Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 2170839

Summary: workstation repos contain Google Chrome repo, but Chrome can't be installed
Product: [Fedora] Fedora Reporter: Kamil Páral <kparal>
Component: fedora-workstation-repositoriesAssignee: Matthias Clasen <mclasen>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 38CC: aalmeleh.whatever.0101, cra, gnome-sig, lruzicka, mattdm, mcatanza, mclasen, robatino, sbarcomb, scott.beamer, tpopela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: https://discussion.fedoraproject.org/t/78878
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-07 20:46:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2083912    
Attachments:
Description Flags
installing Chrome in Gnome software none

Description Kamil Páral 2023-02-17 11:16:39 UTC
Description of problem:
fedora-workstation-repositories contains /etc/yum.repos.d/google-chrome.repo, but Google Chrome can't be installed in Fedora 38. This is caused by security policies enforcement in RPM, which is described in more detail here:
https://ask.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/31594

Please see the included screenshot to see what happens when a user tries to install Google Chrome in F38 Workstation.

The google repo should probably removed from fedora-workstation-repositories, because it's non-functional.

I'm also suggesting this for a blocker discussion. We don't have a direct criterion saying we can't ship broken repositories, but we have some related criteria, so it's worth a discussion.


Version-Release number of selected component (if applicable):
fedora-workstation-repositories-38-2.fc38.x86_64

How reproducible:
always

Steps to Reproduce:
1. install F38 Workstation
2. enable third-party repositories in initial setup, or enable Google repo in Gnome Software
3. try to install Chrome in Gnome Software

Comment 1 Kamil Páral 2023-02-17 11:33:31 UTC
Created attachment 1944744 [details]
installing Chrome in Gnome software

An error message presented by Gnome Software at the front, a PackageKit error message in the background.

Comment 2 Tomas Popela 2023-02-20 07:15:13 UTC
This is tracked upstream as https://bugs.chromium.org/p/chromium/issues/detail?id=1383526

Comment 3 Kamil Páral 2023-02-20 14:01:33 UTC
Note that there is also bug 2170878 which is more phrased as "too many third-party apps are broken, and they can block system updates", while this one is "we're shipping a non-functional repo". Both are of course tightly connected.

Comment 4 Ahmed Almeleh 2023-02-20 19:43:40 UTC
Can Chromium be installed as an alternative or still not?

Comment 5 Lukas Ruzicka 2023-02-27 19:36:31 UTC
(In reply to Ahmed Almeleh from comment #4)
> Can Chromium be installed as an alternative or still not?

Chromium can be installed. I solved my situation doing exactly this.

Comment 6 Scott Beamer 2023-03-02 16:57:15 UTC
I just thought I'd add that this GPG issue doesn't affect just Chrome, it also affects Microsoft Edge (my default browser).  It does not, however, affect Brave, Vivaldi, and Opera (which are also Chromium-based).

$ sudo rpm --import https://repo.vivaldi.com/stable/linux_signing_key.pub
$ sudo rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
$ sudo rpm --import https://rpm.opera.com/rpmrepo.key

$ sudo rpm --import https://dl.google.com/linux/linux_signing_key.pub
error: Certificate A040830F7FAC5991:
  Policy rejects A040830F7FAC5991: No binding signature at time 2023-03-02T16:31:48Z
error: https://dl.google.com/linux/linux_signing_key.pub: key 1 import failed.
error: Certificate 7721F63BD38B4796:
  Policy rejects 7721F63BD38B4796: No binding signature at time 2023-03-02T16:31:48Z
error: https://dl.google.com/linux/linux_signing_key.pub: key 2 import failed.

$ sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
error: Certificate EB3E94ADBE1229CF:
  Policy rejects EB3E94ADBE1229CF: No binding signature at time 2023-03-02T16:32:19Z
error: https://packages.microsoft.com/keys/microsoft.asc: key 1 import failed.

Comment 7 Kamil Páral 2023-03-03 08:03:19 UTC
Scott, that's a separate problem tracked in bug 2170878 and also described in the Fedora Ask link above. Yes, we know ;-)

Comment 8 Matthew Miller 2023-03-04 12:31:56 UTC
I apologize for the over-zealous bot. Should be fixed now.

Comment 9 Michael Catanzaro 2023-03-07 20:46:16 UTC
We decline to make any changes in fedora-workstation-repositories.

I'm going to mark this as a duplicate of bug #2170878.

*** This bug has been marked as a duplicate of bug 2170878 ***

Comment 10 Kamil Páral 2023-03-08 16:18:47 UTC
Well, now that the underlying issue has been resolved in bug 2170839 , this whole ticket basically becomes obsolete.