On Fri, Feb 16, 2024 at 11:12:07AM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Feb 15, 2024 at 06:03:59PM -0800, Kevin Fenzi wrote:
> > That won't do it. We need mock to update its config at exactly the same
> > moment a successful rawhide compose completes and mirrors to whatever
> > mirror you are hitting. ;(
> >
> > We make keys a year ahead now. The f42 key is in fedora-release already.
>
> Oh, I didn't know that. I see that I have
> /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary
> /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-41-primary
> on both my F39 and ~rawhide systems.

Yes. The 42 one should have been added too... not sure why it didn't land. ;(

> This means that both keys are on the system, it's just a matter of
> pointing dnf/other tools at them.

Yes. Looking more, I think we just need mock to list both the current one
and the next one. fedora-repos already does this and I think dnf/dnf5 honor it.

> But let's not talk about mock, let's talk about mkosi.

ok

> In my earlier message I quoted this case:
>
> > [1] From https://github.com/systemd/systemd/actions/runs/7919159325/job/21619276641?pr=31338:
> >
> > Running transaction
> > Importing PGP key 0xA15B79CC:
> > Userid : "Fedora (40) <fedora-40-primary@xxxxxxxxxxxxxxxxx>"
> > Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
> > From : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary
> > The key was successfully imported.
> >
> > Transaction failed: Signature verification failed.
> > PGP check for package "filesystem-3.18-8.fc40.x86_64"
> > (/var/cache/libdnf5/fedora-306b6523e9c8dc02/packages/filesystem-3.18-8.fc40.x86_64.rpm) from
> > repo "fedora" has failed: Import of the key didn't help, wrong key?
>
> /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary
> points to RPM-GPG-KEY-fedora-40-primary.
> So everything should be fine, no?
> filesystem-3.18-8.fc40.x86_64 is clearly an F40
> package, so it should be signed with the RPM-GPG-KEY-fedora-40-primary key.

Not really, no. When we branch, the branched release gets all the packages
already signed by the fedora-40 key. Rawhide is completely re-signed with the
new fedora-41 key. The dist tag of packages has nothing to do with it.

So, day X, rawhide is all signed by the fedora-40 key. Day X+1 we branch and
get a new rawhide compose, and all of rawhide is signed by the fedora-41 key.

> But it has
> "Signature : RSA/SHA256, Fri 09 Feb 2024 01:30:23 PM CET, Key ID d0622462e99d6ad1"
> which is RPM-GPG-KEY-fedora-41-primary.
>
> This actually raises a bunch of questions:
> 1. Why is the .f40 package signed with the F41 key?

Because it's composed in rawhide. That same package composed in branched
composes _is_ signed by the fedora-40 key.

> 2. How does this even work later on? Wouldn't F40 installations refuse
> packages signed with the F41 key?

Refuse where? dnf/dnf5 use the line in fedora-rawhide.repo that lists both keys.

> 3. If F42 key has already been generated, why isn't it distributed in
> distribution-gpg-keys already, to make it well known and make the
> transition easier in the future?

It should have been. I am not sure where the process failed. I did generate
the fedora-42 key.

> and also:
>
> 4. https://fedoraproject.org/fedora.gpg contains keys for F35, F36, F37, F38, F38, F40.
> Why not F41 and F42?

Yes, it should be added.

> For mkosi specifically, I guess I could try to import also the "next" key
> when configuring rawhide installs, but I'd like to first understand why
> the packages are signed with the F41 key.

See above, happy to expand or try better to explain.

kevin
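The rule Kevin describes (a package passes gpgcheck when any key listed under gpgkey= in the repo file matches the key ID in its Signature line) as a small check, added here as an example that is not part of the thread; the key table, the repo fragments and the rawhide-symlink mapping are constructed from the values quoted above, and the F41 key is known only by its long key ID.

```python
import re
# Constructed key table (not a real key store): the F40 fingerprint is the one in
# the quoted dnf log; the F41 key appears in the thread only as a long key ID.
KNOWN_KEYS = {
    "RPM-GPG-KEY-fedora-40-primary": "115DF9AEF857853EE8445D0A0727707EA15B79CC",
    "RPM-GPG-KEY-fedora-41-primary": "D0622462E99D6AD1",
}
# The rawhide key file is a symlink to the current (F40) key, as the thread says.
KEY_ALIASES = {"RPM-GPG-KEY-fedora-rawhide-primary": "RPM-GPG-KEY-fedora-40-primary"}
# Constructed repo fragments: only the rawhide symlink (the failing case), versus
# the current and the next key listed together the way fedora-repos does it.
REPO_RAWHIDE_ONLY = """[fedora-rawhide]
gpgcheck=1
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary
"""
REPO_CURRENT_AND_NEXT = """[fedora-rawhide]
gpgcheck=1
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary
       file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-41-primary
"""
# The Signature line quoted in the thread for filesystem-3.18-8.fc40.x86_64.
SIGNATURE_LINE = "Signature : RSA/SHA256, Fri 09 Feb 2024 01:30:23 PM CET, Key ID d0622462e99d6ad1"

def configured_key_files(repo_text):
    """Key file names listed under gpgkey=, including indented continuation lines."""
    names, collecting = [], False
    for line in repo_text.splitlines():
        if line.startswith("gpgkey="):
            collecting, line = True, line[len("gpgkey="):]
        elif collecting and not line[:1].isspace():
            collecting = False
        if collecting:
            names += [url.rsplit("/", 1)[-1] for url in line.split()]
    return names

def signing_key_id(sig_line):
    """Extract the 16-hex-digit long key ID from an rpm/dnf Signature line, uppercased."""
    match = re.search(r"Key ID ([0-9a-fA-F]{16})", sig_line)
    if not match:
        raise ValueError("no key ID in signature line")
    return match.group(1).upper()

def signing_key_for(sig_line, repo_text):
    """Configured key whose fingerprint ends in the package's key ID, or None."""
    key_id = signing_key_id(sig_line)
    for name in configured_key_files(repo_text):
        real_name = KEY_ALIASES.get(name, name)  # follow the rawhide symlink
        if KNOWN_KEYS.get(real_name, "").endswith(key_id):
            return real_name
    return None
```

With only the rawhide symlink configured the F41-signed package has no matching key, which is the "wrong key?" failure in the quoted log; listing the current and next keys together resolves it.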