On Tue, 28 Feb 2023 at 07:18, Ralf Corsépius <rc040203@xxxxxxxxxx> wrote:
Am 28.02.23 um 10:34 schrieb Kamil Paral:
> That's most certainly this problem:
> https://ask.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/31594 <https://ask.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/31594>
>
Yes, it certainly is this problem.
AFAICT, the cause seems to be my old gpg-signing key (created 2013) is
using "digest algo 2" signature digests (whatever this means).
I think that means the key is using SHA-1 keys (going from https://bfh.science/OLD/software/gnupg/best-practice.html) It looks like you can update a GPG key to the newer hash with something like https://wiki.ubuntu.com/SecurityTeam/GPGMigration (or https://old.nixaid.com/gpg-migration-sha1-to-sha2/ though lots of ads )
> I don't understand these security measures much, but creating a new key
> using modern tools should be sufficient to resolve this.
Which tools whould you suggest? So far, for me, all such attempts, using
seahorse on fc37 failed.
Though the newly created key seems to comply to the new rules, now gpg
-sign and rpm --resign fail:
# rpm --resign libmail-2.3.5-1.fc38.x86_64.rpm
libmail-2.3.5-1.fc38.x86_64.rpm:
gpg: signing failed: Permission denied
gpg: signing failed: Permission denied
error: gpg exec failed (2)
No idea, about what's going on.
> See the article
> to learn how to detect and uninstall already affected packages present
> on your system first.
Well, ...
IMHO, this stuff + FC38's rpm and dnf are not in a release-ready shape.
Too many cryptic and non-understandable/non-readable error messages, far
too radical changes, far too little backward compatibility and far too
little help.
Ralf
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
