Bug #115875 Signature verification failed for file 'repomd.xml'
Submitted: 20 Aug 15:07 Modified: 21 Aug 8:59
Reporter: Jeff Erbrecht
Status: Closed
Category: MySQL Package Repos Severity: S2 (Serious)
Version: 8.0 OS: SUSE (15)
Assigned to: CPU Architecture: x86
Tags: repo

[20 Aug 15:07] Jeff Erbrecht
Description:
This looks like a regression of https://bugs.mysql.com/bug.php?id=107974.

---

About a day or two ago we started seeing this error when trying to use the repo on SUSE. This was working fine in the past for some time:

sudo zypper -n install mysql-community-server
...
        Signature verification failed for file 'repomd.xml' from repository 'MySQL Connectors Community'.
        
            Note: Signing data enables the recipient to verify that no modifications occurred after the data
            were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
            and in extreme cases even to a system compromise.
        
            Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
            whole repo.
        
            Warning: This file was modified after it has been signed. This may have been a malicious change,
            so it might not be trustworthy anymore! You should not continue unless you know it's safe.
        
            Note: This might be a transient issue if the server is in the midst of receiving new data. The
            data file and its signature are two files which must fit together. In case the request hit the
            server in the midst of updating them, the signature verification might fail. After a few
            minutes, when the server has updated its data, it should work again.

How to repeat:
sudo rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2023
sudo rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2022
sudo zypper -n install https://dev.mysql.com/get/mysql80-community-release-sl15.rpm
sudo zypper -n install mysql-community-server

[20 Aug 15:20] MySQL Verification Team
Hi Mr. Erbrecht,

Have you tried installing from our standard download site:

https://dev.mysql.com/downloads/mysql/

There are packages for SUSE .........

[20 Aug 15:44] Jeff Erbrecht
I'm not sure I understand -- we're already downloading from `dev.mysql.com`. Are the packages hosted on the official domain expected to no longer be signed properly? We're specifically trying to install the package located at https://dev.mysql.com/get/mysql80-community-release-sl15.rpm, which we expect to work as it did before. Downloading a different package instead feels like a workaround rather than a fix.

I will add that we also see the same error intermittently against 'MySQL Tools Community' and 'MySQL 8.0 Community Server'.

[20 Aug 17:31] Philip Olson
Hi Jeff, I can't confirm what's expected behavior here but am adding this note:

  mysql80-community-release-sl15.rpm: last updated October 2023, this file shouldn't be used
  mysql84-community-release-sl15.rpm: current file, note the mysql84 file prefix (versus mysql80)

The file prefix indicates the default MySQL series to install (enabled subrepository), which is the latest LTS version. In theory this (along with the file prefix) changes every two years with the old file going dormant. So assuming you want MySQL 8.0 for a new installation, this also means changing the subrepository, for example:

  sudo zypper modifyrepo -d mysql-8.4-lts-community
  sudo zypper modifyrepo -e mysql80-community

I'm not an experienced SUSE user but hope this helps. I believe the subrepository format won't change again, so for example mysql-9.7-lts-community will likely come next.

Related note: SUSE 12 does not support MySQL 8.4 so mysql80-community-release-sles12.rpm is the latest file for v12, and gets updated.

[20 Aug 18:11] Balasubramanian Kandasamy
Thank you for your bug report. It's the expected behavior. As of the April 2024 release, we have updated the SL15 repository setup RPM to denote the default subrepository (MySQL 8.4 LTS) enabled by default.

To summarize the installation steps:

1. Import the RPM keys by running the following commands:
   sudo rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2023
   sudo rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2022
   
2. Install the repository setup RPM:
   sudo zypper -n install https://dev.mysql.com/get/mysql84-community-release-sl15.rpm
   
3. Install MySQL 8.4.2 LTS release binaries using the following command:
   sudo zypper -n install mysql-community-server

To install Server 8.0.x releases, use these commands:
   sudo zypper modifyrepo -d mysql-8.4-lts-community
   sudo zypper modifyrepo -e mysql80-community
   sudo zypper -n install mysql-community-server
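
A check to run after the subrepository switch in the comment above, as an added example that is not part of this thread or of MySQL's tooling: it reads a zypp `.repo` file (zypper keeps these under /etc/zypp/repos.d/) and confirms that the wanted server series is the one enabled and that no enabled repo has `gpgcheck` switched off to get past the repomd.xml error. The function names, the sample file and the alias `example-extra-repo` are constructed for illustration; it assumes `enabled` and `gpgcheck` are written as 1/0.

```shell
# Added example. Print "alias enabled gpgcheck" for each section of a zypp
# .repo file; a key missing from a section is reported as "unset".
repo_status() {
    awk '
        function emit() { if (name != "") print name, en, gpg }
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        /^[ \t]*\[/ {
            emit(); name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            en = "unset"; gpg = "unset"; next
        }
        /^[ \t]*enabled[ \t]*=/  { en = val($0) }
        /^[ \t]*gpgcheck[ \t]*=/ { gpg = val($0) }
        END { emit() }
    ' "$1"
}

# Exit 0 only if the wanted server series ($2) is the one enabled and no
# enabled repo has signature checking switched off.
audit_mysql_repos() {
    repo_status "$1" | awk -v want="$2" '
        $2 == "1" && $3 == "0" { print "gpgcheck off on enabled repo: " $1; bad = 1 }
        ($1 == "mysql-8.4-lts-community" || $1 == "mysql80-community") && $2 == "1" {
            if ($1 == want) found = 1
            else { print "unexpected server series enabled: " $1; bad = 1 }
        }
        END {
            if (!found) { print "wanted series not enabled: " want; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: state after switching to 8.0, plus one hypothetical
# repo where gpgcheck was turned off instead of fixing the signature error.
write_sample() {
    cat > "$1" <<'EOF'
[mysql-8.4-lts-community]
enabled=0
gpgcheck=1
[mysql80-community]
enabled=1
gpgcheck=1
[example-extra-repo]
enabled=1
gpgcheck=0
EOF
}
```
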

[21 Aug 8:59] MySQL Verification Team
Thank you very much for all the explanations and instructions, Balasubramanian.

This bug report is henceforth resolved and closed.