
Bug 2130122

Summary: Switch rpm to use Sequoia OpenPGP
Product: Fedora
Reporter: Panu Matilainen <pmatilai>
Component: Changes Tracking
Assignee: Ben Cotton <bcotton>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: unspecified
Version: 38
CC: bcotton, bugzilla.redhat.com, igor.raits, mdomonko, neal, packaging-team-maint, pmatilai, pmoravco, vmukhame
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2023-04-18 14:06:36 UTC
Type: Bug
Bug Depends On: 2087499, 2141686, 2170878, 2180049
Bug Blocks: 2075059

Description Panu Matilainen 2022-09-27 09:13:25 UTC
Description of problem:
Rpm has been using its own simple and flawed OpenPGP parser ever since v4.0 or so. There's now a much more advanced alternative in rpm-sequoia; we should switch rpm to use it instead.

The initial plan is to make this change early in the Fedora 38 release process, to have time to deal with any potential teething issues.

Comment 1 Panu Matilainen 2022-10-10 11:39:44 UTC
(This is a tracking bug for https://fedoraproject.org/wiki/Changes/RpmSequoia)

Comment 2 Panu Matilainen 2022-11-09 09:16:06 UTC
Blocked by https://pagure.io/fedora-ci/general/issue/371

Comment 3 Panu Matilainen 2022-11-10 10:40:57 UTC
Aand we're live in rawhide, including builders.

Comment 4 Panu Matilainen 2022-11-11 08:32:35 UTC
This is on hold until Sequoia adds support for V3 signatures, those were discovered to be the predominant life-form in the rpm ecosystem (see https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c23 for details).

Comment 5 neal 2022-11-11 08:36:25 UTC
FYI, I'm currently testing it (see https://gitlab.com/sequoia-pgp/sequoia/-/merge_requests/1377)

Comment 6 Panu Matilainen 2022-11-11 08:43:24 UTC
Wow, that was quick :) Thanks a lot for working on that!

Comment 7 neal 2022-11-11 14:24:58 UTC
I believe this is the output that we want to see:

```
$ ~/rpm/_build/rpmkeys -K /tmp/python3-docutils-0.19-1.fc38.noarch.rpm 
/tmp/python3-docutils-0.19-1.fc38.noarch.rpm: digests signatures OK
```

:D

Comment 8 Panu Matilainen 2022-11-14 07:54:33 UTC
(In reply to neal from comment #7)
> I believe this is the output that we want to see:
> 
> ```
> $ ~/rpm/_build/rpmkeys -K /tmp/python3-docutils-0.19-1.fc38.noarch.rpm 
> /tmp/python3-docutils-0.19-1.fc38.noarch.rpm: digests signatures OK
> ```
> 
> :D

Yay, indeed :)

FWIW, for troubleshooting and such, you typically want to use 'rpmkeys -Kv' which produces more information about what exactly is being verified.

Comment 9 neal 2022-11-14 10:52:22 UTC
> FWIW, for troubleshooting and such, you typically want to use 'rpmkeys -Kv' which produces more information about what exactly is being verified.

Good point, thanks for the tip!

```
$ ~/rpm/_build/rpmkeys -Kv /tmp/python3-pytest-7.1.3-1.fc38.noarch.rpm 
/tmp/python3-pytest-7.1.3-1.fc38.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 6326b335: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 6326b335: OK
    MD5 digest: OK
```
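
Not part of the bug thread: an added Python example that parses the `rpmkeys -Kv` report format shown above into per-check records, then flags packages carrying V3 signatures (the case comment 4 describes as holding up the switch) and packages with any non-OK check. The first package is the output from comment 9; the second package, its key ID and its failing checks are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the `rpmkeys -Kv` format: the first block is the
# report quoted in comment 9, the second is made up to exercise the
# V4 / NOKEY / BAD paths (key ID "deadbeef" is a placeholder).
SAMPLE_OUTPUT = """\
/tmp/python3-pytest-7.1.3-1.fc38.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 6326b335: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 6326b335: OK
    MD5 digest: OK
/tmp/example-1.0-1.fc38.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID deadbeef: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: BAD
"""

# "    [Header ]V<n> <algo> Signature, key ID <hex>: <status>"
SIG_RE = re.compile(r"^\s+(Header )?V(?P<ver>\d) (?P<algo>\S+) Signature, "
                    r"key ID (?P<keyid>[0-9a-fA-F]+): (?P<status>\S+)$")
# "    <name> digest: <status>"
DIGEST_RE = re.compile(r"^\s+(?P<name>.+ digest): (?P<status>\S+)$")

@dataclass
class Check:
    package: Optional[str]
    kind: str                    # "signature" or "digest"
    status: str                  # OK, BAD, NOKEY, NOTTRUSTED, ...
    version: Optional[int] = None  # OpenPGP signature version, signatures only
    keyid: Optional[str] = None

def parse_rpmkeys_output(text: str) -> List[Check]:
    checks, package = [], None
    for line in text.splitlines():
        if not line.startswith(" ") and line.endswith(":"):
            package = line[:-1]        # unindented "<path>:" starts a package
            continue
        m = SIG_RE.match(line)
        if m:
            checks.append(Check(package, "signature", m["status"], int(m["ver"]), m["keyid"]))
            continue
        m = DIGEST_RE.match(line)
        if m:
            checks.append(Check(package, "digest", m["status"]))
    return checks

def v3_signed_packages(checks: List[Check]) -> List[str]:
    return sorted({c.package for c in checks if c.kind == "signature" and c.version == 3})

def failed_packages(checks: List[Check]) -> List[str]:
    return sorted({c.package for c in checks if c.status != "OK"})
```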

Comment 10 neal 2022-11-23 20:51:45 UTC
(In reply to Panu Matilainen from comment #4)
> This is on hold until Sequoia adds support for V3 signatures, those were
> discovered to be the predominant life-form in the rpm ecosystem (see
> https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c23 for details).

As also mentioned here https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c33 ,
I've added support for v3 signatures to sequoia-openpgp and rpm-sequoia, and
the relevant packages are in rawhide.

Comment 11 Panu Matilainen 2022-11-24 09:21:32 UTC
Back in game now with rpm-4.18.0-7.fc38 and rpm-sequoia 1.2.0.

Comment 12 ojab 2023-03-08 21:59:41 UTC
I _guess_ this broke 
```
[google-cloud-cli]
name=Google Cloud CLI
baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el9-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
```
worked fine on f37 and getting 
```
Google Cloud CLI                                                                                                                                                                                               2.9 kB/s | 975  B     00:00    
GPG key at https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg (0x3E1BA8D5) is already installed
The GPG keys listed for the "Google Cloud CLI" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: google-cloud-cli-421.0.0-1.x86_64
 GPG Keys are configured as: https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Public key for f14f10a3db2f20011b10638bca848d4cc5a46123e72b580a4172261ee76ec8d8-google-cloud-cli-gke-gcloud-auth-plugin-421.0.0-1.x86_64.rpm is not trusted. Failing package is: google-cloud-cli-gke-gcloud-auth-plugin-421.0.0-1.x86_64
 GPG Keys are configured as: https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
```
after update to f38

Comment 13 Panu Matilainen 2023-03-09 10:17:10 UTC
Make sure you have the versions from https://bodhi.fedoraproject.org/updates/FEDORA-2023-bd9a4614ad (see bug 2170878 for the long story). If it still fails then we'll need to open a separate bug to track that.