Bug 443445

Summary: Cannot install packages from repositories from which RPM-GPG-KEYs have not been installed.
Product: [Fedora] Fedora
Reporter: Patrick Klingemann <patrick.klingemann>
Component: PackageKit
Assignee: Robin Norwood <robin.norwood>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: urgent
Version: rawhide
CC: diego.ml, kontakt, mail, mishu, nehm, projectu, redhat-bugzilla, richard, sleepylight, tla, wwoods
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
URL: https://bugs.freedesktop.org/show_bug.cgi?id=15631
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2008-05-01 06:28:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Blocks: 235706, 441857

Description Patrick Klingemann 2008-04-21 12:14:59 EDT
There does not appear to be a mechanism in PackageKit to import RPM-GPG-KEYs
for new repositories.  Thus it is not possible to install packages from newly
linked repositories.

Steps to reproduce:
1.  Add a new valid yum repository (software source).
2.  Open PackageKit.
3.  Select a package from the newly added repository.
4.  Click the install button.
5.  The installation hangs with "Checking Signatures" displayed in the
statusbar.

Actual Results:
Installation hangs with "Checking Signatures" displayed in the statusbar.

Expected Results:
User is prompted to import the new repository's RPM-GPG-KEY and the package
installs successfully.

Build Date/Platform:
PackageKit 0.1.12
Fedora 9 (rawhide) i686

Workaround:
1.  Add a new valid yum repository.
2.  Open a terminal.
3.  su root
4.  yum install package-name-from-new-repository
5.  You are then prompted to import the new RPM-GPG-KEY for the new repository.
6.  When the package finishes installing you should be able to install packages
from the new repository via PackageKit.
Comment 1 Robin Norwood 2008-04-25 12:47:39 EDT
This may be related to bug #443972
Comment 2 Robin Norwood 2008-04-25 12:48:52 EDT
Patrick, if you get a chance, could you test this again with:

http://koji.fedoraproject.org/koji/taskinfo?taskID=583037

?
Comment 3 Patrick Klingemann 2008-04-25 14:25:22 EDT
Robin, I'm happy to test it, is there a repository I can enable to get those
packages or should I install them manually?
Comment 4 Patrick Klingemann 2008-04-25 15:32:40 EDT
Robin, I installed the following packages via rpm -Uvh:

PackageKit-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-cron-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-debuginfo-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-devel-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-libs-0.1.12-7.20080425.fc9.i386.rpm
yum-packagekit-0.1.12-7.20080425.fc9.i386.rpm

I removed each rpm-gpg-key via rpm -e gpg-pubkey-xxxxxxx

I then restarted my machine.

Opened PackageKit via System->Administration->Add/Remove Software

Searched for wireshark, selected gnome-wireshark, and clicked install.  After a
minute or so a dialog box popped up with the following:

A security trust relationship is not present
GPG key xxxxxxxxx is required

I'm not sure if that was the desirable result, please advise.
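The `gpg-pubkey-xxxxxxx` packages removed in the comment above are how rpm records an imported repository key: after `rpm --import` of an RPM-GPG-KEY file, the key appears in the rpm database as `gpg-pubkey-<keyid>-<time>`, and `rpm -q gpg-pubkey` lists what has been imported so far. The script below is an added example, not code from the bug thread, PackageKit or rpm; it parses an ASCII-armored OpenPGP public key (the format of RPM-GPG-KEY-* files), verifies the armor checksum, computes the RFC 4880 v4 fingerprint, and derives the rpm package name from it. The key it parses is constructed in the block (not a real Fedora or Livna key), and the naming scheme (low 32 bits of the fingerprint, then the key creation time, both in hex) is the scheme this example assumes rpm uses; `missing_keys` then answers the question the bug is about: which enabled repositories still need their key imported before a signed package from them can install.

```python
# Added example: derive rpm's gpg-pubkey-<keyid>-<ctime> name from an RPM-GPG-KEY file.
import base64
import hashlib
import struct

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 6.1) behind the '=XXXX' armor checksum line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packets: bytes) -> str:
    """Wrap raw packets in the ASCII armor that RPM-GPG-KEY-* files use."""
    b64 = base64.b64encode(packets).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed example\n\n"
            f"{body}\n={check}\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(text: str) -> bytes:
    """Decode an armored block; a bad CRC-24 means a corrupted or tampered key file."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK"):
        raise ValueError("not an armored public key block")
    data, check, in_body = [], None, False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not in_body:
            in_body = line.strip() == ""        # blank line ends the armor headers
        elif line.startswith("="):
            check = line[1:5]                   # checksum line
        else:
            data.append(line.strip())
    packets = base64.b64decode("".join(data))
    if check is not None and base64.b64decode(check) != crc24(packets).to_bytes(3, "big"):
        raise ValueError("armor checksum mismatch")
    return packets

def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet, old or new header format."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:                                   # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length, and the body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()

def rpm_pubkey_name(armored: str) -> str:
    """Assumed rpm scheme: low 32 bits of the fingerprint, then key creation time, hex."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:                                     # public-key packet
            created = struct.unpack(">I", body[1:5])[0]
            return f"gpg-pubkey-{v4_fingerprint(body)[-8:]}-{created:08x}"
    raise ValueError("no public-key packet found")

def missing_keys(repo_keys: dict, installed: list) -> list:
    """Repos whose key is absent from the names 'rpm -q gpg-pubkey' would print."""
    return sorted(r for r, txt in repo_keys.items() if rpm_pubkey_name(txt) not in installed)

def rejects_corruption(armored: str) -> bool:
    """Negative check: an off-by-one checksum line must make dearmor() raise."""
    bad = ((crc24(dearmor(armored)) + 1) & 0xFFFFFF).to_bytes(3, "big")
    bad_line = "=" + base64.b64encode(bad).decode("ascii")
    broken = "\n".join(bad_line if l.startswith("=") else l for l in armored.splitlines())
    try:
        dearmor(broken)
    except ValueError:
        return True
    return False

# Constructed key material (not a real Fedora or Livna key): a v4 RSA public-key packet.
def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def build_rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(n) + _mpi(e)
    return bytes([0x99]) + struct.pack(">H", len(body)) + body   # old-format tag 6, 2-byte length

CREATED = 0x480C6F1D   # constructed creation timestamp
SAMPLE_KEY = armor(build_rsa_public_key_packet((1 << 2047) | 0x10001, 65537, CREATED))
```

Running `rpm_pubkey_name(SAMPLE_KEY)` gives the name rpm would assign the constructed key, and `missing_keys({"livna": SAMPLE_KEY}, names_from_rpm_q)` lists the repositories whose key is not yet trusted; the checksum verification in `dearmor` is the part worth keeping in any tooling that ingests key files fetched over the network, since a truncated or altered file should fail loudly rather than import a wrong key.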
Comment 5 Will Woods 2008-04-25 15:49:47 EDT
New systems need to import GPG key(s) to install updates. So if PackageKit can't
import GPG keys, we can't push updates to new systems.

I'm not sure we can release with this unfixed.
Comment 6 Patrick Klingemann 2008-04-25 16:00:21 EDT
If I remember correctly the GPG keys for the Fedora repositories are installed
with Fedora 9, thus updates from the Fedora repositories would install without
issue.  Can anyone confirm this?  I noticed this bug after installing the Livna
repository rpm and attempting to install a package from the livna repository.
Comment 7 Will Woods 2008-04-25 16:06:26 EDT
Rawhide packages aren't signed, so this never came up before. 

The gpg keys are shipped with Fedora but - unless I'm mistaken - they are not
normally imported until your first update.
Comment 8 Will Woods 2008-04-25 17:43:55 EDT
Yeah, confirmed. GPG keys aren't imported during install. Thus updates are not
installable until you run yum or import the keys by hand.

I did this:

1) Fresh install of rawhide (works fine; anaconda doesn't check sigs)
2) Install new (unsigned) PackageKit RPMs from koji
3) Roll back to an unsigned package (e.g. ntfsprogs-2.0.0-6)
4) Attempt to install updates
5) Get error message and no updates installed.
Comment 9 Patrick Klingemann 2008-04-25 18:16:44 EDT
I found an interesting discussion on Richard Hughes' (PackageKit maintainer)
blog about this issue.  I do not see a resolution to it though.  I've CC'ed
Richard on this bug, maybe he can shed some light.

http://hughsient.livejournal.com/40208.html
Comment 10 Patrick Klingemann 2008-04-25 18:31:26 EDT
My apologies, I just finished reading through the comments on the bug that Robin
referenced above: https://bugzilla.redhat.com/show_bug.cgi?id=443972  and the
two bugs definitely have the same root cause.  How do y'all go about merging
bugs so there is no duplication of effort?
Comment 11 Will Woods 2008-04-25 18:52:24 EDT
Patrick: normally we'd close one bug as a duplicate of the other, but in this
case they're not exactly duplicates. 

Bug #443972 concerns the PackageKit UI freezing / daemon crashing if it
encounters signed packages. That bug is, technically, fixed, since it doesn't
hang or crash anymore.

This bug is about PK being unable to install signed packages until you import
the keys yourself. Which is still an open problem.
Comment 12 Basil Mohamed Gohar 2008-04-25 21:19:35 EDT
This same issue occurred when, after installing Fedora 9 Preview x86_64, a new
fedora-release package was installed via an update, which, I guess, required new
keys.  All I noticed was PackageKit would stop progress for a while.  I only
discovered this after running yum manually.

I did notice this when working with Livna as well, but it's the same problem,
obviously.
Comment 13 Richard Hughes 2008-04-26 04:54:13 EDT
Yes, with 0.2.0 we can do the GPG auth dance. I still want to integrate with
seahorse to make the GPG check suck less, as users shouldn't have to understand
all this stuff.
Comment 14 Will Woods 2008-04-26 10:41:01 EDT
Sounds like a good plan, but when is 0.2.0 due for release? We're supposed to be composing the first 
Release Candidates for F9 at the end of next week (May 1 or so). 

Nobody who installs F9 will be able to install any updates until we address (or work around) this.
Comment 15 Robin Norwood 2008-04-29 17:08:06 EDT
*** Bug 440156 has been marked as a duplicate of this bug. ***
Comment 16 Robin Norwood 2008-04-29 17:11:26 EDT
*** Bug 444604 has been marked as a duplicate of this bug. ***
Comment 17 Richard Hughes 2008-04-30 04:39:18 EDT
*** Bug 444691 has been marked as a duplicate of this bug. ***
Comment 18 Will Woods 2008-04-30 11:42:55 EDT
http://koji.fedoraproject.org/koji/taskinfo?taskID=589979 and
http://koji.fedoraproject.org/koji/taskinfo?taskID=589973

are new builds of PackageKit / gnome-packagekit which may fix this.
Comment 19 Richard Hughes 2008-04-30 12:59:15 EDT
The UI's not pretty, but seems to do the job.
Comment 20 Patrick Klingemann 2008-04-30 14:15:32 EDT
I agree with Richard's comments above.  The result of the new builds is the
following:

1.  System -> Administration -> Add/Remove Software
2.  Select a package to install, click the Install button.
3.  A dialog opens: "Do you want to import key ******* from ******* for *****"
Yes/No, click Yes
4.  Another dialog opens: "Key will be imported, please try transaction again.
This UI will be replaced in future versions of PackageKit - please don't file
bugs as an update is being worked on...", click OK.
5.  A dialog opens to authenticate as root.
6.  After authenticating as root, you must go through the package install
process again, which completes successfully without needing to import the key.
Comment 21 Robin Norwood 2008-04-30 14:33:26 EDT
Works for me here, too.  Thanks a bunch, hughsie.
Comment 22 Will Woods 2008-04-30 15:43:58 EDT
Yeah, same results here. It's a start.

The problem with this implementation is this: a month after F9 release, we'll
have 100 updates. Installing those updates will require importing 3 keys -
fedora, fedora-security, and fedora-updates. 

Even if that transaction *contains* a fixed PackageKit, the user will still have
to go through the transaction-test/error message/restart transaction 3 times. Ugh.
Comment 23 Richard Hughes 2008-05-01 06:28:36 EDT
Okay, closing. What we need to do long term is just import all the keys in
/etc/pki/fedora* at anaconda time. I don't know another distro that doesn't
trust its own updates...
Comment 24 Colin Walters 2008-05-02 13:54:56 EDT
Last time this came up I think we discussed doing the key import in the %post of
fedora-release.