On Thu, 9 Mar 2023 at 05:15, Chris Kelley <ckelley@xxxxxxxxxx> wrote:
Hi all!
TL;DR dogtag-pki is not installable on F38/Rawhide because it fails the GPG check (F37 and prior are fine), even if --nogpgcheck is specified, and I don't understand why.
1) Why does the key not work?
2) Why does --nogpgcheck not work?
This repo is probably using DSA and/or SHA1 in its keys. The rpm in Fedora 38 and beyond uses the central policies for encryption while previous versions did not. Currently the system policy does not allow SHA1, DSA and other keys which were allowed previously; it only allows SHA2 and stronger encryption algorithms.
The keys need to be regenerated in COPR I believe to fix this.
The error I get is:
----
[root@fedora ~]# dnf copr enable @pki/master; dnf install dogtag-pki
<dnf downloads packages>
Importing GPG key 0x20DE059C:
Userid : "@pki_master (None) <@pki#master@xxxxxxxxxxxxxxxxxxxxx>"
Fingerprint: B023 2014 243E 33DA CFBA 5269 94CF 0B2D 20DE 059C
From : https://download.copr.fedorainfracloud.org/results/@pki/master/pubkey.gpg
Is this ok [y/N]: y
Key imported successfully
Import of key(s) didn't help, wrong key(s)?
Problem opening package dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64.rpm. Failing package is: dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64
GPG Keys are configured as: https://download.copr.fedorainfracloud.org/results/@pki/master/pubkey.gpg
Problem opening package dogtag-ldapjdk-5.4.0-0.1.alpha1.20230127155101UTC.ea85ad3a.fc38.noarch.rpm
Problem opening package dogtag-tomcatjss-8.4.0-0.1.alpha1.20230120164140UTC.a5ca31ab.fc38.noarch.rpm
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
----
I see that the key is new, generated yesterday: https://download.copr.fedorainfracloud.org/results/%40pki/master/
What causes this key to be (re)generated? I looked for docs around this but couldn't find anything to help me.
To move things along, I tried to work around this with --nogpgcheck, which led to a different error:
----
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
package dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
package dogtag-ldapjdk-5.4.0-0.1.alpha1.20230127155101UTC.ea85ad3a.fc38.noarch does not verify: Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
package dogtag-tomcatjss-8.4.0-0.1.alpha1.20230120164140UTC.a5ca31ab.fc38.noarch does not verify: Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
----
...which looks like it is still attempting to do some kind of verification of the key.
I have tried setting both gpgcheck=0 and repo_gpgcheck=0 in the repo file, but this does not change the result. Am I misunderstanding the purpose/scope of this option?
Does anyone have any idea why this key does not work, or have some doc I can look at to try figure it out myself?
Likewise for the workaround, anyone have any insight there?
Thanks for your patient reading if you got this far :-) I'm hoping this is a lack of familiarity on my part with GPG.
Cheers,
Chris
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
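An added check, not part of the thread, that parses `rpm -Kv` output in the line format quoted above and separates the two failure modes discussed: a signature rpm itself reports as BAD (which `--nogpgcheck` cannot skip, since rpm verifies during the transaction test) versus a signature whose algorithms the reply says the F38 policy rejects. The sample output, the `legacy-tool` package and its key ID are constructed, and the disallowed set is assumed from the reply rather than read from the host's crypto-policies.

```python
import re
from dataclasses import dataclass

# Constructed "rpm -Kv" output: the first block mirrors the signature line quoted
# in the thread; the second is a hypothetical package signed with a DSA/SHA1 key.
SAMPLE_RPM_KV = """\
dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
    Header SHA256 digest: OK
legacy-tool-1.0-1.fc37.noarch.rpm:
    Header V4 DSA/SHA1 Signature, key ID 0123abcd: OK
"""
# Algorithms the reply says the F38 system policy no longer accepts (assumed
# from the reply, not read from the host's crypto-policies configuration).
POLICY_DISALLOWED = {"DSA", "SHA1"}
PKG_RE = re.compile(r"^(?P<pkg>\S+\.rpm):$")
SIG_RE = re.compile(r"^\s*Header V\d (?P<pubkey>[A-Z]+)/(?P<digest>[A-Z0-9]+) "
                    r"Signature, key ID (?P<keyid>[0-9a-f]+): (?P<status>\w+)$")

@dataclass
class SigResult:
    package: str
    pubkey: str
    digest: str
    keyid: str
    rpm_status: str          # what rpm reported: OK, BAD, NOKEY, ...
    algorithm_allowed: bool  # does the pubkey/digest pair pass the policy?

    @property
    def accepted(self) -> bool:
        # rpm runs this check inside the transaction test, so dnf's
        # --nogpgcheck does not skip it (which is what the thread observed).
        return self.rpm_status == "OK" and self.algorithm_allowed

def check_signatures(rpm_kv_output: str, disallowed=POLICY_DISALLOWED) -> list:
    results, pkg = [], None
    for line in rpm_kv_output.splitlines():
        if m := PKG_RE.match(line):
            pkg = m.group("pkg")
        elif pkg and (m := SIG_RE.match(line)):
            g = m.groupdict()
            allowed = g["pubkey"] not in disallowed and g["digest"] not in disallowed
            results.append(SigResult(pkg, g["pubkey"], g["digest"], g["keyid"], g["status"], allowed))
    return results

def explain(r: SigResult) -> str:
    if r.accepted:
        return f"{r.package}: signature OK ({r.pubkey}/{r.digest}, key {r.keyid})"
    if not r.algorithm_allowed:
        return f"{r.package}: {r.pubkey}/{r.digest} is policy-disallowed; key {r.keyid} must be regenerated"
    return f"{r.package}: rpm reported {r.rpm_status} for key {r.keyid}; signature does not verify"
```

Running `explain` over `check_signatures(SAMPLE_RPM_KV)` reports the dogtag-jss package as a non-verifying signature and the constructed DSA/SHA1 package as a policy rejection.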