Thanks all for the input.
> Maybe there was some issue in COPR and/or rawhide at the
> time those packages were signed which caused them to fail
> verification now? It may be worth trying to rebuild them to
> see if they can be properly signed?
I resubmitted the affected packages and now everything works - thanks for the suggestion!
On Thu, 9 Mar 2023 at 20:42, Todd Zullinger <tmz@xxxxxxxxx> wrote:
Hi,
Chris Kelley wrote:
> TL;DR dogtag-pki is not installable on F38/Rawhide because
> it fails the GPG check (F37 and prior are fine), even if
> --nogpgcheck is specified, and I don't understand why.
>
> 1) Why does the key not work?
> 2) Why does --nogpgcheck not work?
It seems like it must be related to the issues reported
recently with respect to changes in the rpm signature
backend & stricter crypto-policies, but I don't see _why_
they are failing. They don't appear to be using SHA1 or DSA
algorithms. :/
I think it is suspicious that the three packages which fail
to verify are the three which have not been built within the
past week or so. Attempting an install in a rawhide
container from today, then checking the package cache after
it fails simply reports the rpm signature as BAD.
[root@8f5fc423842b /]# rpm -Kvv dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64.rpm
D: loading keyring from rpmdb
D: PRAGMA secure_delete = OFF: 0
D: PRAGMA case_sensitive_like = ON: 0
D: read h# 150
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-18b8e74c-62f2920f to keyring
D: read h# 160
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-20de059c-5c7ffdbe to keyring
/var/cache/dnf/copr:copr.fedorainfracloud.org:group_pki:master-7092f479845efeda/packages/dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64.rpm:
Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA256 Signature, key ID 20de059c: BAD
MD5 digest: OK
Maybe there was some issue in COPR and/or rawhide at the
time those packages were signed which caused them to fail
verification now? It may be worth trying to rebuild them to
see if they can be properly signed?
--
Todd
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
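
The pattern in the `rpm -Kvv` output quoted in this thread (every digest OK, both signature checks BAD) can be picked out automatically. The following is an added example, not part of the original messages: a small Python parser for `rpm -Kv` style output that separates damaged content from signature trouble. The verdict names and the `/tmp/example` directory are assumptions made for illustration; the sample lines are trimmed from the output above.

```python
import re

# Trimmed from the rpm -Kvv output quoted in the thread; the directory is a
# constructed placeholder, the file name and key IDs are the ones shown there.
SAMPLE = """\
D: loading keyring from rpmdb
Header SHA256 digest: OK
D: added key gpg-pubkey-20de059c-5c7ffdbe to keyring
/tmp/example/dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 20de059c: BAD
    MD5 digest: OK
"""
KEY_ID = re.compile(r"key ID ([0-9a-fA-F]+)")

def parse_rpm_k(text):
    """Return {package_path: [(item, status), ...]} from `rpm -Kv` output."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("D: "):
            continue                       # debug chatter added by -vv
        if line.endswith(":"):             # "path/to/pkg.rpm:" opens a package
            current = results.setdefault(line[:-1], [])
        elif current is not None and ": " in line:
            # result lines seen before any package path come from loading
            # the keyring out of the rpmdb and are skipped
            current.append(tuple(line.rsplit(": ", 1)))
    return results

def triage(checks):
    """Hypothetical verdicts: (verdict, key IDs whose signature did not verify)."""
    digests = [s for i, s in checks if "digest" in i]
    sigs = [(i, s) for i, s in checks if "Signature" in i]
    keys = sorted({m.group(1) for i, s in sigs if s != "OK"
                   for m in [KEY_ID.search(i)] if m})
    if any(s != "OK" for s in digests):
        return "corrupt", keys             # content does not match its hashes
    if not sigs:
        return "unsigned", keys
    if any(s == "BAD" for _, s in sigs):
        return "bad-signature", keys       # the case in this thread
    if any(s != "OK" for _, s in sigs):
        return "key-problem", keys         # e.g. NOKEY
    return "ok", keys

if __name__ == "__main__":
    print({p: triage(c) for p, c in parse_rpm_k(SAMPLE).items()})
```

A `bad-signature` verdict with intact digests points at the signature or its verification rather than at a damaged download, which is consistent with the rebuild suggested above resolving the problem.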