Annoyance. DNF is asking me day after day to remove the same expired encryption key

I answer yes but every day, it asks me the same questyion again and again.

$ sudo dnf upgrade --refresh
[sudo] Mot de passe de user : 
Mise à jour et chargement des dépôts :
 Copr repo for preload owned by elxreno                                                                                 100% |   4.3 KiB/s |   1.5 KiB |  00m00s
 Fedora 42 - x86_64                                                                                                     100% |  88.5 KiB/s |  29.8 KiB |  00m00s
 Brave Browser                                                                                                          100% |  16.3 KiB/s |   2.0 KiB |  00m00s
 Copr repo for PyCharm owned by phracek                                                                                 100% |  19.6 KiB/s |   2.1 KiB |  00m00s
 Copr repo for better_fonts owned by chriscowleyunix                                                                    100% |  11.5 KiB/s |   1.5 KiB |  00m00s
 Copr repo for kernel-longterm-6.12 owned by kwizart                                                                    100% |  18.0 KiB/s |   1.5 KiB |  00m00s
 Dangerzone repository                                                                                                  100% |  24.0 KiB/s |   3.0 KiB |  00m00s
 Copr repo for palemoon owned by bgstack15                                                                              100% |  12.5 KiB/s |   1.5 KiB |  00m00s
 Fedora 42 - x86_64 - Updates                                                                                           100% |  69.1 KiB/s |  25.0 KiB |  00m00s
 Fedora 42 openh264 (From Cisco) - x86_64                                                                               100% |   2.9 KiB/s | 989.0   B |  00m00s
 RPM Fusion for Fedora 42 - Free                                                                                        100% |  12.0 KiB/s |   4.1 KiB |  00m00s
 RPM Fusion for Fedora 42 - Free - Updates                                                                              100% |  97.3 KiB/s |   3.8 KiB |  00m00s
 RPM Fusion for Fedora 42 – Nonfree – Steam                                                                         100% |  17.6 KiB/s |   6.4 KiB |  00m00s
 RPM Fusion for Fedora 42 - Nonfree - Updates                                                                           100% |  17.3 KiB/s |   6.3 KiB |  00m00s
 RPM Fusion for Fedora 42 - Nonfree                                                                                     100% |  17.1 KiB/s |   6.9 KiB |  00m00s
 vivaldi                                                                                                                100% |  41.8 KiB/s |   3.0 KiB |  00m00s
 Fedora 42 - x86_64 - Updates                                                                                           100% |   2.4 MiB/s |   2.2 MiB |  00m01s
Dépôts chargés.
gpg: WARNING: No valid encryption subkey left over.
La clé OpenPGP suivante (0x33EAAB8E) est sur le point d'être retirée :
 Motif      : Expired on 2025-02-28 13:24:59
 UserID     : "Vivaldi Package Composer KEY09 <packager@vivaldi.com>"
 Empreinte  : 336018F263FA000065CED7C6124F149833EAAB8E

Par conséquent, l'installation des paquets signés avec cette clé échouera.
Il est recommandé de retirer la clé expirée pour permettre l'importation
d'une clé mise à jour. Cela pourrait rendre invérifiables les paquets déjà installés.

Le système va maintenant retirer la clé.
Is this ok [Y/n]: 

Problem with gpg keys after 41 -> 42 upgrade - #2 by vgaetera

1 Like

FYI in F42 there is a easy to use command that cleans out the keys that are no longer required. I am not sure if its installed by default.

$ clean-rpm-gpg-pubkey --help
Usage: /usr/bin/clean-rpm-gpg-pubkey [--dry-run]

    Removes all RPM PGP keys except the ones from /etc/yum.repos.d
sudo dnf install /usr/bin/clean-rpm-gpg-pubkey 
sudo /usr/bin/clean-rpm-gpg-pubkey --dry-run

If you are happy with the dry run then run as

sudo /usr/bin/clean-rpm-gpg-pubkey --dry-run

The package libdnf5-plugin-expired-pgp-keys is recommended by the package dnf5, and therefore will by default be installed when upgrading to Fedora 42.

1 Like

Oh that’s interesting, thanks a lot!

$ grep -h -r -e gpgkey /etc/yum.repos.d | sort -u
rpmkeys --list
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-$releasever
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-$releasever
gpgkey=file:///usr/share/distribution-gpg-keys/rpmfusion/RPM-GPG-KEY-rpmfusion-nonfree-fedora-$releasever
gpgkey=https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
gpgkey=https://dl.google.com/linux/linux_signing_key.pub
gpgkey=https://download.copr.fedorainfracloud.org/results/bgstack15/palemoon/pubkey.gpg
gpgkey=https://download.copr.fedorainfracloud.org/results/chriscowleyunix/better_fonts/pubkey.gpg
gpgkey=https://download.copr.fedorainfracloud.org/results/elxreno/preload/pubkey.gpg
gpgkey=https://download.copr.fedorainfracloud.org/results/kwizart/kernel-longterm-6.12/pubkey.gpg
gpgkey=https://download.copr.fedorainfracloud.org/results/kwizart/kernel-longterm-6.6/pubkey.gpg
gpgkey=https://download.copr.fedorainfracloud.org/results/phracek/PyCharm/pubkey.gpg
gpgkey = https://packages.freedom.press/yum-tools-prod/fpf-yum-tools-archive-keyring.gpg
gpgkey=https://repo.vivaldi.com/archive/linux_signing_key.pub
20038257-63ab09c9: Brave Linux Release (Brave Linux Release) <brave-linux-release@brave.com> public key
d651ff2e-5dadbbc1: RPM Fusion free repository for Fedora (2020) <rpmfusion-buildsys@lists.rpmfusion.org> public key
94843c65-5dadbc64: RPM Fusion nonfree repository for Fedora (2020) <rpmfusion-buildsys@lists.rpmfusion.org> public key
eb0ab1b8-60a62437: chriscowleyunix_better_fonts (None) <chriscowleyunix#better_fonts@copr.fedorahosted.org> public key
eb60d886-65454c21: kwizart_kernel-longterm-6.6 (None) <kwizart#kernel-longterm-6.6@copr.fedorahosted.org> public key
74c35bc8-65afa692: Vivaldi Package Composer KEY10 <packager@vivaldi.com> public key
1eedd52f-6759cb1b: kwizart_kernel-longterm-6.12 (None) <kwizart#kernel-longterm-6.12@copr.fedorahosted.org> public key
6a73cd96-67d85d73: Brave Linux Release (Brave Linux Release) <linux-release@brave.com> public key
105ef944-65ca83d1: Fedora (42) <fedora-42-primary@fedoraproject.org> public key
33eaab8e-63bd672b: Vivaldi Package Composer KEY09 <packager@vivaldi.com> public key
sudo rpmkeys --delete 33eaab8e-63bd672b
sudo rpmkeys --delete eb60d886-65454c21
sudo rpmkeys --delete 74c35bc8-65afa692
$ rpmkeys --list
20038257-63ab09c9: Brave Linux Release (Brave Linux Release) <brave-linux-release@brave.com> public key
d651ff2e-5dadbbc1: RPM Fusion free repository for Fedora (2020) <rpmfusion-buildsys@lists.rpmfusion.org> public key
94843c65-5dadbc64: RPM Fusion nonfree repository for Fedora (2020) <rpmfusion-buildsys@lists.rpmfusion.org> public key
eb0ab1b8-60a62437: chriscowleyunix_better_fonts (None) <chriscowleyunix#better_fonts@copr.fedorahosted.org> public key
1eedd52f-6759cb1b: kwizart_kernel-longterm-6.12 (None) <kwizart#kernel-longterm-6.12@copr.fedorahosted.org> public key
6a73cd96-67d85d73: Brave Linux Release (Brave Linux Release) <linux-release@brave.com> public key
105ef944-65ca83d1: Fedora (42) <fedora-42-primary@fedoraproject.org> public key

Confirmed, it’s installed. Thanks for your kind help.

Paquets installés
libdnf5-plugin-expired-pgp-keys.x86_64 5.2.13.1-1.fc42 updates

That doesn’t tell me why it doesn’t delete that same key after I tell dnf to do so. Or maybe it redownloads the same key again and again? Will know tomorrow, because it’s been deleted manually now.

