Bug 443445
Summary: | Cannot install packages from repositories from which RPM-GPG-KEYs have not been installed.
---|---
Product: | [Fedora] Fedora
Component: | PackageKit
Version: | rawhide
Hardware: | All
OS: | Linux
Status: | CLOSED RAWHIDE
Severity: | low
Priority: | urgent
Reporter: | Patrick Klingemann <patrick.klingemann>
Assignee: | Robin Norwood <robin.norwood>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | diego.ml, kontakt, linux, mishu, nehm, projectu, redhat-bugzilla, richard, sleepylight, tim.lauridsen, wwoods
URL: | https://bugs.freedesktop.org/show_bug.cgi?id=15631
Doc Type: | Bug Fix
Last Closed: | 2008-05-01 10:28:36 UTC
Bug Blocks: | 235706, 441857
Description
Patrick Klingemann
2008-04-21 16:14:59 UTC
This may be related to bug #443972

Patrick, if you get a chance, could you test this again with: http://koji.fedoraproject.org/koji/taskinfo?taskID=583037 ?

Robin, I'm happy to test it, is there a repository I can enable to get those packages or should I install them manually?

Robin, I installed the following packages via rpm -Uvh:
PackageKit-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-cron-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-debuginfo-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-devel-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-libs-0.1.12-7.20080425.fc9.i386.rpm
yum-packagekit-0.1.12-7.20080425.fc9.i386.rpm
I removed each rpm-gpg-key via rpm -e gpg-pubkey-xxxxxxx
I then restarted my machine.
Opened PackageKit via System->Administration->Add/Remove Software
Searched for wireshark, selected gnome-wireshark, and clicked install.
After a minute or so a dialog box popped up with the following:
A security trust relationship is not present
GPG key xxxxxxxxx is required
I'm not sure if that was the desirable result, please advise.

New systems need to import GPG key(s) to install updates. So if PackageKit can't import GPG keys, we can't push updates to new systems. I'm not sure we can release with this unfixed.

If I remember correctly the GPG keys for the Fedora repositories are installed with Fedora 9, thus updates from the Fedora repositories would install without issue. Can anyone confirm this? I noticed this bug after installing the Livna repository rpm and attempting to install a package from the livna repository.

Rawhide packages aren't signed, so this never came up before. The gpg keys are shipped with Fedora but - unless I'm mistaken - they are not normally imported until your first update.

Yeah, confirmed. GPG keys aren't imported during install. Thus updates are not installable until you run yum or import the keys by hand.
I did this:
1) Fresh install of rawhide (works fine; anaconda doesn't check sigs)
2) Install new (unsigned) PackageKit RPMs from koji
3) Roll back to an unsigned package (e.g. ntfsprogs-2.0.0-6)
4) Attempt to install updates
5) Get error message and no updates installed.

I found an interesting discussion on Richard Hughes' (PackageKit maintainer) blog about this issue. I do not see a resolution to it though. I've CC'ed Richard on this bug, maybe he can shed some light. http://hughsient.livejournal.com/40208.html

My apologies, I just finished reading through the comments on the bug that Robin referenced above: https://bugzilla.redhat.com/show_bug.cgi?id=443972 and the two bugs definitely have the same root cause. How do y'all go about merging bugs so there is no duplication of effort?

Patrick: normally we'd close one bug as a duplicate of the other, but in this case they're not exactly duplicates. Bug #443972 concerns the PackageKit UI freezing / daemon crashing if it encounters signed packages. That bug is, technically, fixed, since it doesn't hang or crash anymore. This bug is about PK being unable to install signed packages until you import the keys yourself. Which is still an open problem.

This same issue occurred when, after installing Fedora 9 Preview x86_64, a new fedora-release package was installed via an update, which, I guess, required new keys. All I noticed was PackageKit would stop progress for a while. I only discovered this after running yum manually. I did notice this when working with Livna as well, but it's the same problem, obviously.

Yes, with 0.2.0 we can do the GPG auth dance. I still want to integrate with seahorse to make the GPG check suck less, as users shouldn't have to understand all this stuff.

Sounds like a good plan, but when is 0.2.0 due for release? We're supposed to be composing the first Release Candidates for F9 at the end of next week (May 1 or so).
Nobody who installs F9 will be able to install any updates until we address (or work around) this.

*** Bug 440156 has been marked as a duplicate of this bug. ***
*** Bug 444604 has been marked as a duplicate of this bug. ***
*** Bug 444691 has been marked as a duplicate of this bug. ***

http://koji.fedoraproject.org/koji/taskinfo?taskID=589979 and http://koji.fedoraproject.org/koji/taskinfo?taskID=589973 are new builds of PackageKit / gnome-packagekit which may fix this. The UI's not pretty, but seems to do the job.

I agree with Richard's comments above. The result of the new builds is the following:
1. System -> Administration -> Add/Remove Software
2. Select a package to install, click the Install button.
3. A dialog opens: "Do you want to import key ******* from ******* for *****" Yes/No, click Yes
4. Another dialog opens: "Key will be imported, please try transaction again. This UI will be replaced in future versions of PackageKit - please don't file bugs as an update is being worked on...", click OK.
5. A dialog opens to authenticate as root.
6. After authenticating as root, you must go through the package install process again, which completes successfully without needing to import the key.

Works for me here, too. Thanks a bunch, hughsie.

Yeah, same results here. It's a start. The problem with this implementation is this: a month after F9 release, we'll have 100 updates. Installing those updates will require importing 3 keys - fedora, fedora-security, and fedora-updates. Even if that transaction *contains* a fixed PackageKit, the user will still have to go through the transaction-test/error message/restart transaction 3 times. Ugh.

Okay, closing. What we need to do long term is just import all the keys in /etc/pki/fedora* at anaconda time. I don't know another distro that doesn't trust its own updates...

Last time this came up I think we discussed doing the key import in the %post of fedora-release.
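
The condition this thread describes, signing keys shipped on disk but not yet imported into the RPM database, can be checked directly. The script below is an added example, not code from PackageKit or Fedora; the default directory `/etc/pki/rpm-gpg`, the `RPM-GPG-KEY-*` file pattern and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not PackageKit or Fedora code. Requires rpm and GnuPG 2.2+
# (for --show-keys) only when run with --live.

# rpm records an imported key as gpg-pubkey-<VERSION>-<RELEASE>, where VERSION
# is the last 8 hex digits of the key ID in lowercase.
pubkey_version() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/'
}

# find_missing INSTALLED AVAILABLE
#   INSTALLED: newline-separated gpg-pubkey versions from the rpm database
#   AVAILABLE: newline-separated "KEYID PATH" pairs for key files on disk
# Prints the PATH of each key file whose key is not in the rpm keyring.
find_missing() (
    installed=$1
    while read -r keyid path; do
        [ -n "$keyid" ] || continue
        if ! printf '%s\n' "$installed" | grep -qxF "$(pubkey_version "$keyid")"; then
            printf '%s\n' "$path"
        fi
    done <<EOF
$2
EOF
)

# Collect both lists from the running system (the directory is an assumption).
live_check() (
    dir=${1:-/etc/pki/rpm-gpg}
    installed=$(rpm -q gpg-pubkey --qf '%{VERSION}\n' 2>/dev/null)
    available=$(for f in "$dir"/RPM-GPG-KEY-*; do
        [ -f "$f" ] || continue
        id=$(gpg --show-keys --with-colons "$f" 2>/dev/null |
            awk -F: '$1 == "pub" { print $5; exit }')
        [ -n "$id" ] && printf '%s %s\n' "$id" "$f"
    done)
    find_missing "$installed" "$available"
)

if [ "${1:-}" = "--live" ]; then
    live_check "${2:-}"
fi
```

Run with `--live` on an RPM-based system; each path it prints is a key file that `rpm --import` has not yet been given.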