On Thu, 9 Mar 2023 at 05:15, Chris Kelley <ckel...@redhat.com> wrote:
> Hi all!
>
> TL;DR dogtag-pki is not installable on F38/Rawhide because it fails the
> GPG check (F37 and prior are fine), even if --nogpgcheck is specified, and
> I don't understand why.
> 1) Why does the key not work?
> 2) Why does --nogpgcheck not work?
>

This repo is probably using DSA and/or SHA1 in its keys. The rpm in Fedora 38 and beyond uses the central policies for encryption while previous versions did not. Currently the system policy does not allow for SHA1, DSA and other keys which were allowed previously, and only allows for SHA2 and stronger encryption algorithms. The keys need to be regenerated in COPR I believe to fix this.

> The error I get is:
> ----
> [root@fedora ~]# dnf copr enable @pki/master; dnf install dogtag-pki
> <dnf downloads packages>
> Importing GPG key 0x20DE059C:
>  Userid     : "@pki_master (None) <@pki#mas...@copr.fedorahosted.org>"
>  Fingerprint: B023 2014 243E 33DA CFBA 5269 94CF 0B2D 20DE 059C
>  From       : https://download.copr.fedorainfracloud.org/results/@pki/master/pubkey.gpg
> Is this ok [y/N]: y
> Key imported successfully
> Import of key(s) didn't help, wrong key(s)?
> Problem opening package dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64.rpm.
> Failing package is: dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64
>  GPG Keys are configured as: https://download.copr.fedorainfracloud.org/results/@pki/master/pubkey.gpg
> Problem opening package dogtag-ldapjdk-5.4.0-0.1.alpha1.20230127155101UTC.ea85ad3a.fc38.noarch.rpm
> Problem opening package dogtag-tomcatjss-8.4.0-0.1.alpha1.20230120164140UTC.a5ca31ab.fc38.noarch.rpm
> The downloaded packages were saved in cache until the next successful transaction.
> You can remove cached packages by executing 'dnf clean packages'.
> Error: GPG check FAILED
> ----
>
> I see that the key is new, generated yesterday:
> https://download.copr.fedorainfracloud.org/results/%40pki/master/
> What causes this key to be (re)generated? I looked for docs around this
> but couldn't find anything to help me.
>
> To move things along, I tried to work around this with --nogpgcheck, which
> led to a different error:
> ----
> Running transaction check
> Transaction check succeeded.
> Running transaction test
> The downloaded packages were saved in cache until the next successful transaction.
> You can remove cached packages by executing 'dnf clean packages'.
> Error: Transaction test error:
>   package dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
>   package dogtag-ldapjdk-5.4.0-0.1.alpha1.20230127155101UTC.ea85ad3a.fc38.noarch does not verify: Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
>   package dogtag-tomcatjss-8.4.0-0.1.alpha1.20230120164140UTC.a5ca31ab.fc38.noarch does not verify: Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
> ----
> ...which looks like it is still attempting to do some kind of verification
> of the key.
>
> I have tried setting both gpgcheck=0 and repo_gpgcheck=0 in the repo file,
> but this does not change the result. Am I misunderstanding the
> purpose/scope of this option?
>
> Does anyone have any idea why this key does not work, or have some doc I
> can look at to try to figure it out myself?
> Likewise for the workaround, anyone have any insight there?
>
> Thanks for your patient reading if you got this far :-) I'm hoping this is
> a lack of familiarity on my part with GPG.
>
> Cheers,
>
> Chris

-- 
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
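A quick way to test the DSA/SHA1 hypothesis on a downloaded repo key, as an added example that is not part of this thread: run `gpg --list-packets pubkey.gpg` yourself and feed the listing to the script below, which flags DSA/Elgamal key packets and MD5/SHA1-based self-signatures using the RFC 4880 algorithm numbers. The two embedded listings are constructed samples in gpg's output format (key IDs 0123456789ABCDEF and FEDCBA9876543210 are placeholders), not the @pki/master key; the script does not call gpg itself.

```python
"""Audit a `gpg --list-packets` dump for algorithms a SHA1/DSA-free crypto policy rejects.

Added example: reads the text output of `gpg --list-packets pubkey.gpg` (run gpg
separately) and reports DSA/Elgamal public-key packets and MD5/SHA1/RIPEMD160
self-signatures. Algorithm numbers are from RFC 4880 section 9.
"""
import re
import sys

# RFC 4880 9.1 public-key algorithm IDs and 9.4 hash algorithm IDs
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224"}
WEAK_PUBKEY = {16, 17}   # Elgamal, DSA
WEAK_HASH = {1, 2, 3}    # MD5, SHA1, RIPEMD160

PKT_RE = re.compile(r"^:([^:]+):")                  # ":public key packet:", ":signature packet: ..."
KEY_ALGO_RE = re.compile(r"(?<!digest )\balgo (\d+)")  # key algorithm, not "digest algo"
DIGEST_RE = re.compile(r"\bdigest algo (\d+)")
KEYID_RE = re.compile(r"\bkeyid:? ([0-9A-Fa-f]{16})")

# Constructed sample in gpg's --list-packets format: DSA key, SHA1 self-signature.
WEAK_KEY_LISTING = """\
# off=0 ctb=99 tag=6 hlen=3 plen=418
:public key packet:
    version 4, algo 17, created 1678233600, expires 0
    pkey[0]: [1024 bits]
    pkey[1]: [160 bits]
    pkey[2]: [1024 bits]
    pkey[3]: [1024 bits]
    keyid: 0123456789ABCDEF
# off=421 ctb=b4 tag=13 hlen=2 plen=26
:user ID packet: "example-repo (constructed)"
# off=449 ctb=89 tag=2 hlen=3 plen=70
:signature packet: algo 17, keyid 0123456789ABCDEF
    version 4, created 1678233600, md5len 0, sigclass 0x13
    digest algo 2, begin of digest ab cd
    hashed subpkt 2 len 4 (sig created 2023-03-08)
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
    data: [159 bits]
    data: [160 bits]
"""

# Constructed sample: RSA key, SHA256 self-signature (policy-clean).
GOOD_KEY_LISTING = """\
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
    version 4, algo 1, created 1678233600, expires 0
    pkey[0]: [2048 bits]
    pkey[1]: [17 bits]
    keyid: FEDCBA9876543210
# off=272 ctb=b4 tag=13 hlen=2 plen=26
:user ID packet: "example-repo (constructed)"
# off=300 ctb=89 tag=2 hlen=3 plen=307
:signature packet: algo 1, keyid FEDCBA9876543210
    version 4, created 1678233600, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 12 34
    hashed subpkt 2 len 4 (sig created 2023-03-08)
    subpkt 16 len 8 (issuer key ID FEDCBA9876543210)
    data: [2047 bits]
"""


def parse_packets(listing):
    """Split a --list-packets dump into (kind, [lines]) tuples, skipping '#' offset lines."""
    packets = []
    for line in listing.splitlines():
        if line.startswith("#"):
            continue
        m = PKT_RE.match(line)
        if m:
            packets.append((m.group(1), [line]))
        elif packets and line.strip():
            packets[-1][1].append(line)
    return packets


def audit_key(listing):
    """Return human-readable findings; an empty list means no weak algorithm was seen."""
    findings = []
    for kind, lines in parse_packets(listing):
        text = "\n".join(lines)
        keyid_m = KEYID_RE.search(text)
        keyid = keyid_m.group(1) if keyid_m else "?"
        if kind in ("public key packet", "public sub key packet"):
            algo = int(KEY_ALGO_RE.search(text).group(1))
            if algo in WEAK_PUBKEY:
                findings.append(f"{kind} {keyid}: {PUBKEY_ALGOS.get(algo, algo)} "
                                f"(algo {algo}) is disallowed by a SHA1/DSA-free policy")
        elif kind == "signature packet":
            d = DIGEST_RE.search(text)
            if d and int(d.group(1)) in WEAK_HASH:
                digest = int(d.group(1))
                findings.append(f"signature by {keyid}: {HASH_ALGOS.get(digest, digest)} "
                                f"digest (algo {digest}) is disallowed by a SHA1/DSA-free policy")
    return findings


def main(argv):
    """Audit the file named in argv[1], or the constructed weak sample when none is given."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            listing = fh.read()
    else:
        listing = WEAK_KEY_LISTING
    findings = audit_key(listing)
    for f in findings:
        print("WEAK:", f)
    if not findings:
        print("no DSA/Elgamal keys or MD5/SHA1 signatures found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `gpg --list-packets pubkey.gpg > key.packets && python3 audit_key.py key.packets`; a non-zero exit means the key carries an algorithm the stricter policy will refuse, which is what "Import of key(s) didn't help" looks like from dnf's side.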
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue