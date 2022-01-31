FWIW and for others reading, I have of course checked this on real systems (Ubuntu and Fedora) and they update without issue on their default configuration. That said, even without such systems you can verify things are correct (signature wise) on the repositories because of the way both YUM/DNF and APT work. A single meta-data file is signed, "repomd.xml" on yum/dnf and "Release" on apt using dettached signatures ('repomd.xml.asc' and 'Release.gpg' respectively). These in turn have a cascade SHA sums to check everything else. Thus we can check if the signatures are setup correctly by fetching the relevant meta-data (and it its dettached signature) and checking with gpg directly.

First fetch the public signing key and import it into GPG like so:

$ wget https://repo.vivaldi.com/stable/linux_signing_key.pub --2022-01-31 12:29:58-- https://repo.vivaldi.com/stable/linux_signing_key.pub Resolving repo.vivaldi.com (repo.vivaldi.com)... 23.111.9.47 Connecting to repo.vivaldi.com (repo.vivaldi.com)|23.111.9.47|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 3175 (3.1K) [application/octet-stream] Saving to: 'linux_signing_key.pub' linux_signing_key.pub 100%[=================================================================================================================================================================>] 3.10K --.-KB/s in 0s 2022-01-31 12:29:58 (3.54 GB/s) - 'linux_signing_key.pub' saved [3175/3175] $ gpg --import linux_signing_key.pub gpg: key C27AA466: public key "Vivaldi Package Composer KEY07 <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)

(This is needed because although you will likely have the key already it will be stored in the system wide apt-key and rpm databases, not your current user's GPG installation)

You can now check that both YUM/DNF and APT are signed with this key.

YUM/DNF:

$ wget https://repo.vivaldi.com/stable/rpm/x86_64/repodata/repomd.xml https://repo.vivaldi.com/stable/rpm/x86_64/repodata/repomd.xml.asc --2022-01-31 12:11:09-- https://repo.vivaldi.com/stable/rpm/x86_64/repodata/repomd.xml Resolving repo.vivaldi.com (repo.vivaldi.com)... 23.111.9.47 Connecting to repo.vivaldi.com (repo.vivaldi.com)|23.111.9.47|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 2973 (2.9K) [text/xml] Saving to: 'repomd.xml' repomd.xml 100%[=================================================================================================================================================================>] 2.90K --.-KB/s in 0s 2022-01-31 12:11:10 (3.38 GB/s) - 'repomd.xml' saved [2973/2973] --2022-01-31 12:11:10-- https://repo.vivaldi.com/stable/rpm/x86_64/repodata/repomd.xml.asc Reusing existing connection to repo.vivaldi.com:443. HTTP request sent, awaiting response... 200 OK Length: 833 [application/octet-stream] Saving to: 'repomd.xml.asc' repomd.xml.asc 100%[=================================================================================================================================================================>] 833 --.-KB/s in 0s 2022-01-31 12:11:10 (1.34 GB/s) - 'repomd.xml.asc' saved [833/833] FINISHED --2022-01-31 12:11:10-- Total wall clock time: 0.2s Downloaded: 2 files, 3.7K in 0s (2.53 GB/s) ruario@ruario-slack:~/Downloads$ gpg --verify repomd.xml.asc gpg: assuming signed data in `repomd.xml' gpg: Signature made Sun 30 Jan 2022 06:54:14 PM CET using RSA key ID C27AA466 gpg: Good signature from "Vivaldi Package Composer KEY07 <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: CB63 144F 1BA3 1BC3 9E27 79A8 FEB6 023D C27A A466

(Note: The warning is exactly that 'a warning' [because no third party or you, the user has ever verified the owner]. This signature is good however from the perspective of it matching.).

APT:

$ wget https://repo.vivaldi.com/stable/deb/dists/stable/Release https://repo.vivaldi.com/stable/deb/dists/stable/Release.gpg --2022-01-31 12:22:45-- https://repo.vivaldi.com/stable/deb/dists/stable/Release Resolving repo.vivaldi.com (repo.vivaldi.com)... 23.111.9.47 Connecting to repo.vivaldi.com (repo.vivaldi.com)|23.111.9.47|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 3840 (3.8K) [application/octet-stream] Saving to: 'Release' Release 100%[=================================================================================================================================================================>] 3.75K --.-KB/s in 0s 2022-01-31 12:22:45 (3.76 GB/s) - 'Release' saved [3840/3840] --2022-01-31 12:22:45-- https://repo.vivaldi.com/stable/deb/dists/stable/Release.gpg Reusing existing connection to repo.vivaldi.com:443. HTTP request sent, awaiting response... 200 OK Length: 833 [application/octet-stream] Saving to: 'Release.gpg' Release.gpg 100%[=================================================================================================================================================================>] 833 --.-KB/s in 0s 2022-01-31 12:22:45 (1.18 GB/s) - 'Release.gpg' saved [833/833] FINISHED --2022-01-31 12:22:45-- Total wall clock time: 0.1s Downloaded: 2 files, 4.6K in 0s (2.70 GB/s) $ gpg --verify Release.gpg Release gpg: Signature made Sun 30 Jan 2022 06:54:13 PM CET using RSA key ID C27AA466 gpg: Good signature from "Vivaldi Package Composer KEY07 <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: CB63 144F 1BA3 1BC3 9E27 79A8 FEB6 023D C27A A466