Bug 2365060
| Summary: | gpg: WARNING: No valid encryption subkey left over. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Joachim Backes <joachim.backes> |
| Component: | dnf5 | Assignee: | Petr Pisar <ppisar> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 42 | CC: | jonathan, nsella, pkratoch, ppisar, rpm-software-management |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | dnf5-5.2.14.0-1.fc43 dnf5-5.2.15.0-2.fc42 dnf5-5.2.15.0-2.fc41 | Doc Type: | --- |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2025-07-31 00:53:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Joachim Backes
2025-05-08 08:21:23 UTC
dnf check: No output!

The warning comes from the GnuPG tool when checking an expiration time of installed keys by the expired-pgp-keys libdnf5 plugin. The warning could be suppressed with the <https://github.com/rpm-software-management/dnf5/commit/c910b09be803c2be95f4d5428285093d576bca9a> fix, which is already in upstream but not yet in Fedora 42. To verify it I would need you to show me the public key you have in the RPM database which triggers this warning.

I believe your system is secure despite the warning. I'm not sure whether the warning indeed only complains about missing a valid key for encryption (that's not a problem), or whether it mistakenly also pertains to a missing valid key for verifying a signature (that should be a reason for removing the primary key from the system). To check it, I would again need to see the key. Is the warning followed by a DNF5 question for removing a key?

To resolve the warning for good you would need to uninstall the key. To identify the key, you would have to import keys from the RPM database one by one to a GnuPG keyring and observe the warnings. A command like this could do it:

`for KEY in $(rpm -q gpg-pubkey); do echo "$KEY"; rpm -qi "$KEY" | gpg --import ; done`

Then paste an output for a key which triggered it here (an example: rpm -qi gpg-pubkey-e99d6ad1-64d2612c).

I was able to reproduce it. The warning is triggered with a main key whose subkey is for encryption only and which has expired. That means the warning correctly only pertains to encryption keys. I also verified that developmental DNF5 code does not print the warning anymore.

FEDORA-2025-a5e5885906 (dnf5-5.2.15.0-1.fc42 and librepo-1.20.0-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-a5e5885906

FEDORA-2025-fb095dd283 (dnf5-5.2.15.0-1.fc41 and librepo-1.20.0-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-fb095dd283

FEDORA-2025-a5e5885906 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-a5e5885906` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-a5e5885906 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2025-fb095dd283 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-fb095dd283` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-fb095dd283 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2025-9ae670b810 (dnf5-5.2.15.0-2.fc42 and librepo-1.20.0-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-9ae670b810

FEDORA-2025-fdcda3af30 (dnf5-5.2.15.0-2.fc41 and librepo-1.20.0-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-fdcda3af30

FEDORA-2025-9ae670b810 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-9ae670b810` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-9ae670b810 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2025-fdcda3af30 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-fdcda3af30` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-fdcda3af30 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2025-9ae670b810 (dnf5-5.2.15.0-2.fc42 and librepo-1.20.0-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-2025-fdcda3af30 (dnf5-5.2.15.0-2.fc41 and librepo-1.20.0-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
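
The distinction drawn in the comments above (an expired encryption-only subkey versus a key that can no longer verify signatures) can be checked mechanically from GnuPG's colon-delimited listing. The following is an added example, not part of the bug report or of DNF5; the function names, verdict strings and sample records are constructed for illustration, and the live helper assumes `rpm` and a GnuPG that supports `--show-keys`.

```shell
#!/bin/sh
# Added example, not DNF5 code. classify_key reads `gpg --with-colons` records on
# stdin; $1 is the current time (epoch seconds). Verdict names are this example's own:
#   signing-unusable        no live signing-capable key (affects package verification)
#   encryption-only-expired only encryption subkeys are dead (the case in this bug)
#   ok / no-key
classify_key() {
    awk -F: -v now="$1" '
        # Field 2: validity (e expired, r revoked, i invalid); 7: expiry; 12: capabilities.
        function dead(validity, expires) {
            return validity ~ /^[eri]$/ || (expires != "" && expires + 0 <= now + 0)
        }
        $1 == "pub" || $1 == "sub" {
            seen = 1; d = dead($2, $7)
            if ($1 == "pub" && d) primary_dead = 1
            if ($12 ~ /s/ && !d) sign_ok = 1
            if ($12 ~ /e/ && d) enc_dead = 1
            if ($12 ~ /e/ && !d) enc_ok = 1
        }
        END {
            if (!seen) print "no-key"
            else if (primary_dead || !sign_ok) print "signing-unusable"
            else if (enc_dead && !enc_ok) print "encryption-only-expired"
            else print "ok"
        }'
}
# Constructed sample (not a real key): live signing primary, expired encryption subkey.
sample_expired_encryption_subkey() {
cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000:::-:::scSC::::::23::0:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1600000000:1650000000:::::e::::::23:
EOF
}
# Constructed sample (not a real key): the primary signing key itself has expired.
sample_expired_primary() {
cat <<'EOF'
pub:e:4096:1:CCCCCCCCCCCCCCCC:1500000000:1600000000::-:::sc::::::23::0:
EOF
}
# Live use: --show-keys parses each key without importing it into a keyring.
scan_rpmdb_keys() {
    for KEY in $(rpm -q gpg-pubkey); do
        printf '%s %s\n' "$KEY" "$(rpm -qi "$KEY" | gpg --with-colons --show-keys 2>/dev/null | classify_key "$(date +%s)")"
    done
}
echo "expired encryption subkey: $(sample_expired_encryption_subkey | classify_key 1750000000)"
echo "expired primary:           $(sample_expired_primary | classify_key 1750000000)"
```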