It is

$ sudo /usr/bin/clean-rpm-gpg-pubkey --dry-run
Downloading file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-42-x86_64 for:
  Fedora 42 - x86_64 (/etc/yum.repos.d/fedora.repo)
  Fedora 42 openh264 (From Cisco) - x86_64 (/etc/yum.repos.d/fedora-cisco-openh264.repo)
  Fedora 42 openh264 (From Cisco) - x86_64 - Debug (/etc/yum.repos.d/fedora-cisco-openh264.repo)
  Fedora 42 openh264 (From Cisco) - x86_64 - Source (/etc/yum.repos.d/fedora-cisco-openh264.repo)
  Fedora 42 - x86_64 - Debug (/etc/yum.repos.d/fedora.repo)
  Fedora 42 - Source (/etc/yum.repos.d/fedora.repo)
  Fedora 42 - x86_64 - Updates (/etc/yum.repos.d/fedora-updates.repo)
  Fedora 42 - x86_64 - Updates - Debug (/etc/yum.repos.d/fedora-updates.repo)
  Fedora 42 - Updates Source (/etc/yum.repos.d/fedora-updates.repo)
  Fedora 42 - x86_64 - Test Updates (/etc/yum.repos.d/fedora-updates-testing.repo)
  Fedora 42 - x86_64 - Test Updates Debug (/etc/yum.repos.d/fedora-updates-testing.repo)
  Fedora 42 - Test Updates Source (/etc/yum.repos.d/fedora-updates-testing.repo)
Downloading file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-42 for:
  RPM Fusion for Fedora 42 - Free (/etc/yum.repos.d/rpmfusion-free.repo)
  RPM Fusion for Fedora 42 - Free - Debug (/etc/yum.repos.d/rpmfusion-free.repo)
  RPM Fusion for Fedora 42 - Free - Source (/etc/yum.repos.d/rpmfusion-free.repo)
  RPM Fusion for Fedora 42 - Free - Updates (/etc/yum.repos.d/rpmfusion-free-updates.repo)
  RPM Fusion for Fedora 42 - Free - Updates Debug (/etc/yum.repos.d/rpmfusion-free-updates.repo)
  RPM Fusion for Fedora 42 - Free - Updates Source (/etc/yum.repos.d/rpmfusion-free-updates.repo)
  RPM Fusion for Fedora 42 - Free - Test Updates (/etc/yum.repos.d/rpmfusion-free-updates-testing.repo)
  RPM Fusion for Fedora 42 - Free - Test Updates Debug (/etc/yum.repos.d/rpmfusion-free-updates-testing.repo)
  RPM Fusion for Fedora 42 - Free - Test Updates Source (/etc/yum.repos.d/rpmfusion-free-updates-testing.repo)
Downloading file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-42 for:
  RPM Fusion for Fedora 42 - Nonfree (/etc/yum.repos.d/rpmfusion-nonfree.repo)
  RPM Fusion for Fedora 42 - Nonfree - Debug (/etc/yum.repos.d/rpmfusion-nonfree.repo)
  RPM Fusion for Fedora 42 - Nonfree - Source (/etc/yum.repos.d/rpmfusion-nonfree.repo)
  RPM Fusion for Fedora 42 - Nonfree - Updates (/etc/yum.repos.d/rpmfusion-nonfree-updates.repo)
  RPM Fusion for Fedora 42 - Nonfree - Updates Debug (/etc/yum.repos.d/rpmfusion-nonfree-updates.repo)
  RPM Fusion for Fedora 42 - Nonfree - Updates Source (/etc/yum.repos.d/rpmfusion-nonfree-updates.repo)
  RPM Fusion for Fedora 42 - Nonfree - Test Updates (/etc/yum.repos.d/rpmfusion-nonfree-updates-testing.repo)
  RPM Fusion for Fedora 42 - Nonfree - Test Updates Debug (/etc/yum.repos.d/rpmfusion-nonfree-updates-testing.repo)
  RPM Fusion for Fedora 42 - Nonfree - Test Updates Source (/etc/yum.repos.d/rpmfusion-nonfree-updates-testing.repo)
Downloading file:///usr/share/distribution-gpg-keys/rpmfusion/RPM-GPG-KEY-rpmfusion-nonfree-fedora-42 for:
  RPM Fusion for Fedora 42 - Nonfree - NVIDIA Driver (/etc/yum.repos.d/rpmfusion-nonfree-nvidia-driver.repo)
  RPM Fusion for Fedora 42 - Nonfree - NVIDIA Driver Debug (/etc/yum.repos.d/rpmfusion-nonfree-nvidia-driver.repo)
  RPM Fusion for Fedora 42 - Nonfree - NVIDIA Driver Source (/etc/yum.repos.d/rpmfusion-nonfree-nvidia-driver.repo)
  RPM Fusion for Fedora 42 – Nonfree – Steam (/etc/yum.repos.d/rpmfusion-nonfree-steam.repo)
  RPM Fusion for Fedora 42 – Nonfree – Steam Debug (/etc/yum.repos.d/rpmfusion-nonfree-steam.repo)
  RPM Fusion for Fedora 42 – Nonfree – Steam Source (/etc/yum.repos.d/rpmfusion-nonfree-steam.repo)
Downloading https://brave-browser-rpm-release.s3.brave.com/brave-core.asc for:
  Brave Browser (/etc/yum.repos.d/brave-browser.repo)
Downloading https://dl.google.com/linux/linux_signing_key.pub for:
  google-chrome (/etc/yum.repos.d/google-chrome.repo)
Downloading https://download.copr.fedorainfracloud.org/results/bgstack15/palemoon/pubkey.gpg for:
  Copr repo for palemoon owned by bgstack15 (/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:bgstack15:palemoon.repo)
Downloading https://download.copr.fedorainfracloud.org/results/chriscowleyunix/better_fonts/pubkey.gpg for:
  Copr repo for better_fonts owned by chriscowleyunix (/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:chriscowleyunix:better_fonts.repo)
Downloading https://download.copr.fedorainfracloud.org/results/elxreno/preload/pubkey.gpg for:
  Copr repo for preload owned by elxreno (/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:elxreno:preload.repo)
Downloading https://download.copr.fedorainfracloud.org/results/kwizart/kernel-longterm-6.12/pubkey.gpg for:
  Copr repo for kernel-longterm-6.12 owned by kwizart (/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:kwizart:kernel-longterm-6.12.repo)
Downloading https://download.copr.fedorainfracloud.org/results/kwizart/kernel-longterm-6.6/pubkey.gpg for:
  Copr repo for kernel-longterm-6.6 owned by kwizart (/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:kwizart:kernel-longterm-6.6.repo)
Downloading https://download.copr.fedorainfracloud.org/results/phracek/PyCharm/pubkey.gpg for:
  Copr repo for PyCharm owned by phracek (/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:phracek:PyCharm.repo)
Downloading https://repo.vivaldi.com/archive/linux_signing_key.pub for:
  vivaldi (/etc/yum.repos.d/vivaldi-fedora.repo)
Total affected keys: 0

Thanks for your kind help.

Day 2

See, not fixed.

$ LANG=C sudo dnf upgrade --refresh
Updating and loading repositories:
 Copr repo for kernel-longterm-6.12 owned by kwizart                                                                    100% |  24.2 KiB/s |   1.5 KiB |  00m00s
 Copr repo for better_fonts owned by chriscowleyunix                                                                    100% |  25.7 KiB/s |   1.5 KiB |  00m00s
 Brave Browser                                                                                                          100% |  39.5 KiB/s |   2.0 KiB |  00m00s
 Copr repo for preload owned by elxreno                                                                                 100% |  21.9 KiB/s |   1.5 KiB |  00m00s
 Copr repo for palemoon owned by bgstack15                                                                              100% |  21.3 KiB/s |   1.5 KiB |  00m00s
 Fedora 42 - x86_64                                                                                                     100% |  71.9 KiB/s |  29.8 KiB |  00m00s
 Dangerzone repository                                                                                                  100% |  38.0 KiB/s |   3.0 KiB |  00m00s
 Copr repo for PyCharm owned by phracek                                                                                 100% |  31.5 KiB/s |   2.1 KiB |  00m00s
 Fedora 42 - x86_64 - Updates                                                                                           100% |  80.5 KiB/s |  30.2 KiB |  00m00s
 Fedora 42 openh264 (From Cisco) - x86_64                                                                               100% |   6.3 KiB/s | 989.0   B |  00m00s
 RPM Fusion for Fedora 42 - Free                                                                                        100% |  10.2 KiB/s |   4.1 KiB |  00m00s
 RPM Fusion for Fedora 42 - Free - Updates                                                                              100% |  86.3 KiB/s |   3.8 KiB |  00m00s
 RPM Fusion for Fedora 42 – Nonfree – Steam                                                                         100% |  17.9 KiB/s |   6.4 KiB |  00m00s
 RPM Fusion for Fedora 42 - Nonfree - Updates                                                                           100% | 139.6 KiB/s |   6.3 KiB |  00m00s
 RPM Fusion for Fedora 42 - Nonfree                                                                                     100% |  19.1 KiB/s |   6.9 KiB |  00m00s
 vivaldi                                                                                                                100% |  83.5 KiB/s |   3.0 KiB |  00m00s
Repositories loaded.
gpg: WARNING: No valid encryption subkey left over.
The following OpenPGP key (0x33EAAB8E) is about to be removed:
 Reason     : Expired on 2025-02-28 13:24:59
 UserID     : "Vivaldi Package Composer KEY09 <packager@vivaldi.com>"
 Fingerprint: 336018F263FA000065CED7C6124F149833EAAB8E

As a result, installing packages signed with this key will fail.
It is recommended to remove the expired key to allow importing
an updated key. This might leave already installed packages unverifiable.

The system will now proceed with removing the key.
Is this ok [Y/n]: 

We have provided at least 2 ways to remove expired keys.
Did both of them fail to remove the expired Vivaldi key?

You will have to figure out how to get a valid Vivaldi key.

They were removed. I provided the output: Annoyance. DNF is asking me day after day to remove the same expired encryption key - #8 by josevillani

DNF upgrade redownloads it. And back to case one. Problem could very well be with vivaldi.

I saw a similar problem in the past on debian where apt redownloaded the same identical nginx version day after day.

Check this way:

dnf --dump-repo-config='*' | grep -e 'gpg.*/' | sort -u
rpm -q -a '*vivaldi*'
cat $(rpm -q -a -l '*vivaldi*') 2> /dev/null | gpg --show-keys
rpm -q -a --scripts --triggers '*vivaldi*' | gpg --show-keys
curl https://repo.vivaldi.com/archive/linux_signing_key.pub | gpg --show-keys
sudo find /etc -iname '*vivaldi*'
2 Likes

Thanks again.

I’ve checked today and dnf upgrade did not redownload the offending key. Might be a cron.daily job though. Will post config right after I post the output to your commands.

$ dnf --dump-repo-config='*' | grep -e 'gpg.*/' | sort -u
rpm -q -a '*vivaldi*'
cat $(rpm -q -a -l '*vivaldi*') 2> /dev/null | gpg --show-keys
rpm -q -a --scripts --triggers '*vivaldi*' | gpg --show-keys
curl https://repo.vivaldi.com/archive/linux_signing_key.pub | gpg --show-keys
sudo find /etc -iname '*vivaldi*'
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-42-x86_64
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-42
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-42
gpgkey = file:///usr/share/distribution-gpg-keys/rpmfusion/RPM-GPG-KEY-rpmfusion-nonfree-fedora-42
gpgkey = https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
gpgkey = https://dl.google.com/linux/linux_signing_key.pub
gpgkey = https://download.copr.fedorainfracloud.org/results/bgstack15/palemoon/pubkey.gpg
gpgkey = https://download.copr.fedorainfracloud.org/results/chriscowleyunix/better_fonts/pubkey.gpg
gpgkey = https://download.copr.fedorainfracloud.org/results/elxreno/preload/pubkey.gpg
gpgkey = https://download.copr.fedorainfracloud.org/results/kwizart/kernel-longterm-6.12/pubkey.gpg
gpgkey = https://download.copr.fedorainfracloud.org/results/phracek/PyCharm/pubkey.gpg
gpgkey = https://packages.freedom.press/yum-tools-prod/fpf-yum-tools-archive-keyring.gpg
gpgkey = https://repo.vivaldi.com/archive/linux_signing_key.pub
vivaldi-stable-6.8.3381.46-1.x86_64
pub   rsa4096 2023-01-10 [SC] [expirée : 2025-02-28]
      336018F263FA000065CED7C6124F149833EAAB8E
uid                      Vivaldi Package Composer KEY09 <packager@vivaldi.com>
sub   rsa4096 2023-01-10 [E] [expirée : 2025-02-28]

gpg: WARNING: No valid encryption subkey left over.
pub   rsa4096 2024-01-23 [SC] [expire : 2026-02-11]
      C2A2445B0EC3B396BD526E31F739AAC074C35BC8
uid                      Vivaldi Package Composer KEY10 <packager@vivaldi.com>
sub   rsa4096 2024-01-23 [E] [expire : 2026-02-11]

pub   rsa4096 2023-01-10 [SC] [expirée : 2025-02-28]
      336018F263FA000065CED7C6124F149833EAAB8E
uid                      Vivaldi Package Composer KEY09 <packager@vivaldi.com>
sub   rsa4096 2023-01-10 [E] [expirée : 2025-02-28]

gpg: WARNING: No valid encryption subkey left over.
pub   rsa4096 2024-01-23 [SC] [expire : 2026-02-11]
      C2A2445B0EC3B396BD526E31F739AAC074C35BC8
uid                      Vivaldi Package Composer KEY10 <packager@vivaldi.com>
sub   rsa4096 2024-01-23 [E] [expire : 2026-02-11]

pub   rsa4096 2023-01-10 [SC] [expirée : 2025-02-28]
      336018F263FA000065CED7C6124F149833EAAB8E
uid                      Vivaldi Package Composer KEY09 <packager@vivaldi.com>
sub   rsa4096 2023-01-10 [E] [expirée : 2025-02-28]

gpg: WARNING: No valid encryption subkey left over.
pub   rsa4096 2024-01-23 [SC] [expire : 2026-02-11]
      C2A2445B0EC3B396BD526E31F739AAC074C35BC8
uid                      Vivaldi Package Composer KEY10 <packager@vivaldi.com>
sub   rsa4096 2024-01-23 [E] [expire : 2026-02-11]

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3175  100  3175    0     0  56521      0 --:--:-- --:--:-- --:--:-- 56696
pub   rsa4096 2024-01-23 [SC] [expire : 2026-02-11]
      C2A2445B0EC3B396BD526E31F739AAC074C35BC8
uid                      Vivaldi Package Composer KEY10 <packager@vivaldi.com>
sub   rsa4096 2024-01-23 [E] [expire : 2026-02-11]

/etc/alternatives/vivaldi
/etc/default/vivaldi
/etc/cron.daily/vivaldi
/etc/yum.repos.d/vivaldi-fedora.repo
user@user:~$ cat /etc/default/vivaldi
repo_add_once="false"

user@user:~$ cat /etc/cron.daily/vivaldi
#!/bin/sh
#
# Copyright 2009 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# This script is part of the vivaldi package.
#
# It creates the repository configuration file for package updates, since
# we cannot do this during the vivaldi installation since the repository
# is locked.
#
# This functionality can be controlled by creating the $DEFAULTS_FILE and
# setting "repo_add_once" to "true" or "false" as desired. An empty
# $DEFAULTS_FILE is the same as setting the value to "false".

# System-wide package configuration.
DEFAULTS_FILE="/etc/default/vivaldi"

# sources.list setting for vivaldi updates.
REPOCONFIG="https://repo.vivaldi.com/archive/rpm"
REPOCONFIGREGEX=""

# import Vivaldi public key updates from Vivaldi repo
# Vivaldi public key updates

# Remove expired repository/package signing key (4218647E), if present.
remove_old_rpm_key() {
  rpm -q gpg-pubkey-4218647e >/dev/null 2>&1
  if [ "$?" -eq "0" ]; then
    rpm -e gpg-pubkey-4218647e >/dev/null 2>&1
  fi
}

# Install the repository/package signing key (33EAAB8E), if it isn't already.
install_rpm_key() {
  # Check to see if the key already exists.
  rpm -q gpg-pubkey-33eaab8e >/dev/null 2>&1
  if [ "$?" -eq "0" ]; then
    # Keys already exist
    return 0
  fi

