Bug 856225
Summary: | PackageKit can't import Fedora GPG key | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Kamil Páral <kparal> | ||||
Component: | rpm | Assignee: | Fedora Packaging Toolset Team <packaging-team> | ||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 18 | CC: | acook, awilliam, ffesti, hughsient, jnovy, johannbg, jreznik, jzeleny, kevin, packaging-team, pknirsch, pmatilai, rhughes, robatino, satellitgo, tflink | ||||
Target Milestone: | --- | Keywords: | CommonBugs, Upstream | ||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | https://fedoraproject.org/wiki/Common_F18_bugs#packagekit-import-gpg AcceptedBlocker | ||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2012-10-08 14:08:03 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 752660 | ||||||
Attachments: |
|
Description
Kamil Páral
2012-09-11 13:47:06 UTC
Proposing as Alpha blocker: " The installed system must be able to download and install updates with yum and the default graphical package manager in all release-blocking desktops " https://fedoraproject.org/wiki/Fedora_18_Alpha_Release_Criteria +1 blocker, per criterion. I also hit this on a fresh install of F18 alpha RC2 from DVD in a VM. +1 blocker, per criterion. Oh - does the behaviour vary depending on whether the user is an 'admin' or not, like some other bugs? +1 blocker per criteria... I have hit this also as user as part of admin group with Gnome in RC2-DVD x86_64 install to HD; root password set. Workaround: root terminal: yum upgrade asks if you want to import GPG key and works Could this perhaps be related to https://bugzilla.redhat.com/show_bug.cgi?id=852403 ? Does it work in Permissive mode, or if selinux-policy is updated? reply to self: no, doesn't seem related. I hit this with an 'admin' user, with selinux in Permissive. 12:59:43 PackageKit failed to parse: Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64: invalid command 'Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64' 12:59:43 PackageKit emitting changed 12:59:43 PackageKit emitting allow-cancel 1 12:59:43 PackageKit emitting changed 12:59:43 PackageKit emitting changed 12:59:43 PackageKit ignoring message (turn on DeveloperMode): Failed to parse output: invalid command 'Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64' 12:59:43 PackageKit failed to parse: error unknown cannot install signature: Key import failed (code 2): Error enum not recognised, and hence ignored: 'unknown' 12:59:43 PackageKit failed to parse: : invalid command '(null)' 12:59:43 PackageKit failed to parse: : invalid command '(null)' 12:59:43 PackageKit failed to parse: Failing package is: 1:tk-8.5.12-1.fc18.x86_64: invalid command ' Failing package is: 1:tk-8.5.12-1.fc18.x86_64' 12:59:43 PackageKit failed to parse: GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64: invalid command ' GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64' 12:59:43 PackageKit failed to parse: : invalid command '(null)' 12:59:43 PackageKit ignoring message (turn on DeveloperMode): Failed to parse output: Error enum not recognised, and hence ignored: 'unknown' 12:59:43 PackageKit ignoring message (turn on DeveloperMode): Failed to parse output: invalid command '(null)' 12:59:43 PackageKit ignoring message (turn on DeveloperMode): Failed to parse output: invalid command '(null)' 12:59:43 PackageKit ignoring message (turn on DeveloperMode): Failed to parse output: invalid command ' Failing package is: 1:tk-8.5.12-1.fc18.x86_64' 12:59:43 PackageKit ignoring message (turn on DeveloperMode): Failed to parse output: invalid command ' GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64' 12:59:43 PackageKit ignoring message (turn on DeveloperMode): Failed to parse output: invalid command '(null)' 12:59:43 PackageKit backend was exited rather than finished Discussed at 2012-09-12 blocker review meeting. We agreed that this bug is a violation of the criterion "The installed system must be able to download and install updates with yum and the default graphical package manager in all release-blocking desktops", but can be sufficiently worked around by performing just one yum operation - PK will work correctly after that. So it's rejected as a blocker, accepted as NTH. There was also some discussion of whether the criterion should really require graphical updating to work, as to some, on consideration, it seems like too strict a requirement for an Alpha release. But we will continue that discussion on the list. What's clear is that the criterion does require graphical updating to work, so I don't see how this is not a blocker. Created attachment 612908 [details]
python script to reproduce the problem
This will explode with the following backtrace:
yum.Errors.YumBaseError: Key import failed (code 2)
This is (I think) because:
* getKeyForPackage calls pgpImportPubkey() in yum/__init__.py
* which in turn calls rpmts_PgpImportPubkey() in rpm/python/rpmts.py
* which calls rpmtsImportPubkey() in rpm/lib/rpmts.c
* which calls rpmPubkeyNew() then rpmKeyringAddKey() in rpm/rpmio/rpmkeyring.c
* which checks if the keyring is NULL, which it is, and returns -1
* which causes rpmtsImportPubkey() to return RPMRC_FAIL
Now, the PackageKit key import code has not changed in over a year,
so i can only assume that something loaded the default keyring (either yum or rpm) so that this code worked before and doesn't work now.
I've tested this with yum-3.4.3-28.fc17 on F18, and it fails, so that leads me to think that something's changed in rpm, although yum is able to import the same key somehow.
Panu, any ideas?
Hmm, yup... This is a combination of a change in rpm 4.10 to avoid loading the keyring on transactions where signature checking is disabled, and the fact that yum defaults to non-signature checking settings on transactions. The ability to import keys shouldn't be tied to signature checking enabled/disabled though, this is an unintended side-effect of the keyring loading change. Will fix. Fixed upstream: http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=9209e6cd78a1e6814f3038734cdd300b97ddcf1b (In reply to comment #14) > Fixed upstream: > http://rpm.org/gitweb?p=rpm.git;a=commitdiff; > h=9209e6cd78a1e6814f3038734cdd300b97ddcf1b Brilliant, thanks. Any ETA on a Fedora 18 package or is rpm-4.10.1 coming before the beta? I can build a package with the fix if you're super busy. Richard. Discussed at 2012-09-26 blocker review meeting: http://meetbot.fedoraproject.org/fedora-qa/2012-09-26/f18-beta-blocker-review-1.2012-09-26-16.03.log.txt . Accepted as a blocker for Beta: the criterion is the same as for Alpha, "The installed system must be able to download and install updates with yum and the default graphical package manager in all release-blocking desktops". For Alpha we considered 'run yum once' to be an acceptable workaround, but for the higher standards expected of a Beta, we don't consider it good enough. rpm-4.10.1-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/rpm-4.10.1-1.fc18 Package rpm-4.10.1-1.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing rpm-4.10.1-1.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-15295/rpm-4.10.1-1.fc18 then log in and leave karma (feedback). With rpm-4.10.1-1.fc18 PackageKit was able to install the gpg key. The update was pushed stable, closing. |