I am seeing this on my openSUSE Leap 42.2 installation at home, except rather than "unknown key '<hidden>'", I have "unknown key '1397BC53640DB551'".

@Tom: Do you know why this would be? Have we changed the signing key recently?

+mmoss +thestig
do we need to merge this to m60? https://chromium-review.googlesource.com/c/588049/

Merging that will only affect new installations, correct? Not people who already have chrome installed and are trying to do a 'zypper up'.

By the way, re-importing the signing key (after doing a 'rpm -e') doesn't fix this issue. I don't have a current workaround.

Looks like repomd.xml is signed with our 2016 signing key.

govind@ do you have the powers to update repomd.xml.asc?  I see you updated it last in cl 130552392

Is this caused by use of a subkey for signing? OpenSUSE currently have a zypper bug open for that:
https://bugzilla.opensuse.org/show_bug.cgi?id=1008325

Re #5: https://critique.corp.google.com/#review/130552392 was automatically created cl when we used to do Linux release using release script. 

mmoss@ or dimu@ probably can  here. 

+ manoranjanr@ & bustamante@ M60 Test and Release owners

This problem persists both for 59 stable and - when manually downloaded and installed - 60 stable.

Yes, this is because of the "subkey bug" mentioned in #6. We don't really want to go back to the ancient (weaker) signing key, and this should really be fixed in zypper, since there's no reason not to accept subkeys (as every other package manager seems to support).

Maybe the new activity on the bug will encourage a fix, but even if it does, it will probably take a while to roll out. Unfortunately, it will also take us a while to roll out a new, non-subkey signing key (assuming we even wanted to do that), since it would need to be distributed for a few releases before we could start requiring it.

Any other suggestions?

I have the same problem but I noticed that I'm getting a different "unknown key '6494C6D6997C215E'" than comment #2. Was there a release of Chrome last week which I missed? Or how does that happen?

6494C6D6997C215E is a different issue caused by prematurely trying to dual-sign with a new key (the "2017" key) that isn't widely distributed yet. I'm reverting that change and will try to get the repository updated as soon as I can.

Re: the 6494C6D6997C215E issue, if you don't want to wait for the repository update, you should also be able to fix it by manually installing the latest public key file as described in https://www.google.com/linuxrepositories/, e.g.:

wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

@12

I did (as root):

wget https://dl.google.com/linux/linux_signing_key.pub
rpm --import linux_signing_key.pub
zypper up

and I getting:

File 'repomd.xml' from repository 'google-chrome' is signed with an unknown key '6494C6D6997C215E'. Continue? [yes/no] (no):

#13, that's the subkey problem described above (6494C6D6997C215E and 1397BC53640DB551 are both subkeys). There currently isn't a fix for that.

Thanks for explaining. Ok, I will wait more then.

@mmoss- As per comment #14,Could you please provide us any update on this.

Removing Needs-Bisect label for now, please feel free to add this again if required.

Thanks! 

The subkey bug in zypper (https://bugzilla.opensuse.org/show_bug.cgi?id=1008325) has been fixed upstream and rolled out to supported versions (Leap 42.2 and above).

As such, I'm going to close this as fixed.

If you still see a problem, please comment or open a new bug as necessary.