  # RPM on Mandriva 2009 is dumb and does not understand "rpm --import -"
  TMPKEY=$(mktemp /tmp/vivaldi.sig.XXXXXX)
  if [ -n "$TMPKEY" ]; then
    cat > "$TMPKEY" <<KEYDATA
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGO9ZysBEACeLmXsTfEk6Msqskhkr+fU2uFTinefc6o8p1T9uRVkBiIM641/
n76LtmGuGQkIsDi+a6XkdNE08hn8IHru3Ir5m2/oku8lP99U0iHjKpF6D/37xxJa
5w9NyOQwusd3p4mPY+QB284ngMPPKIO0dudCfnRAPNzZejSwJ/rqoakMpBSPLn6j
U4la52aCfa25dtz2xpE6Q7mAvmi/zX/33ZdY71fJdoALXduQCLOMHj4i7J3BR8uQ
cC9KdJCm2DfaZAL2hz7+U8PeNkd7JOaKV+0nNYUhTN9zfE52vZq3SYWbCmBxlW7h
N+djIVtn85z/9xZX9fhDA8FKxIqL7SThPGZa/M4K7k+hlDxlZ3qhUCOfSN8L0zbk
/3iFb8K7h5YJbg5W5Cmm6bGQHPS9Urb2pAPaXn65fZYTEyGq0KN2aely4bq+HisK
a0N+aqrFeslCa2fJHom2BNle+Yy4Ys18xZ+I8Fji7HGQ6y8PcivaOw29R7Cspn/N
JEVZeR/jPXXylB0jf2zN1tOj7PKKvW3n6I6i3zd69OepkV/hBD9xLUqb0M+QSRGQ
3CMPCCvJA3A5D2UfPY+DSZNMkYG+p97mNEVqgOgBHZzz4wKTK92zF2GcvcdEsqtd
ukcQ9w/gLVU3Vv5KDUAB23wIqm1Jdo3JXRqZge5f2/EV41rVI7vRx63GdQARAQAB
tDVWaXZhbGRpIFBhY2thZ2UgQ29tcG9zZXIgS0VZMDkgPHBhY2thZ2VyQHZpdmFs
ZGkuY29tPokCVAQTAQoAPhYhBDNgGPJj+gAAZc7XxhJPFJgz6quOBQJjvWcrAhsD
BQkEBFIABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEBJPFJgz6quOQJsP/Aqb
nLZAO9C3Hmljz0O5B+Ms2FXMVM/KF9DwIdV+AIiwf/WloPRbomYKapTRYIhPsQOU
Ol2C1IvSp3Em2fQM6dtMPzDDs7NkY0wGOVBHWVHeaXinxcPaZUY4Jd+QKsI0q3sd
NJcVMuX60/+cmJ2nzNZNfdxAmcXl2g9/QJpBXyrgTHS4C2EtvkhdEFHvUzg28ne8
5WFsNDVGJqiNpgS+GFbL9lxxHBe5KDZBnJXzURnvS63CnbbZiP5mHk0Xp7849yF1
3WYZYI5L6aZjpAxExpz6hyKz8TLLcCdB+lV98PYlJBSR556dmmR27xCiYjgIYdY2
HhjdwrJN9ARz5RNdFUsne0JXIoFwR8UI6rBPh7dLhQGg9FU5K4ACrcItksnlgc7S
9a9qTBZUhY9pqAS2hn1xKYbNo7xTV2z+afYsvkrv68SuEEOngMLDGNA/i/zUI541
XuJ1htMVDRTEmbApJapEfDr0Y0YoiCfVaTor5YxJw6eO6SC4+TCfcKNsmSwHkj+i
rVcliWNCs0MoUUhthRbKwdPndQgvGioCHFz+KfHOuPK/RAoMrriKxAw1pBTjG8Y0
zWzMKaMTBH7AkHzkT0qXjZhEFEaSFLFJa1OSKQNoodqxOGCDI/JEPvz8kXIAKcGV
1yPctq/EQJJGP3SyqnQON8sYaog3I4xuwLCpO+UduQINBGO9ZysBEACYB6sAsXwU
dBUWjQgWBvx5Sb3K/yrk9+Wj4ahdHOhFFtH//xI1170Jeac3iFONUJJ69dBwOY8I
rPtpsl8pz+/Sr0+4cqyR5whkxuRAqqMKI47F+Voi/I931T4pV8fNcz5Y5rZaEkfx
fUFl6mkGdKzVBdlxkbdcTSFr5gIb0UYQvRc9TzsNO9OFly6sR9Iz/T4h5S7/k1qa
gpiVJeT6il2QiY2OBhSUfmlvBItadCD4ZrFvFeNREyDQ7xJ/mU46R39AGTtqt1Qm
uSdCO1+z6JSToD9x6xv/eF5uLbvztogj9yEw3t8AubRT253dMLLfHm8lnYdC8GwF
el9L0+s5ex2Dj4xyxZosV3dwQXk/oaHefW9BjcQLxGkOH0gBt+ZQ+mHUlI4kgOXQ
guHKuCrBycT5DyrrbQbPFp3kQXbLzKNym7eWHnbvZx6uIQSu70QvBo9zPRiurC7A
4ofKcpvJdRhbojmc9ekprM2hDZEcsyiT0t/6W8+zfxyGBLK4pLMkuhGB8VQV+U7W
vIxkRQLqpzo0nzEEOkxxBSI+O6hLDeZVOLBhuLW49K1E2zfDp6PWoDMEccT684+Z
Pvz/ytVr3jBYHkaMH4Djzxl/BuSMA+njljpzjPvdpjSsCQ753IyqudXQ1aVscfrr
I31OB1JVAjCyziBpGVyNlOjVpYukWLoReQARAQABiQI8BBgBCgAmFiEEM2AY8mP6
AABlztfGEk8UmDPqq44FAmO9ZysCGwwFCQQEUgAACgkQEk8UmDPqq44Jkg/9F2ru
pFszfK9Qes8lMZ/7bqMZam45cIYURQY+6BJ8yqvj8u3we/uiGb0dwF+zOt4TkJU+
U7bqNEyB4pZsOoAQlYA/YPa4y0jTTJKFdjnKIXo/LaqKz8Mc7ONpOZHGZ25MGL+/
vxMYX2Pi0dNGsyqFBXRwuSs1Mx0sJunFf/qyIfwC3CCf6TWlAfCMNlNhoQ4idNmG
Q4hZq0BZFROjNKKuOm+Dm6qYo6VDjP/C+ttgo+N+kydq6Ieytbecys+aQBSFstuJ
ilhj9sRVmFDEze6Q4D2Q5dnuuT3ZET0U1aQ4KOcCUnPA5xrEb/iB/W3n76A/IS+4
2XHIwU8KgpQGMOegE1L9KSX9/ps1BEu1C9z10MmUZBchKydoSJBbTZKh+7+aixsK
7ruWpgU6qLxx+dqTZ7CF55m6JxAwrbbamSFfW91NA4yoNAMtkDx5KP9/fLoVnZum
B6LrSiXbD+mMJ/IqGpFSSH95EjLJO0c8U49MbQVgB5aHgt50k9sq8HtoJ7ewpEmT
sz4xGk7qg09h2SBhBWpiol7i3S96n8BdZOzpjBM0ZBu41foC9r2WFxJhs/vEnlqa
WFyoci3Fngd2+eymsme2AoQi0vHVYcLcL/0HjbU+f/5Cv0YFgj0mvoqFB+IG/ALH
KLjnVlvK3NkBqWBEmDSNS2yMqMM3KjvpwATqCUA=
=EWUm
-----END PGP PUBLIC KEY BLOCK-----
KEYDATA
    rpm --import "$TMPKEY" >/dev/null 2>&1
    rc=$?
    rm -f "$TMPKEY"
    if [ "$rc" -eq "0" ]; then
      return 0
    fi
  fi
  return 1
}

# Install another key (74C35BC8), if it isn't already, for future use.
install_future_rpm_key() {
  # Check to see if the key already exists.
  rpm -q gpg-pubkey-74c35bC8 >/dev/null 2>&1
  if [ "$?" -eq "0" ]; then
    # Keys already exist
    return 0
  fi

  # RPM on Mandriva 2009 is dumb and does not understand "rpm --import -"
  TMPKEY=$(mktemp /tmp/vivaldi.sig.XXXXXX)
  if [ -n "$TMPKEY" ]; then
    cat > "$TMPKEY" <<KEYDATA
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGWvppIBEADEP5eQWayPrhnAs/AQtBAqt9KVkb5exVWsuuneyNgGBq7e8xrg
2Mh4A5+Szj1PwjGgJeAmY2g50gXHJ4rygchCZmxZ09vcBB+s7HXfzp0SNN+LEAzu
Pb0s5Vl4XFW4sgpglB06R65+tIfQJqyPUJK9I8of8417/IAu/kL8IQU93mH0CzIJ
7sK9PAN/LIwdcbDeGwuQJWYgZAlclBcLQc2uG/FBAsCxyBfyv8vSCcJrNXvmFJnS
b1iS903t7GXpOkeIXTt4TcjXQ56IqY+UeCgY7GVZ+3ej6d0x+smfay8o26qdbktl
kjoUSICun+8UdcXBhNjWqscQrv/9Z8h6In6OoyjSf0NtcppI+9UFB7csGm6ySZ5U
E65uUD8evDnocfXhxIiPMhfi01PAAO6CyLMCA9ZytzPZDrIUct13m4YMWdKRtE0I
TRO4FX9Ev0iKyhfS8WNQ95ZtDUZMTyqMeP88SyIOnxIhRRZSNCXnuzxZbPloEuEF
mPY45zRr2mvICZg3d4TLhm8tyvYPgC6C0cEaWcjgRZVKsVl1c4n8N//6GtmlhcrF
V1kbUNVwLt1H8GYsIs7EqyiEI44ciFCNJY+Xccze8LFjwsBz0ro6wvV5N5wA8tIG
RAc2H5qbEoESmd5sF85mnRlXxKF7hz1R8QtbEJCAhht8AifuukOPzdGS8QARAQAB
tDVWaXZhbGRpIFBhY2thZ2UgQ29tcG9zZXIgS0VZMTAgPHBhY2thZ2VyQHZpdmFs
ZGkuY29tPokCVAQTAQoAPhYhBMKiRFsOw7OWvVJuMfc5qsB0w1vIBQJlr6aSAhsD
BQkD3MUABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEPc5qsB0w1vI/pEP/jIc
X+DBSe26osMa1bYDHIGqkRhltLYY6Sjpp0R1l6rmtUuwSER8tuxeDlh2PzkmPwKi
WdvfW1jT1VPUS0RVeOV0Dg0LLH4mgbTGj9aXWLmX1j9QGuXWUasf+ozeHF/cjlDE
KfdzY7mFsDmwHyapZBky/e8szIIagBJBxvAFLgvvezY74RQ5P8RuhbYHY9Nv8LWj
21HhBvUv9sT0OFEtCGNF2VFFKRXjwy07M/hsLoFC4Z/vBBnDIpZlHZmCqqGwo9yg
4afozlIkqUbwJtNcyqybgZjC9wZRfnKGpD6wvDrhL3sSgqnvreQyCju+OWHn6X23
giBwmY7FFuoRi5H24o5qyifQ59UzrU5cgiJCttjBfMi2Zfzz1iCWd87+luw/V4HR
QBWPUGyY6Q9+/8UNEPPy/3kkg0DeuQVR1bogrIiUwqfgOhF1RoWiXONFGIETrykL
kTHlklz7Yc8K+xCrIr22YBwuuMp+953u/RH22m2HipIBwXehIN+p98lUuKpGtfwz
KGninsXPQeBALq++9ELWmtRkUJ0KzveNqTqFU7P1DlIcRXK/94KPK1JrRCu/2nhw
J5Z1EJuZdZ8pkRv7gKopnwIXnNQYjAlgk95ol0AQNmvDZ3qyPFJzN+TfDKbxG3ol
0ZEPYddcymvt8eUCpRmAEDQuX6Wv1JO/bkJIq26MuQINBGWvppIBEACldmKPWvDd
fOiYBgcaIytEDj+FQaLjLJtd/fsdF10cok6tatQpBo5UIvtQOHtdjIoL8udKGqT6
8Zm7+xxsUwOVCNoYhaIJg/IzU9FrjjZ0wqGQWGntdbcSweejQkzkFbCiWMoXTFEV
yac8ETwErpf2oRNb1n7zJtKN1ctJwGO/amVuy1XxLk/aEi0wC0zgkaSObZXxTSZH
IhZah+a0Ua31kD0hd3OriftQw1eqskDkgpPyUe0KRemGD7bJB+dtuQLF2w30AcPO
0ufPG6pK6Y6VOFCDIMFpfkYtbIIyhtyrAmvduXXFC+KxnCHuIi52b+PcP3E44WBt
7EE37jlxxErabzQN8GTnyvELnXA9eiShmwTIVfp+W3AsIT5C+J2TBcHn0ThJ3zL+
P5xzDgnZ/y3k5qIl5t+xrVmhGcSdZtzg6muyOT9pCXCaTpqjmMBqNGMLdBFgNoUq
lQ54/88eXlsSQDb0E7a/uQAKwKKU3i7rWt//wOwaW+6tW0TsK2th2RLBpje+3Shi
diOm1gAeyWhO5XcZYZndu65pnyrvuX3i2+rKkpTSkpGAF69i0cG2hXlOkjSjGnEp
2IhvE2erywZZAY+ktasQspoLD/oN6HZkZhG6wQ8I8N5cfs/D2VryZ2PHiCT2IHPg
a3lXl40sWDtzrBDtsQeiDeeZ+GCAbmqRdwARAQABiQI8BBgBCgAmFiEEwqJEWw7D
s5a9Um4x9zmqwHTDW8gFAmWvppICGwwFCQPcxQAACgkQ9zmqwHTDW8gCVg/+MwU6
P+Ii7Kdn2BXH+BeZCrlB6/5tMsbYkaMgidpxJe07CwLO1kIwiR9EmepbcJbq2qGd
I8KNwb9hIl3mEkn5gmin9NfAo+WozeHZi3y1L4XIxlPLZqs3rn5iMPfqJSwbo59J
CUtJsYU8btL6dcWFcgUoqF/DN20VvrS837Ro0NppNLDPyFcjoTpWgEdf8t0hZtD1
/tzi6PVu9IN17i6yhzSR2IGUiun98k9DOC2QbPtg60WF9KVmycz2vgg8KJck9YgV
1nJ6qSKLii7tBlbHI9cKEqUAxEnaSyfoyKQjOmsx9MUQQ3O8oiarAlICOANo7Twq
mNecHjABcLs6eV4Ta0BLByas8RWjcWi0mBIe3BF/MzF3JyvL446UFOaHHynOjNdJ
rzUIaZtUGOvSUszNYOYm7qPGpmifDq3Tdph9wyNM8otI8IG7M8WI2HSZqcDi/urH
91433HAV2yS3G+LwXBX9mM3PpktNur+OChCX6p3Lv+9PPCxB5wl9OmuGusK+4f94
PBYDWOfoBOpBBsWNvED+3goFrU+CWtDMsXEKiaMg6TPpKWB+anqgMZR6JEYr3FuA
fo9Sa2sKm+dYTrNerUJVr5MW2FtiIVqAyTlsNqHB1z3EmfQQoYhlmtNax+p0qW6Y
GgUqMpeO5Nzvc5+8UBcSfmOp/cVgxKMaXP0rlRU=
=/N0X
-----END PGP PUBLIC KEY BLOCK-----
KEYDATA
    rpm --import "$TMPKEY" >/dev/null 2>&1
    rc=$?
    rm -f "$TMPKEY"
    if [ "$rc" -eq "0" ]; then
      return 0
    fi
  fi
  return 1
}

determine_rpm_package_manager() {
  local RELEASE

  # Modern method using os-release(5)
  if [ -f "/etc/os-release" ]; then
    RELEASE=$(. "/etc/os-release"; echo "$ID")
    case $RELEASE in
    "fedora"|"rhel"|"centos"|"amzn"|"mageia"|"openmandriva")
      PACKAGEMANAGERS=(yum)
      ;;
    "suse"|"sles"|"sled"|"opensuse"|"opensuse-leap"|"opensuse-tumbleweed")
      PACKAGEMANAGERS=(zypp)
      ;;
    esac
  fi

  if [ "$PACKAGEMANAGERS" ]; then
    return
  fi

  # Fallback method using lsb_release(1)
  LSB_RELEASE="$(command -v lsb_release 2> /dev/null)"
  if [ -x "$LSB_RELEASE" ]; then
    RELEASE=$(lsb_release -i 2> /dev/null | sed 's/:\t/:/' | cut -d ':' -f 2-)
    case $RELEASE in
    "Fedora"|"Amazon"|"Mageia"|"OpenMandrivaLinux")
      PACKAGEMANAGERS=(yum)
      ;;
    "SUSE LINUX"|"openSUSE")
      PACKAGEMANAGERS=(zypp)
      ;;
    esac
  fi

  if [ "$PACKAGEMANAGERS" ]; then
    return
  fi

  # Fallback methods that are probably unnecessary on modern systems.
  if [ -f "/etc/fedora-release" ] || [ -f "/etc/redhat-release" ]; then
    PACKAGEMANAGERS=(yum)
  elif [ -f "/etc/system-release" ] && grep -Fq "Amazon Linux" "/etc/system-release"; then
    PACKAGEMANAGERS=(yum)
  elif [ -f "/etc/SuSE-release" ]; then
    PACKAGEMANAGERS=(zypp)
  fi
}

DEFAULT_ARCH="x86_64"
YUM_REPO_FILE="/etc/yum.repos.d/vivaldi.repo"
ZYPPER_REPO_FILE="/etc/zypp/repos.d/vivaldi.repo"

install_yum() {
  install_rpm_key

  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  if [ -d "/etc/yum.repos.d" ]; then
cat > "$YUM_REPO_FILE" << REPOCONTENT
[vivaldi]
name=vivaldi
baseurl=$REPOCONFIG/$DEFAULT_ARCH
enabled=1
gpgcheck=1
gpgkey=https://repo.vivaldi.com/archive/linux_signing_key.pub
REPOCONTENT
  fi
}

install_zypp() {
  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  # Ideally, we would run: zypper addrepo -t YUM -f \
  # "$REPOCONFIG/$DEFAULT_ARCH" "vivaldi"
  # but that does not work when zypper is running.
  if [ -d "/etc/zypp/repos.d" ]; then
cat > "$ZYPPER_REPO_FILE" << REPOCONTENT
[vivaldi]
name=vivaldi
enabled=1
autorefresh=1
baseurl=$REPOCONFIG/$DEFAULT_ARCH
gpgcheck=1
gpgkey=https://repo.vivaldi.com/archive/linux_signing_key.pub
type=rpm-md
keeppackages=0
REPOCONTENT
  fi
}

