Thanks all for the input.

> Maybe there was some issue in COPR and/or rawhide at the
> time those packages were signed which caused them to fail
> verification now?  It may be worth trying to rebuild them to
> see if they can be properly signed?
>
I resubmitted the affected packages and now everything works - thanks for
the suggestion!

On Thu, 9 Mar 2023 at 20:42, Todd Zullinger <t...@pobox.com> wrote:

> Hi,
>
> Chris Kelley wrote:
> > TL;DR dogtag-pki is not installable on F38/Rawhide because
> > it fails the GPG check (F37 and prior are fine), even if
> > --nogpgcheck is specified, and I don't understand why.
> >
> > 1) Why does the key not work?
> > 2) Why does --nogpgcheck not work?
>
> It seems like it must be related to the issues reported
> recently with respect to changes in the rpm signature
> backend & stricter crypto-policies, but I don't see _why_
> they are failing.  They don't appear to be using SHA1 or DSA
> algorithms. :/
>
> I think it is suspicious that the three packages which fail
> to verify are the three which have not been built within the
> past week or so.  Attempting an install in a rawhide
> container from today, then checking the package cache after
> it fails simply reports the rpm signature as BAD.
>
> [root@8f5fc423842b /]# rpm -Kvv dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64.rpm
> D: loading keyring from rpmdb
> D: PRAGMA secure_delete = OFF: 0
> D: PRAGMA case_sensitive_like = ON: 0
> D:  read h#     150
> Header SHA256 digest: OK
> Header SHA1 digest: OK
> D: added key gpg-pubkey-18b8e74c-62f2920f to keyring
> D:  read h#     160
> Header SHA256 digest: OK
> Header SHA1 digest: OK
> D: added key gpg-pubkey-20de059c-5c7ffdbe to keyring
> /var/cache/dnf/copr:copr.fedorainfracloud.org:group_pki:master-7092f479845efeda/packages/dogtag-jss-5.4.0-0.1.alpha1.20230227143934UTC.0c4012e6.fc39.x86_64.rpm:
>     Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
>     Header SHA256 digest: OK
>     Header SHA1 digest: OK
>     Payload SHA256 digest: OK
>     V4 RSA/SHA256 Signature, key ID 20de059c: BAD
>     MD5 digest: OK
>
> Maybe there was some issue in COPR and/or rawhide at the
> time those packages were signed which caused them to fail
> verification now?  It may be worth trying to rebuild them to
> see if they can be properly signed?
>
> --
> Todd
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
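The triage reasoning in the quoted reply (digests OK, signature BAD, no SHA1 or DSA in the signature), as an added example that is not part of the original thread: it parses `rpm -Kv` result lines like the ones above and keeps digest checks separate from signature checks. The `triage` function, the verdict strings and the placeholder package path are assumptions made for illustration.

```python
import re

# Constructed sample: result lines as quoted in the thread, debug "D:" lines
# dropped and the dnf cache path replaced by a placeholder.
SAMPLE = """\
/path/to/dogtag-jss.rpm:
    Header V4 RSA/SHA256 Signature, key ID 20de059c: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 20de059c: BAD
    MD5 digest: OK
"""

SIG_RE = re.compile(r"^\s+(?:Header )?V\d (\w+)/(\w+) Signature, key ID (\w+): (\w+)$")
DIGEST_RE = re.compile(r"^\s+(?:Header |Payload )?(\w+) digest: (\w+)$")
WEAK = {"SHA1", "DSA"}  # signature algorithms the thread suspected, then ruled out

def triage(output):
    """Map each package in `rpm -Kv` output to its digests, signatures and a verdict."""
    reports, current = {}, None
    for line in output.splitlines():
        if line.startswith("D: "):            # -vv debug chatter
            continue
        if line and not line[0].isspace() and line.endswith(":"):
            current = reports.setdefault(line[:-1], {"digests": [], "signatures": []})
        elif current is not None and (m := SIG_RE.match(line)):
            current["signatures"].append(m.groups())   # (pubkey alg, hash, key ID, result)
        elif current is not None and (m := DIGEST_RE.match(line)):
            current["digests"].append(m.groups())      # (digest alg, result)
    for rep in reports.values():
        results = {sig[3] for sig in rep["signatures"]}
        # "Header SHA1 digest" is an integrity digest; only signature lines count here.
        rep["weak_sig_alg"] = any(WEAK & set(sig[:2]) for sig in rep["signatures"])
        if any(result != "OK" for _, result in rep["digests"]):
            rep["verdict"] = "digest mismatch: file corrupted or altered"
        elif "BAD" in results:
            rep["verdict"] = "digests match, signature does not verify"
        elif results - {"OK"}:
            rep["verdict"] = "signature could not be checked: " + ",".join(sorted(results - {"OK"}))
        else:
            rep["verdict"] = "ok" if results else "unsigned"
    return reports

if __name__ == "__main__":
    for pkg, rep in triage(SAMPLE).items():
        print(pkg, rep["weak_sig_alg"], rep["verdict"])
```

To run it against a real cache, pass the captured output of `rpm -Kv` for the cached packages to `triage()` instead of `SAMPLE`.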