Re: Dogtag-pki is not installable on F38/Rawhide because it fails the GPG check even if you attempt to skip the check

Hi,

Chris Kelley wrote:
> TL;DR dogtag-pki is not installable on F38/Rawhide because
> it fails the GPG check (F37 and prior are fine), even if
> --nogpgcheck is specified, and I don't understand why.
>
> 1) Why does the key not work?
> 2) Why does --nogpgcheck not work?

It seems like it must be related to the issues reported
recently with respect to changes in the rpm signature
backend & stricter crypto-policies, but I don't see _why_
they are failing.  They don't appear to be using SHA1 or DSA
algorithms. :/

I think it is suspicious that the three packages which fail
to verify are the three which have not been built within the
past week or so.  Attempting an install in a rawhide
container from today, then checking the package cache after
it fails simply reports the rpm signature as BAD.

[root@8f5fc423842b /]# rpm -Kvv dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64.rpm 
D: loading keyring from rpmdb
D: PRAGMA secure_delete = OFF: 0
D: PRAGMA case_sensitive_like = ON: 0
D:  read h#     150 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-18b8e74c-62f2920f to keyring
D:  read h#     160 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-20de059c-5c7ffdbe to keyring
/var/cache/dnf/copr:copr.fedorainfracloud.org:group_pki:master-7092f479845efeda/packages/dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 20de059c: BAD
    MD5 digest: OK

Maybe there was some issue in COPR and/or rawhide at the
time those packages were signed which caused them to fail
verification now?  It may be worth trying to rebuild them to
see if they can be properly signed?

-- 
Todd
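
Added example (not part of the message above, and not code from rpm or COPR): a small parser for `rpm -Kv` / `rpm -Kvv` output that separates digest results from signature results, so a report like the one quoted can be triaged as "digests match, signature fails" rather than as a corrupted download. The function names and the shortened package path are assumptions made for the example; the result lines are taken from the output quoted above.

```python
import re

# Indented result lines from `rpm -Kv`, e.g.
#   "    Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD"
RESULT = re.compile(
    r"^\s+(?P<what>.+?(?P<kind>Signature|digest))"
    r"(?:, key ID (?P<keyid>[0-9a-fA-F]+))?: (?P<status>[A-Z]+)\s*$"
)

def parse_rpm_k(text):
    """Return {package_path: [(kind, description, keyid, status), ...]}."""
    results, package = {}, None
    for line in text.splitlines():
        m = RESULT.match(line)
        if m and package is not None:
            results[package].append(
                (m["kind"].lower(), m["what"], m["keyid"], m["status"]))
        elif line and not line[0].isspace() and line.rstrip().endswith(".rpm:"):
            package = line.rstrip()[:-1]      # "<path>.rpm:" starts a report
            results[package] = []
    return results

def triage(checks):
    """Summarise one package: are digests fine, and which keys failed how?"""
    digests_ok = all(s == "OK" for k, _, _, s in checks if k == "digest")
    failed = {kid or "unknown": s
              for k, _, kid, s in checks if k == "signature" and s != "OK"}
    if not digests_ok:
        return "digest mismatch", failed
    return ("digests OK, signature not verified" if failed else "ok"), failed

# Constructed sample: lines from the output quoted above, path shortened.
SAMPLE = """\
D: loading keyring from rpmdb
Header SHA256 digest: OK
D: added key gpg-pubkey-20de059c-5c7ffdbe to keyring
/var/cache/dnf/example/dogtag-jss.rpm:
    Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 20de059c: BAD
    MD5 digest: OK
"""

if __name__ == "__main__":
    for pkg, checks in parse_rpm_k(SAMPLE).items():
        print(pkg, *triage(checks))
```

The un-indented "Header SHA256 digest: OK" lines that `-vv` prints while loading keys from the rpmdb are skipped on purpose, since they describe the key packages and not the package being checked.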


_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx