Brave-browser: `repomd.xml` is not signed message on OpenSuse

Also, according to #1900, our RPM repository is not compatible with OpenSUSE.

The same error message occurs after installing Chrome:

# zypper install /home/francois/google-chrome-stable_current_x86_64.rpm 
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  google-chrome-stable

1 new package to install.
Overall download size: 55.7 MiB. Already cached: 0 B. After the operation, additional 196.3 MiB will be used.
Continue? [y/n/...? shows all options] (y): y
Retrieving package google-chrome-stable-74.0.3729.108-1.x86_64             (1/1),  55.7 MiB (196.3 MiB unpacked)
google-chrome-stable_current_x86_64.rpm:
    Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY
    V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY

Looking for gpg key ID 7FAC5991 in cache /var/cache/zypp/pubkeys.
Repository Plain RPM files cache does not define additional 'gpgkey=' URLs.
google-chrome-stable-74.0.3729.108-1.x86_64 (Plain RPM files cache): Signature verification failed [4-Signatures public key is not available]
Abort, retry, ignore? [a/r/i] (a): i
Checking for file conflicts: .............................................................................[done]
(1/1) Installing: google-chrome-stable-74.0.3729.108-1.x86_64 ............................................[done]
Additional rpm output:
warning: /var/cache/zypper/RPMS/google-chrome-stable_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY
update-alternatives: using /usr/bin/google-chrome-stable to provide /usr/bin/google-chrome (google-chrome) in auto mode


# zypper dup
Warning: You are about to do a distribution upgrade with all enabled repositories. Make sure these repositories are compatible before you continue. See 'man zypper' for more information about this command.
Retrieving repository 'google-chrome' metadata --------------------------------------------------------------[\]
Looking for gpg key ID 997C215E in cache /var/cache/zypp/pubkeys.
Repository google-chrome does not define additional 'gpgkey=' URLs.
Warning: File 'repomd.xml' from repository 'google-chrome' is signed with an unknown key '6494C6D6997C215E'.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
    anymore! You should not continue unless you know it's safe.

File 'repomd.xml' from repository 'google-chrome' is signed with an unknown key '6494C6D6997C215E'. Continue? [yes/no] (no):

but it goes away after the cronjob (which installs repo and key) runs.

I'm not sure what we need to do on our end to fix this. If someone knows, please chime in.

+1 from Community:
https://community.brave.com/t/opensuse-repo-not-signed/87323/2

@fmarier How about you actually look into it rather then just looking what happens with chrome? Looks like the file repomd.xml itself needs to be signed with a GPG key or something like that not just the .rpm packages. Can not that hard to figure this out, ask some SUSE guys if in doubt ...

I do not want to install brave with this warning showing up.

@nextgenthemes do you have time available to help check this out? (even just an intro to some SUSE guys). Could be a great first contribution 😄

@bsclifton Sure whats the payment for fixing this issue?

@mbacchi is working on a fix for this in https://github.com/brave/brave-core/pull/3877

When one should expect this issue to be fixed?

Next time we have a release I believe this should be fixed

@mbacchi should we uplift this to release? We'll be having a hotfix soon (as a new Chromium version was released)

Yes, the nightly build running currently will have it, then will be uplifted to dev/beta/release channels. The next release channel build should have it (depending on when that is.)

repomd.xml still is not signed. Why has the issue been closed?

@xtemp09 the issue has been fixed in the code; we'll need to do a publish to release/beta/dev with this new code to resolve the issue

Can you try Nightly? It should be fixed, per the above

I don't understand how nightly build is connected to the issue. The repo has an unsigned repomd.xml. All the authors have to do is to sign the file. Why do I have to install a nightly build? Just sign the file and everyone will install the stable build.

I'll close the issue once I've confirmed that it's been fixed on release.

All repositories are now fixed.