# Check if the automatic repository configuration is done, so we know when to
# stop trying.
verify_install() {
  # It's probably enough to see that the repo configs have been created. If they
  # aren't configured properly, update_bad_repo should catch that when it's run.
  case $1 in
  "yum")
    [ -f "$YUM_REPO_FILE" ]
    ;;
  "zypp")
    [ -f "$ZYPPER_REPO_FILE" ]
    ;;
  esac
}

# Update the Google repository if it's not set correctly.
update_bad_repo() {
  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  determine_rpm_package_manager

  for PACKAGEMANAGER in ${PACKAGEMANAGERS[*]}
  do
    case $PACKAGEMANAGER in
    "yum")
      update_repo_file "$YUM_REPO_FILE"
      ;;
    "zypp")
      update_repo_file "$ZYPPER_REPO_FILE"
      ;;
    esac
  done
}

update_repo_file() {
  REPO_FILE="$1"

  # Don't do anything if the file isn't there, since that probably means the
  # user disabled it.
  if [ ! -r "$REPO_FILE" ]; then
    return 0
  fi

  # Check if the correct repository configuration is in there.
  REPOMATCH=$(grep "^baseurl=$REPOCONFIG/$DEFAULT_ARCH" "$REPO_FILE" \
    2>/dev/null)
  # If it's there, nothing to do
  if [ "$REPOMATCH" ]; then
    return 0
  fi

  # Check if it's there but disabled by commenting out (as opposed to using the
  # 'enabled' setting).
  MATCH_DISABLED=$(grep "^[[:space:]]*#.*baseurl=$REPOCONFIG/$DEFAULT_ARCH" \
    "$REPO_FILE" 2>/dev/null)
  if [ "$MATCH_DISABLED" ]; then
    # It's OK for it to be disabled, as long as nothing bogus is enabled in its
    # place.
    ACTIVECONFIGS=$(grep "^baseurl=.*" "$REPO_FILE" 2>/dev/null)
    if [ ! "$ACTIVECONFIGS" ]; then
      return 0
    fi
  fi

  # If we get here, the correct repository wasn't found, or something else is
  # active, so fix it. This assumes there is a 'baseurl' setting, but if not,
  # then that's just another way of disabling, so we won't try to add it.
  sed -i -e "s,^baseurl=.*,baseurl=$REPOCONFIG/$DEFAULT_ARCH," "$REPO_FILE"
}

# We only remove the repository configuration during a purge. Since RPM has
# no equivalent to dpkg --purge, the code below is actually never used. We
# keep it only for reference purposes, should we ever need it.
#
#remove_yum() {
#  rm -f "$YUM_REPO_FILE"
#}
#
#remove_zypp() {
#  # Ideally, we would run: zypper removerepo "vivaldi"
#  # but that does not work when zypper is running.
#  rm -f /etc/zypp/repos.d/vivaldi.repo
#}

DEFAULT_ARCH="x86_64"

get_lib_dir() {
  if [ "$DEFAULT_ARCH" = "i386" ] || [ "$DEFAULT_ARCH" = "armhf" ] || \
      [ "$DEFAULT_ARCH" = "mipsel" ]; then
    LIBDIR=lib
  elif [ "$DEFAULT_ARCH" = "x86_64" ] || [ "$DEFAULT_ARCH" = "aarch64" ] || \
        [ "$DEFAULT_ARCH" = "mips64el" ]; then
    LIBDIR=lib64
  else
    echo Unknown CPU Architecture: "$DEFAULT_ARCH"
    exit 1
  fi
}

## MAIN ##
if [ -r "$DEFAULTS_FILE" ]; then
  . "$DEFAULTS_FILE"
fi

remove_old_rpm_key
install_rpm_key
install_future_rpm_key

if [ "$repo_add_once" = "true" ]; then
  determine_rpm_package_manager

  # Let's run through this for each supported package manager as detected...
  for PACKAGEMANAGER in ${PACKAGEMANAGERS[*]}
  do
    # The initial install happens in the post-install scripts, but there have been
    # reports of configuration problems, so just verify that everything looks
    # good, and if not, try to install again.
    verify_install $PACKAGEMANAGER
    if [ $? -ne 0 ]; then
      install_${PACKAGEMANAGER}
    fi
  done

  if [ $? -eq 0 ]; then
    # Do this for each supported package manager...
    for PACKAGEMANAGER in ${PACKAGEMANAGERS[*]}
    do
      # Before we quit auto-configuration, check that everything looks sane, since
      # part of this happened during package install and we don't have the return
      # value of that process.
      verify_install $PACKAGEMANAGER
      if [ $? -eq 0 ]; then
        sed -i -e 's/[[:space:]]*repo_add_once=.*/repo_add_once="false"/' \
          "$DEFAULTS_FILE"
      fi
    done
  fi
else
  update_bad_repo
fi

user@user:~$ cat /etc/yum.repos.d/vivaldi-fedora.repo
[vivaldi]
name=vivaldi
enabled=1
baseurl=https://repo.vivaldi.com/archive/rpm/$basearch
gpgcheck=1
gpgkey=https://repo.vivaldi.com/archive/linux_signing_key.pub

user@user:~$ vivaldi --version
Vivaldi 6.8.3381.46 stable

Looks like it’s the /etc/cron.daily/vivaldi redownloading the expired key. I normally don’t upgrade browsers unless they stopped working. Here’s the proposed replacement script to fix the issue:

#!/bin/sh
#
# Copyright 2009 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# This script is part of the vivaldi package.
#
# It creates the repository configuration file for package updates, since
# we cannot do this during the vivaldi installation since the repository
# is locked.
#
# This functionality can be controlled by creating the $DEFAULTS_FILE and
# setting "repo_add_once" to "true" or "false" as desired. An empty
# $DEFAULTS_FILE is the same as setting the value to "false".

# System-wide package configuration.
DEFAULTS_FILE="/etc/default/vivaldi"

# sources.list setting for vivaldi updates.
REPOCONFIG="https://repo.vivaldi.com/archive/rpm"
REPOCONFIGREGEX=""

# import Vivaldi public key updates from Vivaldi repo
# Vivaldi public key updates

# Remove expired repository/package signing key (4218647E), if present.
remove_old_rpm_key() {
  rpm -q gpg-pubkey-4218647e >/dev/null 2>&1
  if [ "$?" -eq "0" ]; then
    rpm -e gpg-pubkey-4218647e >/dev/null 2>&1
  fi
}

# Remove expired repository/package signing key (33EAAB8E), if present.
remove_old_rpm_key2() {
  rpm -q gpg-pubkey-33eaab8e >/dev/null 2>&1
  if [ "$?" -eq "0" ]; then
    rpm -e gpg-pubkey-33eaab8e >/dev/null 2>&1
  fi
}

# Install another key (74C35BC8), if it isn't already, for future use.
install_future_rpm_key() {
  # Check to see if the key already exists.
  rpm -q gpg-pubkey-74c35bC8 >/dev/null 2>&1
  if [ "$?" -eq "0" ]; then
    # Keys already exist
    return 0
  fi

