On 6/13/25 5:51 PM, Todd Zullinger wrote:
ToddAndMargo via users wrote:
On 6/13/25 3:28 PM, ToddAndMargo via users wrote:
Open SUSE pulled a "NOTTRUSTED".
[...]
2) if so, what is the workaround?
# dnf install waterfox-6.5.9-4.1.x86_64.rpm
Not sure why you're installing it manually to be honest. I
tested it in an F41 container and it worked just fine:
[root@20245a7c82c1 /]# dnf -qq list --installed waterfox
Installed packages
waterfox.x86_64 6.5.9-4.1 home_hawkeye116477_waterfox
That was after using:
dnf config-manager addrepo
--from-repofile=https://download.opensuse.org/repositories/home:hawkeye116477:waterfox/Fedora_41/home:hawkeye116477:waterfox.repo
dnf install waterfox
Updating and loading repositories:
Repositories loaded.
Package Arch Version Repository Size
Installing:
waterfox x86_64 6.5.9-4.1 @commandline 242.1
MiB
Transaction Summary:
Installing: 1 package
Total size of inbound packages is 74 MiB. Need to download 0 B.
After this operation, 242 MiB extra will be used (install 242 MiB, remove 0
B).
Is this ok [y/N]: y
Running transaction
Transaction failed: Rpm transaction failed.
Warning: skipped OpenPGP checks for 1 package from repository: @commandline
- package waterfox-6.5.9-4.1.x86_64 does not verify: Header V3 RSA/SHA256
Signature, key ID 625a271e: NOTTRUSTED
If you had the repo installed from ages ago, you very well
may need to remove the key and install it again, as until
very recently, rpm had no way to refresh GPG keys. (I don't
think that's even in a released version of rpm yet, but if
it is, it's not in F41 at the very least.)
So you have to use rpm -e gpg-pubkey-625a271e and then let
dnf install it again (having added the repo properly).
[root@20245a7c82c1 /]# rpm -qi gpg-pubkey-625a271e | gpg --show-key
pub rsa2048 2017-04-05 [SC] [expires: 2027-07-10]
E64C7A04DC653D07ACA3EA585E62D791625A271E
uid home:hawkeye116477 OBS Project
<home:hawkeye116...@build.opensuse.org>
This is not much different than was needed for many other
third-party repos after updating to Fedora 40 or whenever it
was that the gpg backend in rpm was switch to sequoia, which
does much better/stricter checking of keys.
Many third-party repos updated their keys rather than
generated entirely new keys, which requires manual work from
their users.
I don't know if anything other than the key expiration had
to be changed for the home:hawkeye116477 repo key, but even
in that case, rpm's inability to refresh keys requires such
a change to be managed manually.
(Tangentially, and IMO, the smarter move is to generate an
entirely new key, add it to the gpgkey parameter in the repo
file, in addition to the existing key and then allow some
time to pass before removing the old key. But that also
presumes that they provide a package which manages the repo
file rather than just some "hey, download this file and
chuck it in place.")
None of this is really all that hard to do and is something
anyone adding third-party repos to their system should be
familiar with and comfortable doing.
I gave up and am just using each from their tar balls
--
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
