Hi all!

TL;DR dogtag-pki is not installable on F38/Rawhide because it fails the GPG 
check (F37 and prior are fine), even if --nogpgcheck is specified, and I don't 
understand why.
1) Why does the key not work?
2) Why does --nogpgcheck not work?

The error I get is:
----
[root@fedora ~]# dnf copr enable @pki/master; dnf install dogtag-pki
<dnf downloads packages>
Importing GPG key 0x20DE059C:
 Userid     : "@pki_master (None) <@pki#mas...@copr.fedorahosted.org>"
 Fingerprint: B023 2014 243E 33DA CFBA 5269 94CF 0B2D 20DE 059C
 From       : 
https://download.copr.fedorainfracloud.org/results/@pki/master/pubkey.gpg
Is this ok [y/N]: y
Key imported successfully
Import of key(s) didn't help, wrong key(s)?
Problem opening package 
dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64.rpm. Failing 
package is: dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64
 GPG Keys are configured as: 
https://download.copr.fedorainfracloud.org/results/@pki/master/pubkey.gpg
Problem opening package 
dogtag-ldapjdk-5.4.0-0.1.alpha1.20230127155101UTC.ea85ad3a.fc38.noarch.rpm
Problem opening package 
dogtag-tomcatjss-8.4.0-0.1.alpha1.20230120164140UTC.a5ca31ab.fc38.noarch.rpm
The downloaded packages were saved in cache until the next successful 
transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
----

I see that the key is new, generated yesterday: 
https://download.copr.fedorainfracloud.org/results/%40pki/master/
What causes this key to be (re)generated? I looked for docs around this but 
couldn't find anything to help me.

To move things along, I tried to work around this with --nogpgcheck, which led 
to a different error:
----
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful 
transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
  package dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64 
does not verify: Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
  package 
dogtag-ldapjdk-5.4.0-0.1.alpha1.20230127155101UTC.ea85ad3a.fc38.noarch does not 
verify: Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
  package 
dogtag-tomcatjss-8.4.0-0.1.alpha1.20230120164140UTC.a5ca31ab.fc38.noarch does 
not verify: Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
----
...which looks like it is still attempting to do some kind of verification of 
the key.

I have tried setting both gpgcheck=0 and repo_gpgcheck=0 in the repo file, but 
this does not change the result. Am I misunderstanding the purpose/scope of 
this option?

Does anyone have any idea why this key does not work, or have some doc I can 
look at to try to figure it out myself?
Likewise for the workaround, anyone have any insight there?

Thanks for your patient reading if you got this far :-) I'm hoping this is a 
lack of familiarity on my part with GPG.

Cheers,

Chris  