfried

    Same happened to me after update to Leap 15.0 — and the solution worked fine. Thanks!

  5. Bjørn Ove Isaksen

    Thanx for the solution. I also got this issue with Leap 15.0, though the above stated install date was 2007 in my case.

  6. […] First, all my servers had an old key that had to be removed, otherwise I got a non-essential but annoying error with every single package install… See this great post for an explanation & fix. […]