Bug 2149762
Summary: | Signature failures on 3rd party packages
---|---
Product: | [Fedora] Fedora
Component: | rpm
Version: | rawhide
Status: | CLOSED NOTABUG
Severity: | unspecified
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Mikhail <mikhail.v.gavrilov>
Assignee: | Packaging Maintenance Team <packaging-team-maint>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | dhill, igor.raits, jaltman, lionking_1996-redhatbugzilla, lnie, mdomonko, packaging-team-maint, pmatilai, robatino, vmukhame, zkabelac
Doc Type: | If docs needed, set a value
Last Closed: | 2022-12-07 12:48:57 UTC
Type: | Bug
Bug Blocks: | 2083912
Description
Mikhail
2022-11-30 20:13:38 UTC
    # rpm -Uvh /home/mikhail/Downloads/google-chrome-unstable_current_x86_64.rpm
    error: /home/mikhail/Downloads/google-chrome-unstable_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: BAD
    error: /home/mikhail/Downloads/google-chrome-unstable_current_x86_64.rpm cannot be installed

    # rpm -Uvh --nosignature /home/mikhail/Downloads/google-chrome-unstable_current_x86_64.rpm
    Verifying...                          ################################# [100%]
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:google-chrome-unstable-110.0.5449################################# [ 50%]
    Cleaning up / removing...
       2:google-chrome-unstable-109.0.5414################################# [100%]

Looks like all 3rd party packages couldn't update.

    $ dnf upgrade --refresh
    local repo  208 kB/s | 3.0 kB 00:00
    Copr repo for openvpn3 owned by dsommers  4.7 kB/s | 3.3 kB 00:00
    Copr repo for gnome-info-collect owned by vstan  5.1 kB/s | 3.3 kB 00:00
    Fedora rawhide openh264 (From Cisco) - x86_64  2.6 kB/s | 989 B 00:00
    Fedora - Rawhide - Developmental packages for t  17 kB/s | 10 kB 00:00
    Fedora - Rawhide - Developmental packages for t  913 kB/s | 1.7 MB 00:01
    Fedora - Rawhide - Debug  15 kB/s | 9.9 kB 00:00
    Fedora - Rawhide - Debug  4.6 kB/s | 4.9 kB 00:01
    Fedora - Modular Rawhide - Developmental packag  43 kB/s | 13 kB 00:00
    Fedora - Modular Rawhide - Developmental packag  86 kB/s | 171 kB 00:01
    Fedora - Modular Rawhide - Debug  14 kB/s | 13 kB 00:00
    Fedora - Modular Rawhide - Debug  9.6 kB/s | 4.8 kB 00:00
    google-chrome-unstable  6.5 kB/s | 1.3 kB 00:00
    RPM Fusion for Fedora Rawhide - Free  15 kB/s | 8.0 kB 00:00
    RPM Fusion for Fedora Rawhide - Free - Debug  16 kB/s | 8.1 kB 00:00
    RPM Fusion for Fedora Rawhide - Nonfree  28 kB/s | 8.1 kB 00:00
    RPM Fusion for Fedora Rawhide - Nonfree - Debug  30 kB/s | 8.2 kB 00:00
    Scooter Software  3.3 kB/s | 2.9 kB 00:00
    Sublime Text - x86_64 - Dev  4.3 kB/s | 2.9 kB 00:00
    Dependencies resolved.
    ================================================================================
     Package  Architecture  Version  Repository  Size
    ================================================================================
    Upgrading:
     sublime-merge  x86_64  2080-1  sublime-text  6.3 M

    Transaction Summary
    ================================================================================
    Upgrade  1 Package

    Total size: 6.3 M
    Is this ok [y/N]: y
    Downloading Packages:
    [SKIPPED] sublime-merge-2080-1.x86_64.rpm: Already downloaded
    Problem opening package sublime-merge-2080-1.x86_64.rpm
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'dnf clean packages'.
    Error: GPG check FAILED

There seem to be (at least) two separate issues:

> error: rpmdbNextIterator: skipping h# 2604
> Header V4 DSA/SHA1 Signature, key ID 7fac5991: BAD

DSA/SHA1 signatures are considered dangerously weak by the new sequoia crypto (this is not a bug)

> error: rpmdbNextIterator: skipping h# 1736
> Header V4 RSA/SHA256 Signature, key ID 222d23d0: BAD
> error: rpmdbNextIterator: skipping h# 1869
> Header V4 RSA/SHA256 Signature, key ID 222d23d0: BAD

...but there's no obvious reason for these, they're V4 signatures and using strong hashes.

And, chasing down the above sublime-merge package which appears to be one of the failing packages here, it checks out ok for me:

    [root@localhost ~]# rpmkeys --import https://download.sublimetext.com/sublimehq-rpm-pub.gpg
    [root@localhost ~]# rpmkeys -Kv sublime-merge-2080-1.x86_64.rpm
    sublime-merge-2080-1.x86_64.rpm:
        Header V4 RSA/SHA256 Signature, key ID 222d23d0: OK
        Header SHA1 digest: OK
        V4 RSA/SHA256 Signature, key ID 222d23d0: OK
        MD5 digest: OK

What does 'rpm -q rpm-sequoia' say on this system? Make sure to update that to the latest version (1.2.0-1) and recheck.

Okay the difference is rawhide vs older system without the sequoia crypto policy. On rawhide, attempting to import the key I get:

    # rpmkeys --import /tmp/sublimehq-rpm-pub.gpg
    error: Certificate CA464A9A222D23D0:
      Policy rejects CA464A9A222D23D0: No binding signature at time 2022-12-07T07:51:32Z

And then it hangs, which is probably an unrelated issue somewhere (but needs investigating + fixing of course).

Anyway, the import message explains why it fails the verification. It's just that in your case, the key was already imported, it's just that the verify API lacks the means to report that sort of a message.

Here's what sq says about the key (https://download.sublimetext.com/sublimehq-rpm-pub.gpg):

    $ sq packet dump /tmp/sublimehq-rpm-pub.gpg
    Public-Key Packet, old CTB, 525 bytes
        Version: 4
        Creation time: 2017-05-08 17:54:56 UTC
        Pk algo: RSA
        Pk size: 4096 bits
        Fingerprint: 1B64279675A4299DCFC70858CA464A9A222D23D0
        KeyID: CA464A9A222D23D0

    User ID Packet, old CTB, 44 bytes
        Value: Sublime HQ Pty Ltd <support>

    Signature Packet, old CTB, 564 bytes
        Version: 4
        Type: PositiveCertification
        Pk algo: RSA
        Hash algo: SHA1
        Hashed area:
          Signature creation time: 2017-05-08 17:54:56 UTC
          Key flags: CSEtErA
          Symmetric algo preferences: AES256, AES128
          Hash preferences: SHA512, SHA384, SHA256
          Compression preferences: Zlib, BZip2, Zip, Uncompressed
          Features: MDC
          Keyserver preferences: no modify
        Unhashed area:
          Issuer: CA464A9A222D23D0
        Digest prefix: B42C
        Level: 0 (signature over data)

Doh, of course, this is the actual reason for the failed signature check in the non-chrome case:

    Signature Packet, old CTB, 564 bytes
        Version: 4
        Type: PositiveCertification
        Pk algo: RSA
        Hash algo: SHA1
                   ^^^^

While the *signature* made by this key uses SHA256 (ie "Header V4 RSA/SHA256 Signature, key ID 222d23d0"), the binding signature of the *key* uses the weak SHA1 hash.

These SHA1 usages should be reported to the vendors in question, they can't be fixed in Fedora. In the meanwhile, as a workaround you can do

    # update-crypto-policies --set DEFAULT:SHA1

So the rpmdbNextIterator errors are not a bug, these are just insecure signatures/keys from 3rd parties that are only now getting caught out. Of course, ideally rpm would output something comprehensible in these situations, there's an upstream ticket for that.

The one concrete bug here is hanging on import, and that seems to be a bug in 4.18 as it doesn't happen in upstream development codebase. I'll look into it.

The related hang on failed key import fixed in rpm-4.18.0-8. While that's not what this report was about, that issue was found thanks to this report so thanks!

Other than that, no bugs here. The fix is getting vendors to update their crypto.

> Other than that, no bugs here. The fix is getting vendors to update their crypto.

So maybe more human readable message expected here? I would prefer to see in message which rpm package has outdated crypto.
    # dnf upgrade --refresh
    local repo  3.0 MB/s | 3.0 kB 00:00
    Copr repo for gnome-info-collect owned by vstanek  5.2 kB/s | 3.3 kB 00:00
    Fedora rawhide openh264 (From Cisco) - x86_64  4.1 kB/s | 989 B 00:00
    Fedora - Rawhide - Developmental packages for the next Fedora  47 kB/s | 13 kB 00:00
    Fedora - Modular Rawhide - Developmental packages for the next  19 kB/s | 13 kB 00:00
    google-chrome-unstable  7.6 kB/s | 1.3 kB 00:00
    RPM Fusion for Fedora Rawhide - Free  17 kB/s | 8.6 kB 00:00
    RPM Fusion for Fedora Rawhide - Nonfree  34 kB/s | 8.7 kB 00:00
    Sublime Text - x86_64 - Dev  5.1 kB/s | 2.9 kB 00:00
    Dependencies resolved.
    ===============================================================================================
     Package  Arch  Version  Repository  Size
    ===============================================================================================
    Installing:
     kernel  x86_64  6.1.0-0.rc8.58.fc38  rawhide  116 k
     kernel-core  x86_64  6.1.0-0.rc8.58.fc38  rawhide  49 M
     kernel-debug  x86_64  6.1.0-0.rc8.58.fc38  rawhide  116 k
     kernel-debug-core  x86_64  6.1.0-0.rc8.58.fc38  rawhide  51 M
     kernel-debug-modules  x86_64  6.1.0-0.rc8.58.fc38  rawhide  59 M
     kernel-modules  x86_64  6.1.0-0.rc8.58.fc38  rawhide  58 M
     kernel-modules-extra  x86_64  6.1.0-0.rc8.58.fc38  rawhide  3.4 M
    Upgrading:
     edk2-ovmf  noarch  20221117gitfff6d81270b5-5.fc38  rawhide  10 M
     evolution-data-server  x86_64  3.46.2-1.fc38  rawhide  2.5 M
     evolution-data-server-langpacks  noarch  3.46.2-1.fc38  rawhide  1.2 M
     grub2-common  noarch  1:2.06-68.fc38  rawhide  926 k
     grub2-efi-ia32  x86_64  1:2.06-68.fc38  rawhide  2.1 M
     grub2-efi-ia32-cdboot  x86_64  1:2.06-68.fc38  rawhide  2.1 M
     grub2-efi-x64  x86_64  1:2.06-68.fc38  rawhide  2.1 M
     grub2-efi-x64-cdboot  x86_64  1:2.06-68.fc38  rawhide  2.1 M
     grub2-pc  x86_64  1:2.06-68.fc38  rawhide  18 k
     grub2-pc-modules  noarch  1:2.06-68.fc38  rawhide  958 k
     grub2-tools  x86_64  1:2.06-68.fc38  rawhide  1.8 M
     grub2-tools-efi  x86_64  1:2.06-68.fc38  rawhide  544 k
     grub2-tools-extra  x86_64  1:2.06-68.fc38  rawhide  843 k
     grub2-tools-minimal  x86_64  1:2.06-68.fc38  rawhide  607 k
     kernel-headers  x86_64  6.1.0-0.rc8.git0.1.fc38  rawhide  1.5 M
     libbsd  x86_64  0.11.7-2.fc38  rawhide  112 k
     libphonenumber  x86_64  8.12.57-2.fc38  rawhide  2.3 M
     libvirt-daemon  x86_64  8.10.0-1.fc38  rawhide  384 k
     libvirt-daemon-config-network  x86_64  8.10.0-1.fc38  rawhide  13 k
     libvirt-daemon-driver-interface  x86_64  8.10.0-1.fc38  rawhide  163 k
     libvirt-daemon-driver-network  x86_64  8.10.0-1.fc38  rawhide  203 k
     libvirt-daemon-driver-nodedev  x86_64  8.10.0-1.fc38  rawhide  184 k
     libvirt-daemon-driver-nwfilter  x86_64  8.10.0-1.fc38  rawhide  199 k
     libvirt-daemon-driver-qemu  x86_64  8.10.0-1.fc38  rawhide  910 k
     libvirt-daemon-driver-secret  x86_64  8.10.0-1.fc38  rawhide  160 k
     libvirt-daemon-driver-storage  x86_64  8.10.0-1.fc38  rawhide  11 k
     libvirt-daemon-driver-storage-core  x86_64  8.10.0-1.fc38  rawhide  218 k
     libvirt-daemon-driver-storage-disk  x86_64  8.10.0-1.fc38  rawhide  22 k
     libvirt-daemon-driver-storage-gluster  x86_64  8.10.0-1.fc38  rawhide  24 k
     libvirt-daemon-driver-storage-iscsi  x86_64  8.10.0-1.fc38  rawhide  19 k
     libvirt-daemon-driver-storage-iscsi-direct  x86_64  8.10.0-1.fc38  rawhide  21 k
     libvirt-daemon-driver-storage-logical  x86_64  8.10.0-1.fc38  rawhide  23 k
     libvirt-daemon-driver-storage-mpath  x86_64  8.10.0-1.fc38  rawhide  17 k
     libvirt-daemon-driver-storage-rbd  x86_64  8.10.0-1.fc38  rawhide  28 k
     libvirt-daemon-driver-storage-scsi  x86_64  8.10.0-1.fc38  rawhide  19 k
     libvirt-daemon-driver-storage-zfs  x86_64  8.10.0-1.fc38  rawhide  19 k
     libvirt-daemon-kvm  x86_64  8.10.0-1.fc38  rawhide  11 k
     libvirt-libs  x86_64  8.10.0-1.fc38  rawhide  4.7 M
     paps  x86_64  0.7.1-6.fc38  rawhide  34 k
     perl-srpm-macros  noarch  1-47.fc38  rawhide  8.2 k
     sublime-merge  x86_64  2080-1  sublime-text  6.3 M
     vim-data  noarch  2:9.0.1006-1.fc38  rawhide  24 k
     vim-minimal  x86_64  2:9.0.1006-1.fc38  rawhide  783 k
    Installing weak dependencies:
     libvirt-client  x86_64  8.10.0-1.fc38  rawhide  429 k
    Removing:
     kernel  x86_64  6.1.0-0.rc7.20221130git01f856ae6d0c.53.fc38  @local-repo  0
     kernel-core  x86_64  6.1.0-0.rc7.20221130git01f856ae6d0c.53.fc38  @local-repo  94 M
     kernel-debug  x86_64  6.1.0-0.rc7.20221130git01f856ae6d0c.53.fc38  @local-repo  0
     kernel-debug-core  x86_64  6.1.0-0.rc7.20221130git01f856ae6d0c.53.fc38  @local-repo  0
     kernel-debug-modules  x86_64  6.1.0-0.rc7.20221130git01f856ae6d0c.53.fc38  @local-repo  0
     kernel-modules  x86_64  6.1.0-0.rc7.20221130git01f856ae6d0c.53.fc38  @local-repo  58 M
     kernel-modules-extra  x86_64  6.1.0-0.rc7.20221130git01f856ae6d0c.53.fc38  @local-repo  3.3 M

    Transaction Summary
    ===============================================================================================
    Install   8 Packages
    Upgrade  43 Packages
    Remove    7 Packages

    Total download size: 268 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/51): kernel-6.1.0-0.rc8.58.fc38.x86_64.rpm  205 kB/s | 116 kB 00:00
    (2/51): kernel-debug-6.1.0-0.rc8.58.fc38.x86_64.rpm  196 kB/s | 116 kB 00:00
    (3/51): kernel-core-6.1.0-0.rc8.58.fc38.x86_64.rpm  14 MB/s | 49 MB 00:03
    (4/51): kernel-debug-core-6.1.0-0.rc8.58.fc38.x86_64.rpm  16 MB/s | 51 MB 00:03
    (5/51): kernel-modules-extra-6.1.0-0.rc8.58.fc38.x86_64.rpm  7.1 MB/s | 3.4 MB 00:00
    (6/51): libvirt-client-8.10.0-1.fc38.x86_64.rpm  3.2 MB/s | 429 kB 00:00
    (7/51): kernel-debug-modules-6.1.0-0.rc8.58.fc38.x86_64.rpm  13 MB/s | 59 MB 00:04
    (8/51): evolution-data-server-3.46.2-1.fc38.x86_64.rpm  6.5 MB/s | 2.5 MB 00:00
    (9/51): edk2-ovmf-20221117gitfff6d81270b5-5.fc38.noarch.rpm  7.7 MB/s | 10 MB 00:01
    (10/51): evolution-data-server-langpacks-3.46.2-1.fc38.noarch.  4.9 MB/s | 1.2 MB 00:00
    (11/51): grub2-common-2.06-68.fc38.noarch.rpm  4.8 MB/s | 926 kB 00:00
    (12/51): grub2-efi-ia32-2.06-68.fc38.x86_64.rpm  7.1 MB/s | 2.1 MB 00:00
    (13/51): grub2-efi-ia32-cdboot-2.06-68.fc38.x86_64.rpm  5.3 MB/s | 2.1 MB 00:00
    (14/51): grub2-efi-x64-2.06-68.fc38.x86_64.rpm  6.7 MB/s | 2.1 MB 00:00
    (15/51): grub2-pc-2.06-68.fc38.x86_64.rpm  141 kB/s | 18 kB 00:00
    (16/51): grub2-efi-x64-cdboot-2.06-68.fc38.x86_64.rpm  5.5 MB/s | 2.1 MB 00:00
    (17/51): grub2-pc-modules-2.06-68.fc38.noarch.rpm  5.2 MB/s | 958 kB 00:00
    (18/51): kernel-modules-6.1.0-0.rc8.58.fc38.x86_64.rpm  17 MB/s | 58 MB 00:03
    (19/51): grub2-tools-efi-2.06-68.fc38.x86_64.rpm  3.0 MB/s | 544 kB 00:00
    (20/51): grub2-tools-2.06-68.fc38.x86_64.rpm  4.8 MB/s | 1.8 MB 00:00
    (21/51): grub2-tools-minimal-2.06-68.fc38.x86_64.rpm  2.4 MB/s | 607 kB 00:00
    (22/51): grub2-tools-extra-2.06-68.fc38.x86_64.rpm  2.0 MB/s | 843 kB 00:00
    (23/51): libbsd-0.11.7-2.fc38.x86_64.rpm  583 kB/s | 112 kB 00:00
    (24/51): kernel-headers-6.1.0-0.rc8.git0.1.fc38.x86_64.rpm  4.2 MB/s | 1.5 MB 00:00
    (25/51): libvirt-daemon-8.10.0-1.fc38.x86_64.rpm  3.5 MB/s | 384 kB 00:00
    (26/51): libvirt-daemon-config-network-8.10.0-1.fc38.x86_64.rp  147 kB/s | 13 kB 00:00
    (27/51): libphonenumber-8.12.57-2.fc38.x86_64.rpm  9.2 MB/s | 2.3 MB 00:00
    (28/51): libvirt-daemon-driver-interface-8.10.0-1.fc38.x86_64.  1.1 MB/s | 163 kB 00:00
    (29/51): libvirt-daemon-driver-network-8.10.0-1.fc38.x86_64.rp  1.8 MB/s | 203 kB 00:00
    (30/51): libvirt-daemon-driver-nodedev-8.10.0-1.fc38.x86_64.rp  1.7 MB/s | 184 kB 00:00
    (31/51): libvirt-daemon-driver-nwfilter-8.10.0-1.fc38.x86_64.r  2.0 MB/s | 199 kB 00:00
    (32/51): libvirt-daemon-driver-secret-8.10.0-1.fc38.x86_64.rpm  1.6 MB/s | 160 kB 00:00
    (33/51): libvirt-daemon-driver-storage-8.10.0-1.fc38.x86_64.rp  117 kB/s | 11 kB 00:00
    (34/51): libvirt-daemon-driver-storage-core-8.10.0-1.fc38.x86_  2.3 MB/s | 218 kB 00:00
    (35/51): libvirt-daemon-driver-storage-disk-8.10.0-1.fc38.x86_  239 kB/s | 22 kB 00:00
    (36/51): libvirt-daemon-driver-qemu-8.10.0-1.fc38.x86_64.rpm  3.1 MB/s | 910 kB 00:00
    (37/51): libvirt-daemon-driver-storage-iscsi-direct-8.10.0-1.f  243 kB/s | 21 kB 00:00
    (38/51): libvirt-daemon-driver-storage-gluster-8.10.0-1.fc38.x  193 kB/s | 24 kB 00:00
    (39/51): libvirt-daemon-driver-storage-iscsi-8.10.0-1.fc38.x86  168 kB/s | 19 kB 00:00
    (40/51): libvirt-daemon-driver-storage-mpath-8.10.0-1.fc38.x86  202 kB/s | 17 kB 00:00
    (41/51): libvirt-daemon-driver-storage-logical-8.10.0-1.fc38.x  215 kB/s | 23 kB 00:00
    (42/51): libvirt-daemon-driver-storage-rbd-8.10.0-1.fc38.x86_6  258 kB/s | 28 kB 00:00
    (43/51): libvirt-daemon-driver-storage-scsi-8.10.0-1.fc38.x86_  232 kB/s | 19 kB 00:00
    (44/51): libvirt-daemon-driver-storage-zfs-8.10.0-1.fc38.x86_6  203 kB/s | 19 kB 00:00
    (45/51): libvirt-daemon-kvm-8.10.0-1.fc38.x86_64.rpm  127 kB/s | 11 kB 00:00
    (46/51): paps-0.7.1-6.fc38.x86_64.rpm  364 kB/s | 34 kB 00:00
    (47/51): perl-srpm-macros-1-47.fc38.noarch.rpm  85 kB/s | 8.2 kB 00:00
    (48/51): vim-data-9.0.1006-1.fc38.noarch.rpm  214 kB/s | 24 kB 00:00
    (49/51): vim-minimal-9.0.1006-1.fc38.x86_64.rpm  6.1 MB/s | 783 kB 00:00
    (50/51): libvirt-libs-8.10.0-1.fc38.x86_64.rpm  11 MB/s | 4.7 MB 00:00
    (51/51): sublime-merge-2080-1.x86_64.rpm  2.9 MB/s | 6.3 MB 00:02
    -----------------------------------------------------------------------------------------------
    Total  24 MB/s | 268 MB 00:11
    Problem opening package sublime-merge-2080-1.x86_64.rpm
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'dnf clean packages'.
    Error: GPG check FAILED

    # dnf remove sublime-merge
    Dependencies resolved.
    ===============================================================================================
     Package  Architecture  Version  Repository  Size
    ===============================================================================================
    Removing:
     sublime-merge  x86_64  2078-1  @sublime-text  21 M

    Transaction Summary
    ===============================================================================================
    Remove  1 Package

    Freed space: 21 M
    Is this ok [y/N]: y
    Running transaction check
    error: rpmdbNextIterator: skipping h# 7669
    Header V4 RSA/SHA256 Signature, key ID 222d23d0: BAD
    Header SHA1 digest: OK
    Error: An rpm exception occurred: package not installed

And another stalemate is that it is problematic for the user to even remove the problematic package.

> So maybe more human readable message expected here? I would prefer to see in message which rpm package has outdated crypto.
>
> And another stalemate is that it is problematic for the user to even remove the problematic package.

Yes, a nicer message would be nice, but this is an API issue that's not so easy to resolve. Rpm by default does not access headers whose signature check failed for security reasons, so it can't tell because it actually doesn't know.

You can bypass that with --nosignature, and you can pinpoint the package with --querybynumber, eg:

> error: rpmdbNextIterator: skipping h# 7669
> Header V4 RSA/SHA256 Signature, key ID 222d23d0: BAD

To find out what that is:

    rpm -q --nosignature --querybynumber 7669

And then erase with the help of --nosignature. But like noted above, update-crypto-policies can be used to work around the issue more generally that doesn't require mucking with low-level rpm switches.
Yet another affected rpm:

    # dnf upgrade --refresh
    Waiting for process with pid 149966 to finish.
    local repo  3.0 MB/s | 3.0 kB 00:00
    Copr repo for gnome-info-collect owned by vstanek  5.3 kB/s | 3.3 kB 00:00
    created by dnf config-manager from https://brave-browser-rpm-nightly.s3.b  17 kB/s | 3.3 kB 00:00
    Fedora rawhide openh264 (From Cisco) - x86_64  4.0 kB/s | 989 B 00:00
    Fedora - Rawhide - Developmental packages for the next Fedora release  12 kB/s | 6.6 kB 00:00
    Fedora - Rawhide - Debug  23 kB/s | 5.7 kB 00:00
    Fedora - Modular Rawhide - Developmental packages for the next Fedora rel  25 kB/s | 16 kB 00:00
    Fedora - Modular Rawhide - Debug  49 kB/s | 15 kB 00:00
    google-chrome-unstable  6.9 kB/s | 1.3 kB 00:00
    microsoft-edge-dev  9.8 kB/s | 3.0 kB 00:00
    Opera packages  12 kB/s | 3.0 kB 00:00
    pgadmin4  1.0 kB/s | 833 B 00:00
    RPM Fusion for Fedora Rawhide - Free  32 kB/s | 7.8 kB 00:00
    RPM Fusion for Fedora Rawhide - Free - Debug  38 kB/s | 7.9 kB 00:00
    RPM Fusion for Fedora Rawhide - Nonfree  17 kB/s | 8.5 kB 00:00
    RPM Fusion for Fedora Rawhide - Nonfree - Debug  16 kB/s | 8.6 kB 00:00
    Scooter Software  3.8 kB/s | 2.9 kB 00:00
    Sublime Text - x86_64 - Dev  4.3 kB/s | 2.9 kB 00:00
    Dependencies resolved.
    ==========================================================================================================
     Package  Architecture  Version  Repository  Size
    ==========================================================================================================
    Upgrading:
     microsoft-edge-dev  x86_64  110.0.1556.0-1  microsoft-edge-dev  135 M

    Transaction Summary
    ==========================================================================================================
    Upgrade  1 Package

    Total size: 135 M
    Is this ok [y/N]: y
    Downloading Packages:
    [SKIPPED] microsoft-edge-dev-110.0.1556.0-1.x86_64.rpm: Already downloaded
    microsoft-edge-dev  3.1 kB/s | 983 B 00:00
    Importing GPG key 0xBE1229CF:
     Userid     : "Microsoft (Release signing) <gpgsecurity>"
     Fingerprint: BC52 8686 B50D 79E3 39D3 721C EB3E 94AD BE12 29CF
     From       : https://packages.microsoft.com/keys/microsoft.asc
    Is this ok [y/N]: y
    error: Certificate EB3E94ADBE1229CF:
      Policy rejects EB3E94ADBE1229CF: No binding signature at time 2022-12-14T00:02:09Z
    Key import failed (code 2). Failing package is: microsoft-edge-dev-110.0.1556.0-1.x86_64
     GPG Keys are configured as: https://packages.microsoft.com/keys/microsoft.asc
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'dnf clean packages'.
    Error: GPG check FAILED

Oh, another rather high profile case... It's also an issue of the key, not the signature:

    [pmatilai🎩︎localhost tmp]$ sq packet dump microsoft.asc
    Public-Key Packet, old CTB, 269 bytes
        Version: 4
        Creation time: 2015-10-28 23:21:48 UTC
        Pk algo: RSA
        Pk size: 2048 bits
        Fingerprint: BC528686B50D79E339D3721CEB3E94ADBE1229CF
        KeyID: EB3E94ADBE1229CF

    User ID Packet, old CTB, 55 bytes
        Value: Microsoft (Release signing) <gpgsecurity>

    Signature Packet, old CTB, 309 bytes
        Version: 4
        Type: PositiveCertification
        Pk algo: RSA
        Hash algo: SHA1
        ^^^^^^^^^^^^^^^
        Hashed area:
          Signature creation time: 2015-10-28 23:21:48 UTC
          Key flags: CS
          Symmetric algo preferences: AES256, AES192, AES128, CAST5, TripleDES
          Hash preferences: SHA1, SHA256, RipeMD
          Compression preferences: Zlib, Zip
          Features: MDC
          Keyserver preferences: no modify
        Unhashed area:
          Issuer: EB3E94ADBE1229CF
        Digest prefix: 1A9B
        Level: 0 (signature over data)

*** Bug 2154270 has been marked as a duplicate of this bug. ***

*** Bug 2159281 has been marked as a duplicate of this bug. ***

*** Bug 2160044 has been marked as a duplicate of this bug. ***

The Beyond Compare package also affected by this issue.

    ❯ dnf upgrade --refresh --nogpgcheck
    local repo  3.0 MB/s | 3.0 kB 00:00
    Copr repo for openvpn3 owned by dsommers  4.8 kB/s | 3.3 kB 00:00
    Copr repo for gnome-info-collect owned by vstan  5.1 kB/s | 3.3 kB 00:00
    created by dnf config-manager from https://brav  748 B/s | 3.3 kB 00:04
    Fedora rawhide openh264 (From Cisco) - x86_64  2.5 kB/s | 989 B 00:00
    Fedora - Rawhide - Developmental packages for t  29 kB/s | 12 kB 00:00
    Fedora - Rawhide - Debug  30 kB/s | 12 kB 00:00
    Fedora - Modular Rawhide - Developmental packag  22 kB/s | 15 kB 00:00
    Fedora - Modular Rawhide - Debug  19 kB/s | 14 kB 00:00
    google-chrome-unstable  3.9 kB/s | 1.3 kB 00:00
    microsoft-edge-dev  3.9 kB/s | 2.0 kB 00:00
    RPM Fusion for Fedora Rawhide - Free  13 kB/s | 7.4 kB 00:00
    RPM Fusion for Fedora Rawhide - Free - Debug  19 kB/s | 7.5 kB 00:00
    RPM Fusion for Fedora Rawhide - Nonfree  13 kB/s | 7.5 kB 00:00
    RPM Fusion for Fedora Rawhide - Nonfree - Debug  14 kB/s | 7.7 kB 00:00
    Scooter Software  3.9 kB/s | 2.9 kB 00:00
    Sublime Text - x86_64 - Dev  4.5 kB/s | 2.9 kB 00:00
    Dependencies resolved.
    ================================================================================
     Package  Architecture  Version  Repository  Size
    ================================================================================
    Upgrading:
     bcompare  x86_64  4.4.5-27371  scootersoftware  18 M

    Transaction Summary
    ================================================================================
    Upgrade  1 Package

    Total size: 18 M
    Is this ok [y/N]: y
    Downloading Packages:
    [SKIPPED] bcompare-4.4.5.27371.x86_64.rpm: Already downloaded
    Running transaction check
    error: rpmdbNextIterator: skipping h# 2135
    Header V4 DSA/SHA1 Signature, key ID 7f8840ce: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    error: rpmdbNextIterator: skipping h# 2135
    Header V4 DSA/SHA1 Signature, key ID 7f8840ce: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'dnf clean packages'.
    Error: An rpm exception occurred: package not installed

What if gpg key contains two signature packets? One with hash algo SHA256 and another with hash algo SHA1?

    ❯ sq packet dump RPM-GPG-KEY-scootersoftware
    Public-Key Packet, old CTB, 418 bytes
        Version: 4
        Creation time: 2010-03-30 16:12:05 UTC
        Pk algo: DSA
        Pk size: 1024 bits
        Fingerprint: C9467A8216C570CDFBAC3AFD331D6DDE7F8840CE
        KeyID: 331D6DDE7F8840CE

    User ID Packet, old CTB, 46 bytes
        Value: Scooter Software <support>

    Signature Packet, old CTB, 97 bytes
        Version: 4
        Type: PositiveCertification
        Pk algo: DSA
        Hash algo: SHA256
        ^^^^^^^^^^^^^^^^^
        Hashed area:
          Key flags: CS
          Features: MDC
          Keyserver preferences: no modify
          Signature creation time: 2016-08-23 21:59:52 UTC
          Symmetric algo preferences: AES256, AES192, AES128, CAST5
          Hash preferences: SHA512, SHA384, SHA256, SHA224
          Compression preferences: Zlib, BZip2, Zip, Uncompressed
        Unhashed area:
          Issuer: 331D6DDE7F8840CE
        Digest prefix: 9577
        Level: 0 (signature over data)

    Public-Subkey Packet, old CTB, 525 bytes
        Version: 4
        Creation time: 2010-03-30 16:12:14 UTC
        Pk algo: ElGamal
        Pk size: 2048 bits
        Fingerprint: 927FE44F49099955FE39EC655DC979E13CAF4617
        KeyID: 5DC979E13CAF4617

    Signature Packet, old CTB, 73 bytes
        Version: 4
        Type: SubkeyBinding
        Pk algo: DSA
        Hash algo: SHA1
        ^^^^^^^^^^^^^^^
        Hashed area:
          Signature creation time: 2010-03-30 16:12:14 UTC
          Key flags: EtEr
        Unhashed area:
          Issuer: 331D6DDE7F8840CE
        Digest prefix: C821
        Level: 0 (signature over data)
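
Added example, not part of the original report: the comments above read `sq packet dump` output by eye to find a SHA1 self-signature on a key whose package signatures use SHA256. This shell function does the same scan mechanically; `weak_cert_sigs` and `sample_dump` are hypothetical names, and the sample is a constructed excerpt abridged from the Sublime HQ and Scooter Software dumps quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the bug report).
# Reads `sq packet dump` text on stdin and prints one line per signature
# packet hashed with SHA1:
#   <KeyID of the key packet it follows> <signature type> <hash algo>
weak_cert_sigs() {
    awk '
    # Report the signature packet that just ended if it used SHA1.
    function emit() {
        if (kind == "Signature" && hash == "SHA1")
            print keyid, type, hash
        type = ""; hash = ""
    }
    { sub(/^[ \t]+/, "") }        # packet fields are indented in the dump
    / Packet, (old|new) CTB/ { emit(); kind = $1; next }
    kind != "Signature" && $1 == "KeyID:" { keyid = $2 }
    # Keep only the first Type / Hash algo of a packet so that nested
    # signature fields printed further down cannot overwrite them.
    kind == "Signature" && type == "" && $1 == "Type:" { type = $2 }
    kind == "Signature" && hash == "" && $1 == "Hash" && $2 == "algo:" { hash = $3 }
    END { emit() }
    '
}

# Constructed sample: abridged from the two dumps quoted in the thread.
sample_dump() {
    cat <<'EOF'
Public-Key Packet, old CTB, 525 bytes
    Version: 4
    Pk algo: RSA
    Pk size: 4096 bits
    KeyID: CA464A9A222D23D0

Signature Packet, old CTB, 564 bytes
    Version: 4
    Type: PositiveCertification
    Pk algo: RSA
    Hash algo: SHA1
    Hashed area:
      Hash preferences: SHA512, SHA384, SHA256

Public-Key Packet, old CTB, 418 bytes
    Version: 4
    Pk algo: DSA
    Pk size: 1024 bits
    KeyID: 331D6DDE7F8840CE

Signature Packet, old CTB, 97 bytes
    Version: 4
    Type: PositiveCertification
    Pk algo: DSA
    Hash algo: SHA256

Public-Subkey Packet, old CTB, 525 bytes
    Version: 4
    Pk algo: ElGamal
    KeyID: 5DC979E13CAF4617

Signature Packet, old CTB, 73 bytes
    Version: 4
    Type: SubkeyBinding
    Pk algo: DSA
    Hash algo: SHA1
EOF
}

sample_dump | weak_cert_sigs
```

Against a real key file the call is `sq packet dump KEYFILE | weak_cert_sigs`. The function only reports what the packets contain; it does not evaluate the system crypto policy.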