It's this time of the year again:

Running transaction
Importing PGP key 0xA15B79CC:
 Userid : "Fedora (40) <fedora-40-primary@xxxxxxxxxxxxxxxxx>"
 Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
 From : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary
The key was successfully imported.
Importing PGP key 0xA15B79CC:
 Userid : "Fedora (40) <fedora-40-primary@xxxxxxxxxxxxxxxxx>"
 Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
 From : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary
The key was successfully imported.
Importing PGP key 0x18B8E74C:
 Userid : "Fedora (39) <fedora-39-primary@xxxxxxxxxxxxxxxxx>"
 Fingerprint: E8F23996F23218640CB44CBE75CF5AC418B8E74C
 From : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-39-primary
The key was successfully imported.
Transaction failed: Signature verification failed.
PGP check for package "curl-8.6.0-6.fc40.x86_64" (/var/lib/mock/fedora-rawhide-x86_64/root/var/cache/dnf/fedora-2d95c80a1fa0a67d/packages/curl-8.6.0-6.fc40.x86_64.rpm) from repo "fedora" has failed: Import of the key didn't help, wrong key?

This message is from mock. It's one issue if mock fails when you call it from the command line, but this failure also causes CI fails. And as everybody knows, flaky CI gets ignored.

I very much want people to use Fedora for their CI, and in particular rawhide, because it's great for testing with upstream software. But it looks silly if we get such a major "security failure" twice a year [1].

Could we please do something so that this doesn't happen? Dunno, generate and distribute the keys earlier so that mock and https://fedoraproject.org/fedora.gpg get updated _before_ we need it?

I know this subject comes up approx. twice a year (or once for F21 ;) ), e.g. [2]. I know this can be "fixed" with some manual steps, but I posit that this should never occur in the first place.

Zbyszek

[1] From https://github.com/systemd/systemd/actions/runs/7919159325/job/21619276641?pr=31338:

Running transaction
Importing PGP key 0xA15B79CC:
 Userid : "Fedora (40) <fedora-40-primary@xxxxxxxxxxxxxxxxx>"
 Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
 From : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary
The key was successfully imported.
Transaction failed: Signature verification failed.
PGP check for package "filesystem-3.18-8.fc40.x86_64" (/var/cache/libdnf5/fedora-306b6523e9c8dc02/packages/filesystem-3.18-8.fc40.x86_64.rpm) from repo "fedora" has failed: Import of the key didn't help, wrong key?

Note that this is a test VM that was created specifically for this test run, so there's no question of stale data or anything like that.

[2] https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/MFX2JDVANNEW7LWWIBBLYCN6DEPWHSXF/.