Re: The semiannual "Transaction failed: Signature verification failed." exercise

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Feb 15, 2024 at 06:03:59PM -0800, Kevin Fenzi wrote:
> That won't do it. We need mock to update it's config at exactly the same
> moment a successfull rawhide compose completes and mirrors to whatever
> mirror you are hitting. ;( 
> 
> We make keys a year ahead now. The f42 key is in fedora-release already.

Oh, I didn't know that. I see that I have
/usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary
/usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-41-primary
on both my F39 and ~rawhide systems.

This means that both keys are on the system, it's just a matter of
pointing dnf/other tools at them.

But let's not talk about mock, let's talk about mkosi.

In my earlier message I quoted this case:

> [1] From https://github.com/systemd/systemd/actions/runs/7919159325/job/21619276641?pr=31338:
>
> Running transaction
> Importing PGP key 0xA15B79CC:
>  Userid     : "Fedora (40) <fedora-40-primary@xxxxxxxxxxxxxxxxx>"
>  Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
>  From       : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary
> The key was successfully imported.
>
> Transaction failed: Signature verification failed.
> PGP check for package "filesystem-3.18-8.fc40.x86_64"
> (/var/cache/libdnf5/fedora-306b6523e9c8dc02/packages/filesystem-3.18-8.fc40.x86_64.rpm) from
> repo "fedora" has failed: Import of the key didn't help, wrong key?

/usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary
points to RPM-GPG-KEY-fedora-40-primary.
So everythould be fine, no? filesystem-3.18-8.fc40.x86_64 is clearly an F40
package, so it should be signed with the RPM-GPG-KEY-fedora-40-primary key.

But it has
"Signature   : RSA/SHA256, Fri 09 Feb 2024 01:30:23 PM CET, Key ID d0622462e99d6ad1"
which is RPM-GPG-KEY-fedora-41-primary.

This actually raises a bunch of questions:
1. Why is the .f40 package signed with the F41 key?
2. How does this even work later on? Wouldn't F40 installations refuse
   packages signed with the F41 key?
3. If F42 key has already been generated, why isn't it distributed in
   distribution-gpg-keys already, to make it well known and make the
   transition easier in the future?

and also:

4. https://fedoraproject.org/fedora.gpg contains keys for F35, F36, F37, F38, F38, F40.
   Why not F41 and F42?

For mkosi specifically, I guess could try to import also the "next" key
when configuring rawhide installs, but I'd like to first understand why
the packages are signed with the F41 key.

Zbyszek
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux