Bug 1793298

Summary: dnf-automatic upgrades packages that do not have the signing key accepted
Product: Red Hat Enterprise Linux 8
Reporter: GV <rhel>
Component: dnf
Assignee: Marek Blaha <mblaha>
Status: CLOSED ERRATA
QA Contact: Luca Berton <lberton>
Severity: high
Docs Contact: Mariya Pershina <mpershin>
Priority: high
Version: 8.1
CC: james.antill, lberton, mblaha, mpershin, nsella, pkratoch
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Fixed In Version: dnf-4.2.23-1.el8
Doc Type: Bug Fix
Doc Text:
.`dnf-automatic` now updates only packages with correct GPG signatures

Previously, the `dnf-automatic` configuration file did not check GPG signatures of downloaded packages before performing an update. As a consequence, unsigned updates or updates signed by a key that was not imported could be installed by `dnf-automatic` even though the repository configuration requires a GPG signature check (`gpgcheck=1`). With this update, the problem has been fixed, and `dnf-automatic` checks GPG signatures of downloaded packages before performing the update. As a result, only updates with correct GPG signatures are installed from repositories that require a GPG signature check.
Last Closed: 2020-11-04 01:52:25 UTC
Type: Bug
Attachments:
Description Flags
dnf-automatic configuration file none

Description GV 2020-01-21 06:10:41 UTC
Created attachment 1654123
dnf-automatic configuration file

$ rpm -q -p dummy-1.0.0-1.c8.x86_64.rpm 
warning: dummy-1.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
dummy-1.0.0-1.c8.x86_64

$ rpm -q -p dummy-2.0.0-1.c8.x86_64.rpm 
warning: dummy-2.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
dummy-2.0.0-1.c8.x86_64

# rpm -ivh dummy-1.0.0-1.c8.x86_64.rpm 
warning: dummy-1.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:dummy-1.0.0-1.c8                 ################################# [100%]

# yum update
...
Dependencies resolved.
================================================================================
 Package         Architecture     Version                 Repository       Size
================================================================================
Upgrading:
 dummy           x86_64           2.0.0-1.c8              local           9.9 k

Transaction Summary
================================================================================
Upgrade  1 Package

Total size: 9.9 k
Is this ok [y/N]: y
Downloading Packages:
warning: /home/dummy/work/rpm/RPMS/x86_64/dummy-2.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
Public key for dummy-2.0.0-1.c8.x86_64.rpm is not installed
Error: GPG check FAILED

# systemctl status dnf-automatic
● dnf-automatic.service - dnf automatic
   Loaded: loaded (/usr/lib/systemd/system/dnf-automatic.service; static; vendor preset: disabled)
   Active: inactive (dead)

# systemctl start dnf-automatic
Job for dnf-automatic.service failed because the control process exited with error code.
See "systemctl status dnf-automatic.service" and "journalctl -xe" for details.

Relevant /var/log/messages entries:

Jan 21 08:04:01 c8 systemd[1]: Starting dnf automatic...
Jan 21 08:04:01 c8 dnf-automatic[987]: Running transaction check
Jan 21 08:04:02 c8 dnf-automatic[987]: Transaction check succeeded.
Jan 21 08:04:02 c8 dnf-automatic[987]: Running transaction test
Jan 21 08:04:02 c8 dnf-automatic[987]: Transaction test succeeded.
Jan 21 08:04:02 c8 dnf-automatic[987]: Running transaction
Jan 21 08:04:06 c8 dnf-automatic[987]: Traceback (most recent call last):
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/bin/dnf-automatic", line 32, in <module>
Jan 21 08:04:06 c8 dnf-automatic[987]:    sys.exit(dnf.automatic.main.main(sys.argv[1:]))
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib/python3.6/site-packages/dnf/automatic/main.py", line 264, in main
Jan 21 08:04:06 c8 dnf-automatic[987]:    emitters.commit()
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib/python3.6/site-packages/dnf/util.py", line 493, in fn
Jan 21 08:04:06 c8 dnf-automatic[987]:    return list(map(call_what, self))
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib/python3.6/site-packages/dnf/util.py", line 492, in call_what
Jan 21 08:04:06 c8 dnf-automatic[987]:    return method(*args, **kwargs)
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib/python3.6/site-packages/dnf/automatic/emitter.py", line 103, in commit
Jan 21 08:04:06 c8 dnf-automatic[987]:    smtp = smtplib.SMTP(self._conf.email_host, timeout=300)
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib64/python3.6/smtplib.py", line 251, in __init__
Jan 21 08:04:06 c8 dnf-automatic[987]:    (code, msg) = self.connect(host, port)
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib64/python3.6/smtplib.py", line 336, in connect
Jan 21 08:04:06 c8 dnf-automatic[987]:    self.sock = self._get_socket(host, port, self.timeout)
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib64/python3.6/smtplib.py", line 307, in _get_socket
Jan 21 08:04:06 c8 dnf-automatic[987]:    self.source_address)
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib64/python3.6/socket.py", line 724, in create_connection
Jan 21 08:04:06 c8 dnf-automatic[987]:    raise err
Jan 21 08:04:06 c8 dnf-automatic[987]:  File "/usr/lib64/python3.6/socket.py", line 713, in create_connection
Jan 21 08:04:06 c8 dnf-automatic[987]:    sock.connect(sa)
Jan 21 08:04:06 c8 dnf-automatic[987]: OSError: [Errno 113] No route to host
Jan 21 08:04:06 c8 systemd[1]: dnf-automatic.service: Main process exited, code=exited, status=1/FAILURE
Jan 21 08:04:06 c8 systemd[1]: dnf-automatic.service: Failed with result 'exit-code'.
Jan 21 08:04:06 c8 systemd[1]: Failed to start dnf automatic.

# systemctl start dnf-automatic

Relevant /var/log/messages entries:

Jan 21 08:04:09 c8 systemd[1]: Starting dnf automatic...
Jan 21 08:04:09 c8 systemd[1]: Started dnf automatic.

# rpm -q dummy
dummy-2.0.0-1.c8.x86_64

# yum history undo last
Undoing transaction 65, from Tue 21 Jan 2020 08:04:02 AM EET
    Upgrade  dummy-2.0.0-1.c8.x86_64 @local
    Upgraded dummy-1.0.0-1.c8.x86_64 @@System
Dependencies resolved.
================================================================================
 Package         Architecture     Version                 Repository       Size
================================================================================
Downgrading:
 dummy           x86_64           1.0.0-1.c8              local           9.9 k

Transaction Summary
================================================================================
Downgrade  1 Package

Total size: 9.9 k
Is this ok [y/N]: y
Downloading Packages:
warning: /home/dummy/work/rpm/RPMS/x86_64/dummy-1.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
Public key for dummy-1.0.0-1.c8.x86_64.rpm is not installed
Error: GPG check FAILED

Comment 1 Marek Blaha 2020-01-28 08:51:42 UTC
dnf-automatic is not checking GPG keys of the packages before performing installation. PR https://github.com/rpm-software-management/dnf/pull/1580 addresses it.

Comment 16 errata-xmlrpc 2020-11-04 01:52:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (yum bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4510
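
Added example, not part of the bug report and not dnf's own code: a post-hoc audit for hosts that ran dnf-automatic with a dnf older than the fixed version, listing installed packages that are unsigned or signed by a key that is not in the rpm keyring. The query layouts, function names and sample data are assumptions of this example; only the key ID 8725a212 and the dummy package name come from the reporter's output.

```python
import re
import subprocess

# rpm query formats chosen for this example (the tags themselves are standard rpm tags).
PKG_QF = "%{NEVRA}\t%{RSAHEADER:pgpsig}\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n"
KEY_QF = "%{VERSION}\n"  # a gpg-pubkey entry's "version" is the short key ID
KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})")

# Constructed sample data; only key ID 8725a212 and the dummy NEVRA come from the report.
SAMPLE_KEYS = "aaaa1111\n"
SAMPLE_PKGS = (
    "gpg-pubkey-aaaa1111-5e000000\t(none)\t(none)\t(none)\n"
    "bash-4.4.19-10.el8.x86_64\tRSA/SHA256, Tue 02 Jul 2019 12:00:00 PM UTC, "
    "Key ID 00000000aaaa1111\t(none)\t(none)\n"
    "dummy-2.0.0-1.c8.x86_64\tRSA/SHA256, Tue 21 Jan 2020 08:00:00 AM UTC, "
    "Key ID 000000008725a212\t(none)\t(none)\n"
    "localtool-0.1-1.x86_64\t(none)\t(none)\t(none)\n"
)

def imported_key_ids(keyring_text):
    """Short key IDs present in the rpm keyring; skips 'not installed' messages."""
    lines = (l.strip().lower() for l in keyring_text.splitlines())
    return {l for l in lines if re.fullmatch(r"[0-9a-f]{8}", l)}

def audit(pkg_text, keyring_text):
    """Return (nevra, reason, key_id) for packages the keyring cannot vouch for."""
    trusted = imported_key_ids(keyring_text)
    findings = []
    for line in pkg_text.splitlines():
        nevra, _, sigs = line.partition("\t")
        if not nevra or nevra.startswith("gpg-pubkey-"):
            continue  # blank line or the keyring's own pseudo-packages
        ids = sorted({k.lower()[-8:] for k in KEYID_RE.findall(sigs)})
        if not ids:
            findings.append((nevra, "unsigned", None))
        elif not trusted.intersection(ids):
            findings.append((nevra, "nokey", ids[0]))
    return findings

def rpm_query(args):
    # stdout=PIPE / universal_newlines keeps this working on Python 3.6 (RHEL 8)
    return subprocess.run(["rpm"] + args, stdout=subprocess.PIPE,
                          universal_newlines=True).stdout

if __name__ == "__main__":
    live = audit(rpm_query(["-qa", "--qf", PKG_QF]),
                 rpm_query(["-q", "gpg-pubkey", "--qf", KEY_QF]))
    for nevra, reason, key_id in live:
        print(f"{reason:8} {key_id or '-':8} {nevra}")
```

A finding is a lead rather than proof of a bad install: packages installed by hand with `rpm -ivh`, as in the report, show up too, so cross-check each one against `yum history`.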