Bug 2242115

Summary: Binary PGP keys cannot be imported since librepo v1.16.0
Product: [Fedora] Fedora Reporter: Daan De Meyer <daan.j.demeyer>
Component: librepoAssignee: Jaroslav Rohel <jrohel>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 39CC: awilliam, daniel.mach, jkolarik, jmracek, jrohel, mblaha, pkratoch, robatino, rpm-software-management, tmlcoch
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: RejectedBlocker AcceptedFreezeException
Fixed In Version: librepo-1.17.0-1.fc39 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-10-22 08:24:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2143447    

Description Daan De Meyer 2023-10-04 12:22:42 UTC 
Since librepo v1.16.0, binary GPG keys cannot be imported anymore with librepo. This fails in librepo with the following error: "Failed to import pgp keys into temporary keyring: Public key not found". The keyring hosted at "https://fedoraproject.org/fedora.gpg" consists of binary keys which cannot be imported anymore by librepo (and thus dnf) on Fedora 39.

Reproducible: Always

Steps to Reproduce:
1. Use gpgkey=https://fedoraproject.org/fedora.gpg as the keyring in any Fedora repo file on Fedora 39
Actual Results:  
```
[7/7] Total                                                                                                                                                                                         100% |   0.0   B/s |   0.0   B |  00m00s
[1/8] https://fedoraproject.org/fedora.gpg                                                                                                                                                          100% |  66.8 KiB/s |  11.4 KiB |  00m00s
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[8/8] Total                                                                                                                                                                                         100% |   0.0   B/s |   0.0   B |  00m00s
Failed to import pgp keys into temporary keyring: Public key not found
‣ "/usr/bin/dnf5 --assumeyes --config=/home/daandemeyer/projects/mkosi/.mkosi-tmpal_fz7as/pkgmngr/etc/dnf/dnf.conf --best --releasever=38 --installroot=/home/daandemeyer/projects/mkosi/.mkosi-tmpal_fz7as/root --setopt=keepcache=1 '--setopt=cachedir=/home/daandemeyer/projects/mkosi/mkosi.cache/fedora~38' --setopt=reposdir=/home/daandemeyer/projects/mkosi/.mkosi-tmpal_fz7as/pkgmngr/etc/yum.repos.d --setopt=varsdir=/home/daandemeyer/projects/mkosi/.mkosi-tmpal_fz7as/pkgmngr/etc/dnf/vars --setopt=persistdir=/home/daandemeyer/projects/mkosi/.mkosi-tmpal_fz7as/pkgmngr/var/lib/dnf --setopt=check_config_file_age=0 '--disableplugin=*' --enableplugin=builddep --no-docs install filesystem" returned non-zero exit code 1.
```

Expected Results:  
Importing GPG key from fedora.gpg succeeds

Upstream bug report: https://github.com/rpm-software-management/librepo/issues/284
Comment 1 Fedora Blocker Bugs Application 2023-10-04 12:25:29 UTC 
Proposed as a Blocker for 39-final by Fedora user daandemeyer using the blocker tracking app because:

 Any application using binary GPG keys in dnf repo files will be broken on Fedora 39 as librepo will refuse to import these binary GPG keys. This seems serious enough to consider it as a release blocker.
Comment 2 Adam Williamson 2023-10-04 16:09:43 UTC 
I don't think the blocker proposal is clear enough. Does this violate any of the release criteria? What applications are there that actually *do* use binary GPG keys in dnf repo files?
Comment 3 Daan De Meyer 2023-10-04 20:06:29 UTC 
> What applications are there that actually *do* use binary GPG keys in dnf repo files?

Well any third party repo could theoretically be using these. For a more concrete example, in the mkosi image builder we use the keys from https://fedoraproject.org/fedora.gpg in our repo files and those are binary GPG keys, which is how I noticed this in the first place. As it is, trying to use mkosi to build Fedora images on F39 will fail because of this issue as dnf isn't able to import the keys from https://fedoraproject.org/fedora.gpg into the keyring.
Comment 4 Jaroslav Rohel 2023-10-05 09:17:27 UTC 
Fixed in PR https://github.com/rpm-software-management/librepo/pull/286
Comment 5 Adam Williamson 2023-10-09 15:31:07 UTC 
Per voting in https://pagure.io/fedora-qa/blocker-review/issue/1375 , marking rejected blocker, accepted FE. If somebody can come up with a clear criteria violation or other blocker justification here, we can revote.
Comment 6 Fedora Update System 2023-10-19 17:08:44 UTC 
FEDORA-2023-feae73ef8b has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-feae73ef8b
Comment 7 Fedora Update System 2023-10-22 08:24:39 UTC 
FEDORA-2023-feae73ef8b has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.