  # RPM on Mandriva 2009 is dumb and does not understand "rpm --import -"
  TMPKEY=$(mktemp /tmp/vivaldi.sig.XXXXXX)
  if [ -n "$TMPKEY" ]; then
    cat > "$TMPKEY" <<KEYDATA
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGWvppIBEADEP5eQWayPrhnAs/AQtBAqt9KVkb5exVWsuuneyNgGBq7e8xrg
2Mh4A5+Szj1PwjGgJeAmY2g50gXHJ4rygchCZmxZ09vcBB+s7HXfzp0SNN+LEAzu
Pb0s5Vl4XFW4sgpglB06R65+tIfQJqyPUJK9I8of8417/IAu/kL8IQU93mH0CzIJ
7sK9PAN/LIwdcbDeGwuQJWYgZAlclBcLQc2uG/FBAsCxyBfyv8vSCcJrNXvmFJnS
b1iS903t7GXpOkeIXTt4TcjXQ56IqY+UeCgY7GVZ+3ej6d0x+smfay8o26qdbktl
kjoUSICun+8UdcXBhNjWqscQrv/9Z8h6In6OoyjSf0NtcppI+9UFB7csGm6ySZ5U
E65uUD8evDnocfXhxIiPMhfi01PAAO6CyLMCA9ZytzPZDrIUct13m4YMWdKRtE0I
TRO4FX9Ev0iKyhfS8WNQ95ZtDUZMTyqMeP88SyIOnxIhRRZSNCXnuzxZbPloEuEF
mPY45zRr2mvICZg3d4TLhm8tyvYPgC6C0cEaWcjgRZVKsVl1c4n8N//6GtmlhcrF
V1kbUNVwLt1H8GYsIs7EqyiEI44ciFCNJY+Xccze8LFjwsBz0ro6wvV5N5wA8tIG
RAc2H5qbEoESmd5sF85mnRlXxKF7hz1R8QtbEJCAhht8AifuukOPzdGS8QARAQAB
tDVWaXZhbGRpIFBhY2thZ2UgQ29tcG9zZXIgS0VZMTAgPHBhY2thZ2VyQHZpdmFs
ZGkuY29tPokCVAQTAQoAPhYhBMKiRFsOw7OWvVJuMfc5qsB0w1vIBQJlr6aSAhsD
BQkD3MUABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEPc5qsB0w1vI/pEP/jIc
X+DBSe26osMa1bYDHIGqkRhltLYY6Sjpp0R1l6rmtUuwSER8tuxeDlh2PzkmPwKi
WdvfW1jT1VPUS0RVeOV0Dg0LLH4mgbTGj9aXWLmX1j9QGuXWUasf+ozeHF/cjlDE
KfdzY7mFsDmwHyapZBky/e8szIIagBJBxvAFLgvvezY74RQ5P8RuhbYHY9Nv8LWj
21HhBvUv9sT0OFEtCGNF2VFFKRXjwy07M/hsLoFC4Z/vBBnDIpZlHZmCqqGwo9yg
4afozlIkqUbwJtNcyqybgZjC9wZRfnKGpD6wvDrhL3sSgqnvreQyCju+OWHn6X23
giBwmY7FFuoRi5H24o5qyifQ59UzrU5cgiJCttjBfMi2Zfzz1iCWd87+luw/V4HR
QBWPUGyY6Q9+/8UNEPPy/3kkg0DeuQVR1bogrIiUwqfgOhF1RoWiXONFGIETrykL
kTHlklz7Yc8K+xCrIr22YBwuuMp+953u/RH22m2HipIBwXehIN+p98lUuKpGtfwz
KGninsXPQeBALq++9ELWmtRkUJ0KzveNqTqFU7P1DlIcRXK/94KPK1JrRCu/2nhw
J5Z1EJuZdZ8pkRv7gKopnwIXnNQYjAlgk95ol0AQNmvDZ3qyPFJzN+TfDKbxG3ol
0ZEPYddcymvt8eUCpRmAEDQuX6Wv1JO/bkJIq26MuQINBGWvppIBEACldmKPWvDd
fOiYBgcaIytEDj+FQaLjLJtd/fsdF10cok6tatQpBo5UIvtQOHtdjIoL8udKGqT6
8Zm7+xxsUwOVCNoYhaIJg/IzU9FrjjZ0wqGQWGntdbcSweejQkzkFbCiWMoXTFEV
yac8ETwErpf2oRNb1n7zJtKN1ctJwGO/amVuy1XxLk/aEi0wC0zgkaSObZXxTSZH
IhZah+a0Ua31kD0hd3OriftQw1eqskDkgpPyUe0KRemGD7bJB+dtuQLF2w30AcPO
0ufPG6pK6Y6VOFCDIMFpfkYtbIIyhtyrAmvduXXFC+KxnCHuIi52b+PcP3E44WBt
7EE37jlxxErabzQN8GTnyvELnXA9eiShmwTIVfp+W3AsIT5C+J2TBcHn0ThJ3zL+
P5xzDgnZ/y3k5qIl5t+xrVmhGcSdZtzg6muyOT9pCXCaTpqjmMBqNGMLdBFgNoUq
lQ54/88eXlsSQDb0E7a/uQAKwKKU3i7rWt//wOwaW+6tW0TsK2th2RLBpje+3Shi
diOm1gAeyWhO5XcZYZndu65pnyrvuX3i2+rKkpTSkpGAF69i0cG2hXlOkjSjGnEp
2IhvE2erywZZAY+ktasQspoLD/oN6HZkZhG6wQ8I8N5cfs/D2VryZ2PHiCT2IHPg
a3lXl40sWDtzrBDtsQeiDeeZ+GCAbmqRdwARAQABiQI8BBgBCgAmFiEEwqJEWw7D
s5a9Um4x9zmqwHTDW8gFAmWvppICGwwFCQPcxQAACgkQ9zmqwHTDW8gCVg/+MwU6
P+Ii7Kdn2BXH+BeZCrlB6/5tMsbYkaMgidpxJe07CwLO1kIwiR9EmepbcJbq2qGd
I8KNwb9hIl3mEkn5gmin9NfAo+WozeHZi3y1L4XIxlPLZqs3rn5iMPfqJSwbo59J
CUtJsYU8btL6dcWFcgUoqF/DN20VvrS837Ro0NppNLDPyFcjoTpWgEdf8t0hZtD1
/tzi6PVu9IN17i6yhzSR2IGUiun98k9DOC2QbPtg60WF9KVmycz2vgg8KJck9YgV
1nJ6qSKLii7tBlbHI9cKEqUAxEnaSyfoyKQjOmsx9MUQQ3O8oiarAlICOANo7Twq
mNecHjABcLs6eV4Ta0BLByas8RWjcWi0mBIe3BF/MzF3JyvL446UFOaHHynOjNdJ
rzUIaZtUGOvSUszNYOYm7qPGpmifDq3Tdph9wyNM8otI8IG7M8WI2HSZqcDi/urH
91433HAV2yS3G+LwXBX9mM3PpktNur+OChCX6p3Lv+9PPCxB5wl9OmuGusK+4f94
PBYDWOfoBOpBBsWNvED+3goFrU+CWtDMsXEKiaMg6TPpKWB+anqgMZR6JEYr3FuA
fo9Sa2sKm+dYTrNerUJVr5MW2FtiIVqAyTlsNqHB1z3EmfQQoYhlmtNax+p0qW6Y
GgUqMpeO5Nzvc5+8UBcSfmOp/cVgxKMaXP0rlRU=
=/N0X
-----END PGP PUBLIC KEY BLOCK-----
KEYDATA
    rpm --import "$TMPKEY" >/dev/null 2>&1
    rc=$?
    rm -f "$TMPKEY"
    if [ "$rc" -eq "0" ]; then
      return 0
    fi
  fi
  return 1
}

determine_rpm_package_manager() {
  local RELEASE

  # Modern method using os-release(5)
  if [ -f "/etc/os-release" ]; then
    RELEASE=$(. "/etc/os-release"; echo "$ID")
    case $RELEASE in
    "fedora"|"rhel"|"centos"|"amzn"|"mageia"|"openmandriva")
      PACKAGEMANAGERS=(yum)
      ;;
    "suse"|"sles"|"sled"|"opensuse"|"opensuse-leap"|"opensuse-tumbleweed")
      PACKAGEMANAGERS=(zypp)
      ;;
    esac
  fi

  if [ "$PACKAGEMANAGERS" ]; then
    return
  fi

  # Fallback method using lsb_release(1)
  LSB_RELEASE="$(command -v lsb_release 2> /dev/null)"
  if [ -x "$LSB_RELEASE" ]; then
    RELEASE=$(lsb_release -i 2> /dev/null | sed 's/:\t/:/' | cut -d ':' -f 2-)
    case $RELEASE in
    "Fedora"|"Amazon"|"Mageia"|"OpenMandrivaLinux")
      PACKAGEMANAGERS=(yum)
      ;;
    "SUSE LINUX"|"openSUSE")
      PACKAGEMANAGERS=(zypp)
      ;;
    esac
  fi

  if [ "$PACKAGEMANAGERS" ]; then
    return
  fi

  # Fallback methods that are probably unnecessary on modern systems.
  if [ -f "/etc/fedora-release" ] || [ -f "/etc/redhat-release" ]; then
    PACKAGEMANAGERS=(yum)
  elif [ -f "/etc/system-release" ] && grep -Fq "Amazon Linux" "/etc/system-release"; then
    PACKAGEMANAGERS=(yum)
  elif [ -f "/etc/SuSE-release" ]; then
    PACKAGEMANAGERS=(zypp)
  fi
}

