Bug 2130122
Field | Value
---|---
Summary | Switch rpm to use Sequoia OpenPGP
Product | [Fedora] Fedora
Component | Changes Tracking
Version | 38
Status | CLOSED CURRENTRELEASE
Severity | medium
Priority | unspecified
Hardware | Unspecified
OS | Unspecified
Type | Bug
Reporter | Panu Matilainen <pmatilai>
Assignee | Ben Cotton <bcotton>
CC | bcotton, bugzilla.redhat.com, igor.raits, mdomonko, neal, packaging-team-maint, pmatilai, pmoravco, vmukhame
Last Closed | 2023-04-18 14:06:36 UTC
Bug Depends On | 2087499, 2141686, 2170878, 2180049
Bug Blocks | 2075059

Description
Panu Matilainen
2022-09-27 09:13:25 UTC
(This is a tracking bug for https://fedoraproject.org/wiki/Changes/RpmSequoia)

Aand we're live in rawhide, including builders.

This is on hold until Sequoia adds support for V3 signatures, those were discovered to be the predominant life-form in the rpm ecosystem (see https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c23 for details).

FYI, I'm currently testing it (see https://gitlab.com/sequoia-pgp/sequoia/-/merge_requests/1377)

Wow, that was quick :) Thanks a lot for working on that!

I believe this is the output that we want to see:

```
$ ~/rpm/_build/rpmkeys -K /tmp/python3-docutils-0.19-1.fc38.noarch.rpm
/tmp/python3-docutils-0.19-1.fc38.noarch.rpm: digests signatures OK
```

:D

(In reply to neal from comment #7)
> I believe this is the output that we want to see:
>
> ```
> $ ~/rpm/_build/rpmkeys -K /tmp/python3-docutils-0.19-1.fc38.noarch.rpm
> /tmp/python3-docutils-0.19-1.fc38.noarch.rpm: digests signatures OK
> ```
>
> :D

Yay, indeed :)

FWIW, for troubleshooting and such, you typically want to use 'rpmkeys -Kv' which produces more information about what exactly is being verified.

> FWIW, for troubleshooting and such, you typically want to use 'rpmkeys -Kv' which produces more information about what exactly is being verified.

Good point, thanks for the tip!
```
$ ~/rpm/_build/rpmkeys -Kv /tmp/python3-pytest-7.1.3-1.fc38.noarch.rpm
/tmp/python3-pytest-7.1.3-1.fc38.noarch.rpm:
Header V3 RSA/SHA256 Signature, key ID 6326b335: OK
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
V3 RSA/SHA256 Signature, key ID 6326b335: OK
MD5 digest: OK
```
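
The `rpmkeys -Kv` triage suggested in the comments above, as an added example that is not part of the original thread or of rpm: it parses the verbose output per package and reports every line that is not `OK`, plus packages that carry digests but no signature. The function names, the two `constructed-*` packages and their `deadbeef` key ID are assumptions made for illustration.

```python
import re

# One result line, e.g. "Header V3 RSA/SHA256 Signature, key ID 6326b335: OK" or
# "Payload SHA256 digest: OK". No Header/Payload prefix = legacy item over both.
LINE = re.compile(
    r"^\s*(?P<scope>Header |Payload )?"
    r"(?:V(?P<ver>\d+) (?P<pk>[\w-]+)/(?P<hash>[\w-]+) Signature, key ID (?P<keyid>[0-9a-fA-F]+)"
    r"|(?P<digest>[\w-]+) digest): (?P<status>\w+)\s*$")

def parse_rpmkeys_kv(text):
    report, pkg = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m and pkg is not None:
            item = m.groupdict()
            item["scope"] = (item["scope"] or "header+payload").strip().lower()
            report[pkg].append(item)
        elif raw.strip().endswith(":"):   # "<package path>:" starts a new block
            pkg = raw.strip()[:-1]
            report[pkg] = []
    return report

def findings(report):
    out = []
    for pkg, items in report.items():
        for it in items:
            if it["status"] != "OK":
                what = f"V{it['ver']} signature {it['keyid']}" if it["keyid"] else f"{it['digest']} digest"
                out.append((pkg, f"{it['scope']} {what}", it["status"]))
        if not any(it["keyid"] for it in items):
            # Digests alone only detect corruption; they say nothing about origin.
            out.append((pkg, "no signature present", "UNSIGNED"))
    return out

# First block is the output quoted in the thread; the other two are constructed.
SAMPLE = """\
/tmp/python3-pytest-7.1.3-1.fc38.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 6326b335: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 6326b335: OK
    MD5 digest: OK
/tmp/constructed-nokey-1.0-1.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID deadbeef: NOKEY
    Header SHA256 digest: OK
/tmp/constructed-unsigned-1.0-1.noarch.rpm:
    Header SHA256 digest: OK
"""
```

Calling `findings(parse_rpmkeys_kv(SAMPLE))` returns one row for the `NOKEY` signature and one for the unsigned package; the package from the thread produces no rows.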

(In reply to Panu Matilainen from comment #4)
> This is on hold until Sequoia adds support for V3 signatures, those were
> discovered to be the predominant life-form in the rpm ecosystem (see
> https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c23 for details).

As also mentioned here https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c33 , I've added support for v3 signatures to sequoia-openpgp and rpm-sequoia, and the relevant packages are in rawhide.

Back in game now with rpm-4.18.0-7.fc38 and rpm-sequoia 1.2.0.

I _guess_ this broke

```
[google-cloud-cli]
name=Google Cloud CLI
baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el9-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
```

worked fine on f37 and getting

```
Google Cloud CLI 2.9 kB/s | 975 B 00:00
GPG key at https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg (0x3E1BA8D5) is already installed
The GPG keys listed for the "Google Cloud CLI" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: google-cloud-cli-421.0.0-1.x86_64
GPG Keys are configured as: https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Public key for f14f10a3db2f20011b10638bca848d4cc5a46123e72b580a4172261ee76ec8d8-google-cloud-cli-gke-gcloud-auth-plugin-421.0.0-1.x86_64.rpm is not trusted. Failing package is: google-cloud-cli-gke-gcloud-auth-plugin-421.0.0-1.x86_64
GPG Keys are configured as: https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
```

after update to f38

Make sure you have the versions from https://bodhi.fedoraproject.org/updates/FEDORA-2023-bd9a4614ad (see bug 2170878 for the long story).
If it still fails with that, then we'll need to open a separate bug to track that.