{"id":604,"date":"2017-03-15T17:59:26","date_gmt":"2017-03-15T16:59:26","guid":{"rendered":"http:\/\/dominique.leuenberger.net\/blog\/?p=604"},"modified":"2017-03-15T17:59:26","modified_gmt":"2017-03-15T16:59:26","slug":"zypper-and-rpm-says-warning-unsupported-version-of-key-v3","status":"publish","type":"post","link":"https:\/\/dominique.leuenberger.net\/blog\/2017\/03\/zypper-and-rpm-says-warning-unsupported-version-of-key-v3\/","title":{"rendered":"zypper (and rpm) says: “warning: Unsupported version of key: V3”"},"content":{"rendered":"

Since openSUSE Tumbleweed has been upgraded to use rpm 4.13 (snapshot 2017033), you keep on seeing the message “warning: Unsupported version of key: V3<\/em>” whenever you invoke zypper or rpm. Of course this is highly annoying, and you just want to stop it, right?<\/p>\n

First, a bit of background:<\/strong>
\nRPM uses gpg infrastructure to validate package signatures. As is common, this infrastructure is being developed and the various key formats are versioned. As old formats become obsolete and considered insecure, they are no longer being supported by modern tools. This helps to improve security insofar to not give the user a false sense of safety: a key that is insecure is worth as much as no key at all.
\n<\/p>\n

So, let’s stop zypper \/ rpm annoy you with this! If it’s already not going to use the gpg key, we can as well just get rid of it. But HOW!?<\/p>\n

First, we need to find out the ID (or IDs) of the key(s) causing it. RPM can be a bit more verbose when asked to be so, and then it gives us some hints:<\/p>\n

rpm -vv -qf \/etc<\/code>
\nAnd this will reply with something like<\/p>\n

ufdio: 1 reads, 18883 total bytes in 0.000006 secs
\nD: loading keyring from pubkeys in \/var\/lib\/rpm\/pubkeys\/*.key
\nD: couldn’t find any keys in \/var\/lib\/rpm\/pubkeys\/*.key
\nD: loading keyring from rpmdb
\nD: opening db environment \/var\/lib\/rpm cdb:private:0x201
\nD: opening db index \/var\/lib\/rpm\/Packages 0x400 mode=0x0
\nD: locked db index \/var\/lib\/rpm\/Packages
\nD: opening db index \/var\/lib\/rpm\/Name nofsync:0x400 mode=0x0
\nD: read h# 168 Header sanity check: OK
\nwarning: Unsupported version of key: V3<\/strong>
\nD: read h# 335 Header sanity check: OK
\nD: added key gpg-pubkey-7e2e3b05-4be037ca to keyring
\nD: read h# 390 Header sanity check: OK<\/p><\/blockquote>\n

I highlighted the interesting parts here for your viewing pleasure. 168<\/strong> actually refers to the internal id in the rpm database of the key it just complained about.<\/p>\n

So, let’s find out what key this is:
\nrpm -q --querybynumber 168<\/code><\/p>\n

and you get something like gpg-pubkey-7e2e3b05-4be037ca<\/strong> as reply. With this information, you can find out what key it is – just to satisfy your hunger for information. If you believe that the key in question is still in use, you might want to inform its owner.<\/p>\n

rpm -qi gpg-pubkey-3d25d3d9-36e12d04<\/code><\/p>\n

warning: Unsupported version of key: V3
\nName : gpg-pubkey
\nVersion : 3d25d3d9
\nRelease : 36e12d04
\nArchitecture: (none)
\nInstall Date: Tue 06 Jul 2010 07:39:17 AM CEST
\nGroup : Public Keys
\nSize : 0
\nLicense : pubkey
\nSignature : (none)
\nSource RPM : (none)
\nBuild Date : Tue 06 Jul 2010 07:39:17 AM CEST
\nBuild Host : localhost
\nRelocations : (not relocatable)
\nSummary : gpg(SuSE Security Team )
\nDescription :
\nDistribution: (none)<\/p><\/blockquote>\n

This is indeed an old GPG key – from SUSE. As this machine has been updated using zypper dup<\/em> for such a long time, it’s no surprise some cruft like this accumulated. That key has long been replaced and is no longer in use. So it can be removed and live can go on:<\/p>\n

rpm -e gpg-pubkey-3d25d3d9-36e12d04<\/code><\/p>\n

There can be multiple keys in your system causing this – repeat above steps until your zypper\/rpm are no longer complaining – then have a lot of fun<\/p>\n","protected":false},"excerpt":{"rendered":"

Since openSUSE Tumbleweed has been upgraded to use rpm 4.13 (snapshot 2017033), you keep on seeing the message “warning: Unsupported version of key: V3” whenever you invoke zypper or rpm. Of course this is highly annoying, and you just want to stop it, right? First, a bit of background: RPM uses gpg infrastructure to validate […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,7],"tags":[34,37,22],"class_list":["post-604","post","type-post","status-publish","format-standard","hentry","category-opensuse","category-tutorials","tag-errors","tag-opensuse","tag-repository"],"_links":{"self":[{"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/posts\/604","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/comments?post=604"}],"version-history":[{"count":9,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/posts\/604\/revisions"}],"predecessor-version":[{"id":613,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/posts\/604\/revisions\/613"}],"wp:attachment":[{"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/media?parent=604"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/categories?post=604"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/tags?post=604"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}