-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refresh PGP keys, e.g. when prolonging an expiration time #1192
Comments
Note that we will have more and more repositories in Copr that will be hitting this issue, so the priority of this issue will be raised in time. |
A related issue, and related comment: rpm-software-management/rpm-sequoia#50 (comment) (it did not ring RPM bells those days). |
I guess the problem is that DNF does not periodically redownload a key to refresh it. AFAIK watching expiration time is not enough because there can be different reasons for republish a key. E.g. changing a self-signature hash algorithm. |
Yes, but not just this... even if you re-download the updated key, it has the same key-ID. So if |
Copr users recently started to report this issue more frequently. This problem will become more frequent as Copr repositories reach the default expiration time. According to Copr developers resigning RPM packages with a completely new key is not feasible due the volume of the data. That means DNF needs to come with a mechanism for refreshing the keys. Therefore I'm rising a priority of this issue. |
Thank you for raising the priority @ppisar. Has there been any progress on this? I've seen multiple reports recently, not only in regard to Copr but for other repositories as well (e.g. OpenRazer). ReproducerI wanted to provide a step-by-step, copy-paste reproducer to make your life easier. Optionally, run a container to not mess up your workstation:
Install dependencies
Import an expired key
Enable a repository that uses a prolonged version of this key
Try to install a new package from the repository using DNF5
This will result in a failure:
This issue wasn't introduced by DNF5, the DNF4 fails as well
Error for comparison:
Expected behavior
I was thinking about a different solution. When DNF is installing a package from a completely new repository, it asks if I trust its key. Personally, I would expect to get the same dialog when installing a package that was signed by a prolonged known key, e.g.
|
One thing worth mentioning - this is an uncharted territory, even RPM doesn't behave properly. rpm-software-management/rpm#2577 I am not sure whether DNF implementation is blocked by this bug, or if DNF has its own logic for this. |
Thank you very much for the reproducer. It looks like that the problem is already in RPM (problem is reproducible also with DNF4). I had imported keys |
Yes, rpm --import has no concept of refreshing existing keys, never had. The only way to refresh keys is to erase the old one first. See rpm-software-management/rpm#2577 |
@pmatilai Thank you for the link |
Even when RPM will somehow manage to import renewed key we need to modify DNF4 because when a key is already in RPMDB we do not try to import it. base.py:
|
We just received a surprise development on this on the rpm side: rpm-software-management/rpm#3083 So you might want to hold off dnf5 work on this until that lands. |
After discussing with the RPM team the future of the above mentioned RPM PR, we concluded that it is not sufficient to solve the issue, as follow-up work in rpm-sequoia is still needed, with an unknown timeline for landing such a patch in Fedora releases. Therefore, for now, we plan to continue with the workaround approach based on this existing PR for both dnf4 and dnf5. |
Just FYI, the relevant work has now landed in rpm-sequoia (and rpm): But, that still only works in rpm git master and I don't know if it'll be backported because the upstream implementation relies on C++ stuff already... |
With all the building blocks already merged in |
I ran into this problem with the Kubernetes RPM repo recently. I know this isn't a support thread, but for anyone else waywardly searching, you can manually work around this for repos that have
This was a little insidious to debug due to a combination of (1) the error message from |
When the package is signed by the GPG key, and the key is prolonged, then GPG does not recognize that the content of the GPG key was changed and refuses to update the package.
This is affecting Copr users and originally reported as fedora-copr/copr#2894
Steps to reproduce:
You will get:
The workaround is to:
This might be rpm issue. But because DNF has its own db of GPG keys and because this happen primary with DNF I am reporting it here.
The text was updated successfully, but these errors were encountered: