On Fri, Feb 16, 2024 at 11:12:07AM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Feb 15, 2024 at 06:03:59PM -0800, Kevin Fenzi wrote:
> > That won't do it. We need mock to update its config at exactly the same
> > moment a successful rawhide compose completes and mirrors to whatever
> > mirror you are hitting. ;(
> >
> > We make keys a year ahead now. The f42 key is in fedora-release already.
>
> Oh, I didn't know that. I see that I have
> /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary
> /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-41-primary
> on both my F39 and ~rawhide systems.
>
> This means that both keys are on the system, it's just a matter of
> pointing dnf/other tools at them.
>
> But let's not talk about mock, let's talk about mkosi.
>
> In my earlier message I quoted this case:
>
> > [1] From https://github.com/systemd/systemd/actions/runs/7919159325/job/21619276641?pr=31338:
> >
> > Running transaction
> > Importing PGP key 0xA15B79CC:
> >  Userid : "Fedora (40) <fedora-40-primary@xxxxxxxxxxxxxxxxx>"
> >  Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
> >  From : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary
> > The key was successfully imported.
> >
> > Transaction failed: Signature verification failed.
> > PGP check for package "filesystem-3.18-8.fc40.x86_64"
> > (/var/cache/libdnf5/fedora-306b6523e9c8dc02/packages/filesystem-3.18-8.fc40.x86_64.rpm) from
> > repo "fedora" has failed: Import of the key didn't help, wrong key?
>
> /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary
> points to RPM-GPG-KEY-fedora-40-primary.
> So everything should be fine, no? filesystem-3.18-8.fc40.x86_64 is clearly an F40
> package, so it should be signed with the RPM-GPG-KEY-fedora-40-primary key.
>
> But it has
> "Signature : RSA/SHA256, Fri 09 Feb 2024 01:30:23 PM CET, Key ID d0622462e99d6ad1"
> which is RPM-GPG-KEY-fedora-41-primary.
>
> This actually raises a bunch of questions:
> 1. Why is the .f40 package signed with the F41 key?
> 2. How does this even work later on? Wouldn't F40 installations refuse
>    packages signed with the F41 key?
> 3. If F42 key has already been generated, why isn't it distributed in
>    distribution-gpg-keys already, to make it well known and make the
>    transition easier in the future?
>
> and also:
>
> 4. https://fedoraproject.org/fedora.gpg contains keys for F35, F36, F37, F38, F38, F40.
>    Why not F41 and F42?
>
> For mkosi specifically, I guess I could try to import also the "next" key
> when configuring rawhide installs, but I'd like to first understand why
> the packages are signed with the F41 key.

For now, I prepared the following PR: https://github.com/systemd/mkosi/pull/2398.
It makes the build work by importing both RPM-GPG-KEY-fedora-40-primary and
RPM-GPG-KEY-fedora-41-primary when the version string is "rawhide".

As I wrote above, I don't understand some things here, so comments are
very much welcome.

Zbyszek
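
The mismatch described in the message above can be reproduced from the two quoted outputs alone. The following is an added example, not code from the original message, mkosi or dnf; the function names are hypothetical. It is a diagnostic aid only, since rpm performs the actual cryptographic verification.

```python
import re

# Quoted from the message above: dnf5's key import and the package's signature line.
DNF_IMPORT_LOG = """\
Importing PGP key 0xA15B79CC:
 Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
 From : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary
"""
RPM_SIGNATURE = ("Signature : RSA/SHA256, Fri 09 Feb 2024 01:30:23 PM CET, "
                 "Key ID d0622462e99d6ad1")
# The message gives only the long key ID of the F41 key, not its fingerprint.
F41_KEY_ID = "d0622462e99d6ad1"


def long_key_id(fpr_or_id):
    """Reduce a v4 fingerprint (40 hex) or long key ID (16 hex) to the long key ID."""
    h = re.sub(r"^0x|\s", "", fpr_or_id.lower())
    if not re.fullmatch(r"[0-9a-f]{16}|[0-9a-f]{40}", h):
        # 32-bit short IDs such as 0xA15B79CC are too easy to collide; refuse them.
        raise ValueError(f"need a long key ID or v4 fingerprint, got {fpr_or_id!r}")
    return h[-16:]  # v4 keys: key ID = low 64 bits of the fingerprint


def imported_key_ids(dnf_log):
    """Long key IDs of every key the dnf log reports importing."""
    return {long_key_id(f) for f in re.findall(r"Fingerprint:\s*([0-9A-Fa-f ]+)", dnf_log)}


def signing_key_id(signature_line):
    """Long key ID from an rpm 'Signature :' line."""
    m = re.search(r"Key ID\s+([0-9A-Fa-f]{16})\b", signature_line)
    if not m:
        raise ValueError("no long key ID in signature line")
    return m.group(1).lower()


def diagnose(signature_line, trusted):
    """Return (ok, message): is the package's signer among the trusted keys?"""
    signer = signing_key_id(signature_line)
    trusted_ids = {long_key_id(k) for k in trusted}
    if signer in trusted_ids:
        return True, f"signer {signer} is in the imported key set"
    return False, f"signer {signer} not among imported keys {sorted(trusted_ids)}"


if __name__ == "__main__":
    only_f40 = imported_key_ids(DNF_IMPORT_LOG)
    print(diagnose(RPM_SIGNATURE, only_f40))                 # the failing CI run
    print(diagnose(RPM_SIGNATURE, only_f40 | {F41_KEY_ID}))  # both keys imported
```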