Bug #107974 MySQL community 5.7 SLES 12 repo signature verification fails
Submitted: 26 Jul 2022 10:23
Modified: 27 Jul 2022 12:01
Reporter: David Shapiro
Status: Closed
Category: MySQL Package Repos
Severity: S2 (Serious)
Version: 5.7
OS: SUSE (12SP5)
Assigned to:
CPU Architecture: x86
Tags: repo

[26 Jul 2022 10:23] David Shapiro
Description:
As of 7/26/2022, the repo at http://repo.mysql.com/yum/mysql-5.7-community/sles/12/x86_64 is no longer properly signed.  Any attempt to use this repo produces the following:

---
# zypper refresh
Repository 'MySQL Connectors Community' is up to date.                                                                                       
Repository 'MySQL Tools Community' is up to date.                                                                                            
Retrieving repository 'MySQL 5.7 Community Server' metadata ------------------------------------------------------------------------------[\]
Signature verification failed for file 'repomd.xml' from repository 'MySQL 5.7 Community Server'.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: This file was modified after it has been signed. This may have been a malicious change,
    so it might not be trustworthy anymore! You should not continue unless you know it's safe.

Signature verification failed for file 'repomd.xml' from repository 'MySQL 5.7 Community Server'. Continue? [yes/no] (no): no
---

This was working correctly as recently as 7/25/2022.  This problem appears to be specific to this repo.  The same issue does not occur with http://repo.mysql.com/yum/mysql-8.0-community/sles/12/x86_64, which works fine.

How to repeat:
Download the SLES repo RPM mysql80-community-release-sles12-6.noarch.rpm
rpm -i mysql80-community-release-sles12-6.noarch.rpm
rpm --import /etc/RPM-GPG-KEY-mysql-2022
zypper modifyrepo -d mysql80-community
zypper modifyrepo -e mysql57-community
zypper refresh
[26 Jul 2022 13:04] MySQL Verification Team
Hi Mr. Shapiro,

Thank you for your bug report.

We need additional info. Which release is your report related to ????

Thanks in advance .....
[26 Jul 2022 13:42] David Shapiro
I'm not entirely sure what you're looking for as a "release" here.

The problem is the repo at http://repo.mysql.com/yum/mysql-5.7-community/sles/12/x86_64 is not signed correctly right now.  This impacts all RPMs available from that repo, regardless of the specific release version.  In other words, all 5.7 releases in this repo are impacted, because the repo should not be trusted while not properly signed.
[26 Jul 2022 14:14] MySQL Verification Team
Hi Mr. Shapiro,

Actually, you are quite right .....

Verified as reported.
[26 Jul 2022 15:35] Gipson Pulla
The fix has been added.
The sles12 repodata files have been re-signed.
[26 Jul 2022 15:44] David Shapiro
Thank you.  This is working for me now.
[27 Jul 2022 12:01] MySQL Verification Team
A bug is fixed.
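
The zypper note quoted in the report says repomd.xml ensures the integrity of the whole repo. The sketch below, an added example that is not part of the original thread or of MySQL's tooling, shows that chain by checking each metadata file against the checksum and size that repomd.xml pins for it. The sample repo contents, the `fetch` callback and the status strings are constructed for illustration, and the result only means something once the detached signature on repomd.xml itself has verified.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo"}
ALLOWED = {"sha256", "sha512"}  # assumption: refuse weaker digest types

def check_repodata(repomd_bytes, fetch):
    """Return {href: status}; fetch(href) is a hypothetical callback -> bytes or None."""
    results = {}
    for data in ET.fromstring(repomd_bytes).findall("repo:data", NS):
        href = data.find("repo:location", NS).get("href")
        cks = data.find("repo:checksum", NS)
        size = data.find("repo:size", NS)
        algo = cks.get("type")
        blob = fetch(href)
        if algo not in ALLOWED:
            results[href] = "weak-or-unknown-digest"
        elif blob is None:
            results[href] = "missing"
        elif size is not None and int(size.text) != len(blob):
            results[href] = "size-mismatch"
        elif hashlib.new(algo, blob).hexdigest() != cks.text.strip().lower():
            results[href] = "checksum-mismatch"
        else:
            results[href] = "ok"
    return results

def build_sample():
    """Constructed repo: two metadata files and a repomd.xml that pins them."""
    files = {
        "repodata/primary.xml.gz": b"constructed primary metadata",
        "repodata/filelists.xml.gz": b"constructed filelists metadata",
    }
    entries = "".join(
        '<data type="sample"><checksum type="sha256">%s</checksum>'
        '<location href="%s"/><size>%d</size></data>'
        % (hashlib.sha256(blob).hexdigest(), href, len(blob))
        for href, blob in files.items()
    )
    repomd = '<repomd xmlns="%s">%s</repomd>' % (NS["repo"], entries)
    return repomd.encode(), files

if __name__ == "__main__":
    repomd, files = build_sample()
    # Same-length change to one file after repomd.xml was generated.
    files["repodata/primary.xml.gz"] = b"Constructed primary metadata"
    print(check_repodata(repomd, files.get))
```

If repomd.xml comes from a source whose signature has not yet been checked, parse it with a hardened XML parser rather than the standard-library one used here.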