Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Cannot install packages from repositories from which RPM-GPG-KEYs have not been installed.|
|Product:||[Fedora] Fedora||Reporter:||Patrick Klingemann <patrick.klingemann>|
|Component:||PackageKit||Assignee:||Robin Norwood <robin.norwood>|
|Status:||CLOSED RAWHIDE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||diego.ml, kontakt, mail, mishu, nehm, projectu, redhat-bugzilla, richard, sleepylight, tla, wwoods|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2008-05-01 06:28:36 EDT||Type:||---|
|Bug Blocks:||235706, 441857|
Description Patrick Klingemann 2008-04-21 12:14:59 EDT
There does not appear to be a mechanism in PackageKit to import RPM-GPG-KEYs for new repositories. Thus it is not possible to install packages from newly linked repositories.
Steps to reproduce:
1. Add a new valid yum repository (software source).
2. Open PackageKit.
3. Select a package from the newly added repository.
4. Click the install button.
5. The installation hangs with "Checking Signatures" displayed in the statusbar.
Actual Results: Installation hangs with "Checking Signatures" displayed in the statusbar.
Expected Results: User is prompted to import the new repository's RPM-GPG-KEY and the package installs successfully.
Build Date/Platform: PackageKit 0.1.12, Fedora 9 (rawhide), i686
Workaround:
1. Add a new valid yum repository.
2. Open a terminal.
3. su root
4. yum install package-name-from-new-repository
5. You are then prompted to import the new RPM-GPG-KEY for the new repository.
6. When the package finishes installing you should be able to install packages from the new repository via PackageKit.
Comment 2 Robin Norwood 2008-04-25 12:48:52 EDT
Patrick, if you get a chance, could you test this again with: http://koji.fedoraproject.org/koji/taskinfo?taskID=583037 ?
Comment 3 Patrick Klingemann 2008-04-25 14:25:22 EDT
Robin, I'm happy to test it, is there a repository I can enable to get those packages or should I install them manually?
Comment 4 Patrick Klingemann 2008-04-25 15:32:40 EDT
Robin, I installed the following packages via rpm -Uvh:
PackageKit-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-cron-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-debuginfo-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-devel-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-libs-0.1.12-7.20080425.fc9.i386.rpm
yum-packagekit-0.1.12-7.20080425.fc9.i386.rpm
I removed each rpm-gpg-key via rpm -e gpg-pubkey-xxxxxxx
I then restarted my machine.
Opened PackageKit via System->Administration->Add/Remove Software
Searched for wireshark, selected gnome-wireshark, and clicked install.
After a minute or so a dialog box popped up with the following:
A security trust relationship is not present
GPG key xxxxxxxxx is required
I'm not sure if that was the desirable result, please advise.
Comment 5 Will Woods 2008-04-25 15:49:47 EDT
New systems need to import GPG key(s) to install updates. So if PackageKit can't import GPG keys, we can't push updates to new systems. I'm not sure we can release with this unfixed.
Comment 6 Patrick Klingemann 2008-04-25 16:00:21 EDT
If I remember correctly the GPG keys for the Fedora repositories are installed with Fedora 9, thus updates from the Fedora repositories would install without issue. Can anyone confirm this? I noticed this bug after installing the Livna repository rpm and attempting to install a package from the livna repository.
Comment 7 Will Woods 2008-04-25 16:06:26 EDT
Rawhide packages aren't signed, so this never came up before. The gpg keys are shipped with Fedora but - unless I'm mistaken - they are not normally imported until your first update.
Comment 8 Will Woods 2008-04-25 17:43:55 EDT
Yeah, confirmed. GPG keys aren't imported during install. Thus updates are not installable until you run yum or import the keys by hand. I did this:
1) Fresh install of rawhide (works fine; anaconda doesn't check sigs)
2) Install new (unsigned) PackageKit RPMs from koji
3) Roll back to an unsigned package (e.g. ntfsprogs-2.0.0-6)
4) Attempt to install updates
5) Get error message and no updates installed.
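The state confirmed in the comment above (key files shipped on disk but not yet imported into the RPM database) can be checked per repository. This is an added example, not code from this bug or from PackageKit; the function names `repo_keys`, `short_id` and `audit` and the sample repo file are constructed, and `audit` assumes yum-style `.repo` files, `rpm`, and GnuPG 2.2+ for `gpg --show-keys`.

```shell
# repo_keys DIR: print "repoid<TAB>gpgcheck<TAB>gpgkey" per section of DIR/*.repo.
# Assumption: only the first gpgkey value of a section is reported.
repo_keys() {
    awk '
        function emit() { if (id != "") printf "%s\t%s\t%s\n", id, chk, key }
        /^\[/ { emit(); id = substr($0, 2, index($0, "]") - 2)
                chk = "unset"; key = "none"; next }
        /^gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); chk = $0; next }
        /^gpgkey[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); key = $1; next }
        END { emit() }
    ' "$1"/*.repo
}

# short_id KEYID: rpm names an imported key gpg-pubkey-<last 8 hex digits, lowercase>.
short_id() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/'
}

# audit DIR: report, per repo, whether its local key file is in the RPM database.
# Read-only; does not need root.
audit() {
    repo_keys "$1" | while IFS="$(printf '\t')" read -r id chk key; do
        file=${key#file://}
        [ -r "$file" ] || { echo "$id: gpgcheck=$chk key=$key (no readable local key file)"; continue; }
        kid=$(gpg --show-keys --with-colons "$file" | awk -F: '$1 == "pub" { print $5; exit }')
        if rpm -q "gpg-pubkey-$(short_id "$kid")" >/dev/null 2>&1; then
            echo "$id: gpgcheck=$chk key imported"
        else
            echo "$id: gpgcheck=$chk key NOT imported; import with: rpm --import $file"
        fi
    done
}

# Constructed sample input so the parser can be tried offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/sample.repo" <<'EOF'
[fedora]
name=Fedora (constructed)
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[thirdparty]
name=Third party (constructed)
gpgcheck = 0
EOF
repo_keys "$demo_dir"
# On a real system: audit /etc/yum.repos.d
```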
Comment 9 Patrick Klingemann 2008-04-25 18:16:44 EDT
I found an interesting discussion on Richard Hughes' (PackageKit maintainer) blog about this issue. I do not see a resolution to it though. I've CC'ed Richard on this bug, maybe he can shed some light. http://hughsient.livejournal.com/40208.html
Comment 10 Patrick Klingemann 2008-04-25 18:31:26 EDT
My apologies, I just finished reading through the comments on the bug that Robin referenced above: https://bugzilla.redhat.com/show_bug.cgi?id=443972 and the two bugs definitely have the same root cause. How do y'all go about merging bugs so there is no duplication of effort?
Comment 11 Will Woods 2008-04-25 18:52:24 EDT
Patrick: normally we'd close one bug as a duplicate of the other, but in this case they're not exactly duplicates. Bug #443972 concerns the PackageKit UI freezing / daemon crashing if it encounters signed packages. That bug is, technically, fixed, since it doesn't hang or crash anymore. This bug is about PK being unable to install signed packages until you import the keys yourself. Which is still an open problem.
Comment 12 Basil Mohamed Gohar 2008-04-25 21:19:35 EDT
This same issue occurred when, after installing Fedora 9 Preview x86_64, a new fedora-release package was installed via an update, which, I guess, required new keys. All I noticed was PackageKit would stop progress for a while. I only discovered this after running yum manually. I did notice this when working with Livna as well, but it's the same problem, obviously.
Comment 13 Richard Hughes 2008-04-26 04:54:13 EDT
Yes, with 0.2.0 we can do the GPG auth dance. I still want to integrate with seahorse to make the GPG check suck less, as users shouldn't have to understand all this stuff.
Comment 14 Will Woods 2008-04-26 10:41:01 EDT
Sounds like a good plan, but when is 0.2.0 due for release? We're supposed to be composing the first Release Candidates for F9 at the end of next week (May 1 or so). Nobody who installs F9 will be able to install any updates until we address (or work around) this.
Comment 15 Robin Norwood 2008-04-29 17:08:06 EDT
*** Bug 440156 has been marked as a duplicate of this bug. ***
Comment 16 Robin Norwood 2008-04-29 17:11:26 EDT
*** Bug 444604 has been marked as a duplicate of this bug. ***
Comment 17 Richard Hughes 2008-04-30 04:39:18 EDT
*** Bug 444691 has been marked as a duplicate of this bug. ***
Comment 18 Will Woods 2008-04-30 11:42:55 EDT
http://koji.fedoraproject.org/koji/taskinfo?taskID=589979 and http://koji.fedoraproject.org/koji/taskinfo?taskID=589973 are new builds of PackageKit / gnome-packagekit which may fix this.
Comment 19 Richard Hughes 2008-04-30 12:59:15 EDT
The UI's not pretty, but seems to do the job.
Comment 20 Patrick Klingemann 2008-04-30 14:15:32 EDT
I agree with Richard's comments above. The result of the new builds is the following:
1. System -> Administration -> Add/Remove Software
2. Select a package to install, click the Install button.
3. A dialog opens: "Do you want to import key ******* from ******* for *****" Yes/No, click Yes
4. Another dialog opens: "Key will be imported, please try transaction again. This UI will be replaced in future versions of PackageKit - please don't file bugs as an update is being worked on...", click OK.
5. A dialog opens to authenticate as root.
6. After authenticating as root, you must go through the package install process again, which completes successfully without needing to import the key.
Comment 21 Robin Norwood 2008-04-30 14:33:26 EDT
Works for me here, too. Thanks a bunch, hughsie.
Comment 22 Will Woods 2008-04-30 15:43:58 EDT
Yeah, same results here. It's a start. The problem with this implementation is this: a month after F9 release, we'll have 100 updates. Installing those updates will require importing 3 keys - fedora, fedora-security, and fedora-updates. Even if that transaction *contains* a fixed PackageKit, the user will still have to go through the transaction-test/error message/restart transaction 3 times. Ugh.
Comment 23 Richard Hughes 2008-05-01 06:28:36 EDT
Okay, closing. What we need to do long term is just import all the keys in /etc/pki/fedora* at anaconda time. I don't know another distro that doesn't trust its own updates...
Comment 24 Colin Walters 2008-05-02 13:54:56 EDT
Last time this came up I think we discussed doing the key import in the %post of fedora-release.