DEFAULT_ARCH="x86_64"
YUM_REPO_FILE="/etc/yum.repos.d/vivaldi.repo"
ZYPPER_REPO_FILE="/etc/zypp/repos.d/vivaldi.repo"

install_yum() {
  install_rpm_key

  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  if [ -d "/etc/yum.repos.d" ]; then
cat > "$YUM_REPO_FILE" << REPOCONTENT
[vivaldi]
name=vivaldi
baseurl=$REPOCONFIG/$DEFAULT_ARCH
enabled=1
gpgcheck=1
gpgkey=https://repo.vivaldi.com/archive/linux_signing_key.pub
REPOCONTENT
  fi
}

install_zypp() {
  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  # Ideally, we would run: zypper addrepo -t YUM -f \
  # "$REPOCONFIG/$DEFAULT_ARCH" "vivaldi"
  # but that does not work when zypper is running.
  if [ -d "/etc/zypp/repos.d" ]; then
cat > "$ZYPPER_REPO_FILE" << REPOCONTENT
[vivaldi]
name=vivaldi
enabled=1
autorefresh=1
baseurl=$REPOCONFIG/$DEFAULT_ARCH
gpgcheck=1
gpgkey=https://repo.vivaldi.com/archive/linux_signing_key.pub
type=rpm-md
keeppackages=0
REPOCONTENT
  fi
}

# Check if the automatic repository configuration is done, so we know when to
# stop trying.
verify_install() {
  # It's probably enough to see that the repo configs have been created. If they
  # aren't configured properly, update_bad_repo should catch that when it's run.
  case $1 in
  "yum")
    [ -f "$YUM_REPO_FILE" ]
    ;;
  "zypp")
    [ -f "$ZYPPER_REPO_FILE" ]
    ;;
  esac
}

# Update the Google repository if it's not set correctly.
update_bad_repo() {
  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  determine_rpm_package_manager

  for PACKAGEMANAGER in ${PACKAGEMANAGERS[*]}
  do
    case $PACKAGEMANAGER in
    "yum")
      update_repo_file "$YUM_REPO_FILE"
      ;;
    "zypp")
      update_repo_file "$ZYPPER_REPO_FILE"
      ;;
    esac
  done
}

update_repo_file() {
  REPO_FILE="$1"

  # Don't do anything if the file isn't there, since that probably means the
  # user disabled it.
  if [ ! -r "$REPO_FILE" ]; then
    return 0
  fi

  # Check if the correct repository configuration is in there.
  REPOMATCH=$(grep "^baseurl=$REPOCONFIG/$DEFAULT_ARCH" "$REPO_FILE" \
    2>/dev/null)
  # If it's there, nothing to do
  if [ "$REPOMATCH" ]; then
    return 0
  fi

  # Check if it's there but disabled by commenting out (as opposed to using the
  # 'enabled' setting).
  MATCH_DISABLED=$(grep "^[[:space:]]*#.*baseurl=$REPOCONFIG/$DEFAULT_ARCH" \
    "$REPO_FILE" 2>/dev/null)
  if [ "$MATCH_DISABLED" ]; then
    # It's OK for it to be disabled, as long as nothing bogus is enabled in its
    # place.
    ACTIVECONFIGS=$(grep "^baseurl=.*" "$REPO_FILE" 2>/dev/null)
    if [ ! "$ACTIVECONFIGS" ]; then
      return 0
    fi
  fi

  # If we get here, the correct repository wasn't found, or something else is
  # active, so fix it. This assumes there is a 'baseurl' setting, but if not,
  # then that's just another way of disabling, so we won't try to add it.
  sed -i -e "s,^baseurl=.*,baseurl=$REPOCONFIG/$DEFAULT_ARCH," "$REPO_FILE"
}

# We only remove the repository configuration during a purge. Since RPM has
# no equivalent to dpkg --purge, the code below is actually never used. We
# keep it only for reference purposes, should we ever need it.
#
#remove_yum() {
#  rm -f "$YUM_REPO_FILE"
#}
#
#remove_zypp() {
#  # Ideally, we would run: zypper removerepo "vivaldi"
#  # but that does not work when zypper is running.
#  rm -f /etc/zypp/repos.d/vivaldi.repo
#}

DEFAULT_ARCH="x86_64"

get_lib_dir() {
  if [ "$DEFAULT_ARCH" = "i386" ] || [ "$DEFAULT_ARCH" = "armhf" ] || \
      [ "$DEFAULT_ARCH" = "mipsel" ]; then
    LIBDIR=lib
  elif [ "$DEFAULT_ARCH" = "x86_64" ] || [ "$DEFAULT_ARCH" = "aarch64" ] || \
        [ "$DEFAULT_ARCH" = "mips64el" ]; then
    LIBDIR=lib64
  else
    echo Unknown CPU Architecture: "$DEFAULT_ARCH"
    exit 1
  fi
}

## MAIN ##
if [ -r "$DEFAULTS_FILE" ]; then
  . "$DEFAULTS_FILE"
fi

remove_old_rpm_key
remove_old_rpm_key2
install_future_rpm_key

if [ "$repo_add_once" = "true" ]; then
  determine_rpm_package_manager

  # Let's run through this for each supported package manager as detected...
  for PACKAGEMANAGER in ${PACKAGEMANAGERS[*]}
  do
    # The initial install happens in the post-install scripts, but there have been
    # reports of configuration problems, so just verify that everything looks
    # good, and if not, try to install again.
    verify_install $PACKAGEMANAGER
    if [ $? -ne 0 ]; then
      install_${PACKAGEMANAGER}
    fi
  done

  if [ $? -eq 0 ]; then
    # Do this for each supported package manager...
    for PACKAGEMANAGER in ${PACKAGEMANAGERS[*]}
    do
      # Before we quit auto-configuration, check that everything looks sane, since
      # part of this happened during package install and we don't have the return
      # value of that process.
      verify_install $PACKAGEMANAGER
      if [ $? -eq 0 ]; then
        sed -i -e 's/[[:space:]]*repo_add_once=.*/repo_add_once="false"/' \
          "$DEFAULTS_FILE"
      fi
    done
  fi
else
  update_bad_repo
fi

or get an up to date /etc/cron/daily/vivaldi script.

There’s a newer version with the correct key:

The problem should go away when you upgrade the package.

1 Like

Thanks again. Did not upgrade the package. Only the /etc/cron.daily/vivaldi from the package. I’m reticent to upgrade web browsers when they’re not broken.

Old web browsers are broken… The security issues keep coming up and if you have a browser that you are not updating then it’s almost certainly exposing you to security issues.

1 Like

That’s what they want you to believe. I run chromium 108 and 109 based browsers on Win 7, that’s Jan 2023, and never had a single problem. Naturally I need to install extensions manually in developer mode. Bonus: those extensions won’t auto-update, neither will the browser. Works perfectly well. They know that. That’s why they pretend they’re broken. They don’t want you to use software they can’t control anymore.

Granted. I accept the risk and I’m doing it knowingly. Never had a single problem in 35 years though. OTOH you expose yourself to backdoors, malware, keyloggers, blocklists by upgrading constantly. Popular software like browsers, vlc are targets for monitoring your activities. Not to mention modern browsers are bloatware.

According to WikiLeaks documents revealed in 2017, the CIA allegedly exploited an older portable version of VLC Media Player as an attack vector to spy on targets. The method involved modifying the software to inject malicious dynamic link libraries (DLLs), enabling data collection while the target used VLC to play videos or music. VideoLAN, the organization behind VLC, acknowledged these revelations and worked on patches to secure the software. This attack targeted specific individuals, not the general public.

According to WikiLeaks’ Vault 7 disclosures, the CIA developed a tool called Archimedes, used to conduct man-in-the-middle (MitM) attacks on web browsers within a local area network (LAN). Archimedes redirected a target’s browser traffic through a CIA-controlled computer before it reached its intended destination, allowing the agency to monitor or manipulate the browsing session while making it appear normal. This tool didn’t involve planting spyware directly in the browser but exploited browser sessions to spy on targets. The documents, published on May 5, 2017, suggest Archimedes could be used to intercept data or deliver malicious payloads, though specific instances of its use weren’t detailed.

In 2025, a critical vulnerability in Google Chrome, identified as CVE-2025-2783, was exploited in a spying campaign called “Operation ForumTroll,” primarily targeting organizations in Russia. This flaw, located in Chrome’s Mojo engine on Windows, allowed hackers to bypass browser protections to monitor victims’ browsing habits and remotely install malware via malicious links sent by email. Google patched this vulnerability in Chrome versions 134.0.6998.177 and .178.

I’m very skeptical regarding software that auto-updates like browsers and browser extensions.
And naturally, I do not use google chrome regularly and whenever I need to, I use the oldest version that work. Currently a version from oct 2023.

Thanks for the warning. I’m sure you’re well intentioned.