
Prolonged GPG keys are not updated on the system #2894

Open
praiskup opened this issue Aug 31, 2023 · 15 comments

Comments

@praiskup
Member

[root@pc-loznice yum.repos.d]# LANG=en_US.utf8 dnf update myvpn
Repository copr:copr.fedorainfracloud.org:praiskup:myvpn is listed more than once in the configuration
Last metadata expiration check: 2:15:50 ago on Thu 31 Aug 2023 08:22:03 PM CEST.
Dependencies resolved.
========================================================================================================================
 Package         Architecture     Version                 Repository                                               Size
========================================================================================================================
Upgrading:
 myvpn           x86_64           1.3-6.fc38              copr:copr.fedorainfracloud.org:praiskup:myvpn            36 k

Transaction Summary
========================================================================================================================
Upgrade  1 Package

Total size: 36 k
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] myvpn-1.3-6.fc38.x86_64.rpm: Already downloaded                                                              
error: Verifying a signature using certificate 519B71E71D5251A03A517DF8454724A7D1C452B2 (praiskup_myvpn (None) <praiskup#[email protected]>):
  1. Certificiate 454724A7D1C452B2 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-09-02T17:42:01Z
  2. Key 454724A7D1C452B2 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-09-02T17:42:01Z
error: Verifying a signature using certificate 519B71E71D5251A03A517DF8454724A7D1C452B2 (praiskup_myvpn (None) <praiskup#[email protected]>):
  1. Certificiate 454724A7D1C452B2 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-09-02T17:42:01Z
  2. Key 454724A7D1C452B2 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-09-02T17:42:01Z
Copr repo for myvpn owned by praiskup                                                   194  B/s | 998  B     00:05    
GPG key at https://download.copr.fedorainfracloud.org/results/praiskup/myvpn/pubkey.gpg (0xD1C452B2) is already installed
The GPG keys listed for the "Copr repo for myvpn owned by praiskup" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: myvpn-1.3-6.fc38.x86_64
 GPG Keys are configured as: https://download.copr.fedorainfracloud.org/results/praiskup/myvpn/pubkey.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
@praiskup
Member Author

[root@pc-loznice yum.repos.d]# rpm -qi gpg-pubkey-d1c452b2-59ac3ee9
Name        : gpg-pubkey
Version     : d1c452b2
Release     : 59ac3ee9
Architecture: (none)
Install Date: Pá 14. prosince 2018, 15:18:58
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Ne 3. září 2017, 19:42:01
Build Host  : localhost
Packager    : praiskup_myvpn (None) <praiskup#[email protected]>
Summary     : gpg(praiskup_myvpn (None) <praiskup#[email protected]>)
Description :

@praiskup
Member Author

Way around:

$ # drop the old key
$ rpm -e gpg-pubkey-d1c452b2-59ac3ee9
$ # install the prolonged one
$ rpm --import https://download.copr.fedorainfracloud.org/results/praiskup/myvpn/pubkey.gpg

Is there a way to automatize this?

@praiskup
Member Author

praiskup commented Sep 4, 2023

Mirek claims that DNF and RPM have a separate gpg key database

@praiskup praiskup moved this from Needs triage to In 3 months in CPT Kanban Sep 4, 2023
@praiskup
Member Author

praiskup commented Sep 4, 2023

From Mirek, see also: https://bugzilla.redhat.com/show_bug.cgi?id=1768206

@praiskup
Member Author

praiskup commented Oct 2, 2023

See also discussion in #2935 -> that might open a door for very fast RPM re-signing.

@FrostyX
Member

FrostyX commented Dec 20, 2023

Triage: We probably need to solve this in the DNF Copr plugin

@praiskup
Member Author

Related RPM discussion: rpm-software-management/rpm-sequoia#50 (comment)

@praiskup
Member Author

praiskup commented Feb 7, 2024

Triage time:

  • could we have a systemd timer for checking updated keys?
  • could we have a dnf post-transaction plugin? (but this would be too verbose and visible, slowing things down)
  • could we dnf copr enable (re-enable) and do some magic in the background?
  • could we have dnf copr refresh-keys?

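An added example (not Copr, DNF or RPM code) of the check a `refresh-keys` step or the manual workaround above would perform: parse `gpg --with-colons` records for the key already in the RPM database and for the key the repo currently serves, derive the rpm `gpg-pubkey-*` package name, and emit the drop/re-import commands only when the very same key (same fingerprint) was prolonged. The two key records are constructed from the values quoted in this issue; the prolonged expiry date is invented.

```python
"""Detect a prolonged repo signing key and emit the rpm commands that replace
the stale copy in the RPM key database. Added example, not Copr/DNF/RPM code.
Input is the colon format of `gpg --show-keys --with-colons <keyfile>`, run on
the installed gpg-pubkey's export and on the repo's current pubkey.gpg."""

# Constructed from the key quoted in the issue (expired 2022-09-02T17:42:01Z).
INSTALLED_KEY = """pub:e:4096:1:454724A7D1C452B2:1504460521:1662140521::-:::scESC::::::23::0:
fpr:::::::::519B71E71D5251A03A517DF8454724A7D1C452B2:
"""
# Same key, constructed with an (invented) expiry five years further out.
PROLONGED_KEY = """pub:-:4096:1:454724A7D1C452B2:1504460521:1819820521::-:::scESC::::::23::0:
fpr:::::::::519B71E71D5251A03A517DF8454724A7D1C452B2:
"""

def parse_pub(colons: str) -> dict:
    """Fingerprint, key id, creation and expiry (epoch seconds) of the primary key."""
    key = {}
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub" and "keyid" not in key:
            key["keyid"] = f[4]
            key["created"] = int(f[5])
            key["expires"] = int(f[6]) if f[6] else None  # empty field: never expires
        elif f[0] == "fpr" and "keyid" in key and "fpr" not in key:
            key["fpr"] = f[9]
    return key

def rpm_pubkey_name(key: dict) -> str:
    """rpm names imported keys gpg-pubkey-<low 32 bits of key id>-<creation time, hex>."""
    return "gpg-pubkey-%s-%08x" % (key["keyid"][-8:].lower(), key["created"])

def refresh_action(installed: dict, fetched: dict) -> str:
    """'reimport' = same key, later expiry; 'rotated' = different key (verify by hand)."""
    if installed["fpr"] != fetched["fpr"]:
        return "rotated"
    if installed["expires"] is None:
        return "none"  # the installed copy never expires, nothing to refresh
    if fetched["expires"] is None or fetched["expires"] > installed["expires"]:
        return "reimport"
    return "none"

def refresh_commands(installed: dict, fetched: dict, url: str) -> list:
    """The manual workaround from the issue, as commands, only when a reimport is due."""
    if refresh_action(installed, fetched) != "reimport":
        return []
    return ["rpm -e %s" % rpm_pubkey_name(installed), "rpm --import %s" % url]
```

Feeding it the real export (`rpm -qi --qf '%{description}' gpg-pubkey-d1c452b2-59ac3ee9` piped through gpg) and the downloaded pubkey.gpg reproduces the two commands from the workaround above; a differing fingerprint is deliberately not acted on, because a silently accepted key rotation is exactly what a signature check exists to prevent.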
@FrostyX
Member

FrostyX commented Mar 6, 2024

For the record, this happened to me with korkeala/clojure, we also got Matrix report about agriffis/neovim-nightly and Reddit post here https://www.reddit.com/r/Fedora/comments/181omz0/how_to_fix_expired_gpg_keys_on_old_copr_repos/

@praiskup praiskup moved this from In 3 months to In Progress in CPT Kanban Mar 18, 2024
@praiskup
Member Author

praiskup commented Apr 8, 2024

New ticket against DNF4 rpm-software-management/dnf#2075

@purpleidea

Certificiate

I've hit this issue too. As an aside, I grepped a few repos to find this typo and I couldn't. If anyone could point me to that code I'd be interested, thanks!

@FrostyX
Member

FrostyX commented Aug 7, 2024

Hello @purpleidea, I am not sure which typo you mean and what code you are interested in. But here are a few relevant links for you :-)

We keep this Copr issue open so that users know this can happen and use it as a starting point but there isn't actually any relevant bug in Copr. Everything needs to be fixed on the Dnf and RPM side of things.

@FrostyX
Member

FrostyX commented Nov 4, 2024

Current status:

  • The rpm and rpm-sequoia code is finished and merged to master but not released yet
  • The DNF4 plugin was released in dnf-plugins-core-4.9.0, but it is disabled by default. Users need to explicitly use --enableplugin=expired-pgp-keys or enable the plugin in /etc/dnf/plugins/expired-pgp-keys.conf. We agreed with @jan-kolarik that it needs to be disabled by default but that we should change the "GPG check FAILED" error to provide instructions to use the plugin for resolving the issue.
  • AFAIK there are no blockers for DNF5 anymore, and the feature (enabled by default) could potentially land in F42. I pinged the ticket but no response yet.

@nikromen nikromen moved this from In Progress to In 3 months in CPT Kanban Nov 11, 2024
@FrostyX FrostyX moved this from In 3 months to In Progress in CPT Kanban Dec 2, 2024
@FrostyX
Member

FrostyX commented Dec 2, 2024

Users need to explicitly use --enableplugin=expired-pgp-keys or enable the plugin in /etc/dnf/plugins/expired-pgp-keys.conf. We agreed with @jan-kolarik that it needs to be disabled by default but that we should change the "GPG check FAILED" error to provide instructions to use the plugin for resolving the issue.

I submitted a PR rpm-software-management/dnf#2166

@FrostyX
Member

FrostyX commented Dec 5, 2024

Change proposal for F42 - https://fedoraproject.org/wiki/Changes/Dnf5ExpiredPGPKeys
