Bug 1456419 - dnf update --refresh fails for repo_gpgcheck=1
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnf
Version: rawhide
Assignee: Daniel Mach
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened, Triaged
Reported: 2017-05-29 11:21 UTC by Ondrej Holy
Modified: 2018-10-06 09:35 UTC

Fixed In Version: dnf-2.5.1-1.fc26
Clone Of:
: 1636743 (view as bug list)
Last Closed: 2017-06-16 13:19:11 UTC
Type: Bug

Description Ondrej Holy 2017-05-29 11:21:17 UTC
Description of problem:

I use unitedrpms, which uses repo_gpgcheck=1
https://github.com/UnitedRPMs/unitedrpms.github.io/blob/master/unitedrpms.repo

"dnf update --refresh" fails if the metadata cache is already built.

Version-Release number of selected component (if applicable):
$ dnf --version
2.5.0
  Installed: dnf-0:2.4.1-1.fc27.noarch at 2017-05-17 06:16
  Built    : Fedora Project at 2017-05-11 08:43

  Installed: dnf-0:2.5.0-2.fc27.noarch at 2017-05-29 07:08
  Built    : Fedora Project at 2017-05-24 13:53

  Installed: rpm-0:4.13.0.1-20.fc27.x86_64 at 2017-05-01 18:10
  Built    : Fedora Project at 2017-04-25 15:51

  Installed: rpm-0:4.13.0.1-22.fc27.x86_64 at 2017-05-29 07:08
  Built    : Fedora Project at 2017-05-23 09:28


How reproducible:
always

Steps to Reproduce:
1) dnf clean all && dnf makecache
2) dnf update --refresh

Actual results:
$ dnf clean all && dnf makecache
...
unitedrpms                                                                                                                    197 kB/s | 693 kB     00:03    
...
$ dnf update --refresh -vvv
...
Cannot download 'https://raw.githubusercontent.com/UnitedRPMs/unitedrpms.github.io/master/mirrorlist_F$releasever_x86_64.txt': repomd.xml GPG signature verification error: Bad GPG signature.
Failed to synchronize cache for repo 'unitedrpms', disabling.

Expected results:
I suppose it should use the cached results and not disable the unitedrpms repo...

Additional info:
"dnf clean all && dnf update" works nicely, so it can be used as a workaround.

See https://github.com/UnitedRPMs/issues/issues/3

Comment 1 Sergio Monteiro Basto 2017-05-29 11:34:31 UTC
Hum, repo_gpgcheck=1 is not my issue.

If I do:

dnf --releasever=24 --disablerepo='*' --enablerepo=unitedrpms repoquery --available "openssl*"

Why, when I change to releasever=25 [1], does it use the same cache as releasever=24?

[1]
dnf --releasever=25 --disablerepo='*' --enablerepo=unitedrpms repoquery --available "openssl*" -vvv
cachedir: /var/cache/dnf
Loaded plugins: generate_completion_cache, reposync, Query, builddep, copr, playground, noroot, needs-restarting, protected_packages, config-manager, download, system-upgrade, leaves, debuginfo-install
DNF version: 1.1.10
repo: using cache for: unitedrpms
not found deltainfo for: unitedrpms 25 - x86_64
not found updateinfo for: unitedrpms 25 - x86_64
unitedrpms: using metadata from Sat May 27 08:38:04 2017.
Last metadata expiration check: 0:04:59 ago on Mon May 29 12:28:22 2017.
(...)

Comment 2 Igor Gnatenko 2017-05-29 11:40:58 UTC
I suppose that different mirrors or the master changed the signature. Unfortunately, dnf can't do much about this.

Comment 3 Sergio Monteiro Basto 2017-05-29 11:43:26 UTC
What signatures? What is missing on the unitedrpms repos?

Comment 4 Sergio Monteiro Basto 2017-05-29 11:58:36 UTC
Where is the documentation of signatures? Why doesn't dnf use the URL that is given?
Why does dnf clean all make it work? Etc.

Comment 5 Daniel Mach 2017-05-29 13:50:27 UTC
I tried to reproduce it myself and this is what I got on Fedora 26:

$ cd /etc/yum.repos.d/
$ wget https://raw.githubusercontent.com/UnitedRPMs/unitedrpms.github.io/master/unitedrpms.repo
# looks like `dnf clean all` doesn't remove keyrings, I removed the whole cache instead to ensure clean environment:
$ rm /var/cache/dnf/* -rfv
$ dnf --disablerepo='*' --enablerepo=unitedrpms makecache
Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/URPMS-GPG-PUBLICKEY-Fedora-26 [Couldn't open file /etc/pki/rpm-gpg/URPMS-GPG-PUBLICKEY-Fedora-26]


This is *expected*.

The reason is that the GPG key file is not found on your system.

You have 2 options:
 * install the unitedrpms RPM from the web, which installs the repo file and gpg key
 * use the repo file from git and then run $ dnf install unitedrpms --nogpgcheck to avoid repo gpg verification for this step


If you still think this is a bug, can you provide a more detailed reproducer in a clean environment and reopen this bug?
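
The Curl error in comment 5 arises because the repo's gpgkey path expands with the release version to a file that is not installed. As an added example (not part of this bug report and not dnf's own code), the Python sketch below audits a .repo file for that condition and for repos that do not sign their metadata; SAMPLE_REPO is constructed, the function names are hypothetical, and any [main] override in dnf.conf is ignored.

```python
import configparser
import os
import re

# Constructed sample shaped like a third-party .repo file; the gpgkey path is
# inferred from the error in comment 5, not copied from unitedrpms.repo.
SAMPLE_REPO = """\
[unitedrpms]
enabled=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/URPMS-GPG-PUBLICKEY-Fedora-$releasever

[example-unsigned]
enabled=1
"""
TRUE = {"1", "true", "yes"}

def expand(value, releasever, basearch):
    """Substitute $releasever and $basearch (a subset of dnf's variables)."""
    subs = {"releasever": releasever, "basearch": basearch}
    return re.sub(r"\$\{?(releasever|basearch)\}?", lambda m: subs[m.group(1)], value)

def audit_repo_keys(repo_text, releasever, basearch="x86_64", exists=os.path.exists):
    """Return (repo_id, finding) tuples for enabled repos.

    'metadata-unsigned'  : repo_gpgcheck is off, repomd.xml is not verified
    'no-gpgkey'          : repo_gpgcheck is on but no gpgkey is configured
    'missing-key:<path>' : a file:// key does not exist for this releasever
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    findings = []
    for repo_id in cp.sections():
        sec = cp[repo_id]
        if sec.get("enabled", "1").strip().lower() not in TRUE:
            continue
        if sec.get("repo_gpgcheck", "0").strip().lower() not in TRUE:
            findings.append((repo_id, "metadata-unsigned"))
            continue
        keys = sec.get("gpgkey", "").replace(",", " ").split()
        if not keys:
            findings.append((repo_id, "no-gpgkey"))
        for url in keys:
            url = expand(url, releasever, basearch)
            if url.startswith("file://") and not exists(url[len("file://"):]):
                findings.append((repo_id, "missing-key:" + url[len("file://"):]))
    return findings
```

Calling audit_repo_keys(open(path).read(), "26") on a real repo file checks the key paths against the local filesystem.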

Comment 6 Ondrej Holy 2017-05-29 14:19:53 UTC
But I don't have a problem with a missing gpg key, I have a problem with signature verification. The certificate is successfully imported and "dnf clean all && dnf update" works correctly with that certificate, but "dnf update --refresh" fails...

Steps to Reproduce:
1) rpm --import https://raw.githubusercontent.com/UnitedRPMs/unitedrpms/master/URPMS-GPG-PUBLICKEY-Fedora-24
2) dnf -y install https://github.com/UnitedRPMs/unitedrpms/releases/download/3/unitedrpms-$(rpm -E %fedora)-3.fc$(rpm -E %fedora).noarch.rpm
3) dnf clean all && dnf makecache
4) dnf update --refresh
...
Cannot download 'https://raw.githubusercontent.com/UnitedRPMs/unitedrpms.github.io/master/mirrorlist_F$releasever_x86_64.txt': repomd.xml GPG signature verification error: Bad GPG signature.
Failed to synchronize cache for repo 'unitedrpms', disabling.

Comment 7 Sergio Monteiro Basto 2017-05-29 14:28:07 UTC
(In reply to Daniel Mach from comment #5)

cd /etc/pki/rpm-gpg/
ln -s URPMS-GPG-PUBLICKEY-Fedora-24 URPMS-GPG-PUBLICKEY-Fedora-25
ln -s URPMS-GPG-PUBLICKEY-Fedora-24 URPMS-GPG-PUBLICKEY-Fedora-26


rm /var/cache/dnf/* -rf

dnf --releasever=24 --disablerepo='*' --enablerepo=unitedrpms repoquery --available "openssl*" 

openssl-freeworld-2:1.0.2k-5.fc24.x86_64
etc

dnf --releasever=25 --disablerepo='*' --enablerepo=unitedrpms repoquery --available "openssl*" -vvv

openssl-freeworld-2:1.0.2k-5.fc24.x86_64
etc

dnf --releasever=25 --disablerepo='*' --enablerepo=unitedrpms clean all
dnf --releasever=25 --disablerepo='*' --enablerepo=unitedrpms repoquery --available "openssl*" -vvv

openssl-freeworld-2:1.0.2k-5.fc25.x86_64
etc 

Maybe it is not a dnf problem, but could someone help us understand what is wrong?

Many thanks

Comment 8 Daniel Mach 2017-05-30 10:18:00 UTC
Thanks for your endurance and re-opening this bug.
It seems to be a legitimate problem after all.

I've put together a patch:
https://github.com/rpm-software-management/dnf/pull/832

Could you test it?
It's a one-liner, it's possible to tweak your installed dnf package (if you're brave enough).

Comment 9 Ondrej Holy 2017-05-30 10:51:03 UTC
Thanks a lot, it fixes the problem for me, but not sure about Sergio's issue...

Comment 10 Sergio Monteiro Basto 2017-05-30 11:13:55 UTC
This fix is not applicable on F25; you may test it with the example in [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1456419#c7

Comment 11 Ondrej Holy 2017-05-30 11:25:33 UTC
I can reproduce it on F26 with dnf 2.3.0. But it doesn't fail on key verification, it just uses old cached data. So it is a different bug; can you please file another bug report for it?

Just a note that I can't reproduce it on rawhide with dnf 2.5.0, because that command from Comment 7 doesn't return anything for some reason...

Comment 12 Sergio Monteiro Basto 2017-05-30 11:31:26 UTC
(In reply to Ondrej Holy from comment #11)
OK, it is another bug (dnf uses an old cache); I'm just not sure where the bug is. In conclusion, we may close this bug; I will open another bug when I find a way to report it.

Thanks.

Comment 13 Ondrej Holy 2017-05-30 11:47:46 UTC
You can use the following link to report the bug for dnf:
https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=dnf

Comment 14 Fedora Update System 2017-06-12 15:30:51 UTC
dnf-plugins-core-2.1.1-1.fc26 libdnf-0.9.1-1.fc26 dnf-2.5.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c87c47dccb

Comment 15 Fedora Update System 2017-06-14 01:36:14 UTC
dnf-2.5.1-1.fc26, dnf-plugins-core-2.1.1-1.fc26, libdnf-0.9.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c87c47dccb

Comment 16 Fedora Update System 2017-06-14 05:34:47 UTC
dnf-2.5.1-1.fc26 dnf-plugins-core-2.1.1-1.fc26 dnfdaemon-0.3.18-3.fc26 libdnf-0.9.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c87c47dccb

Comment 17 Fedora Update System 2017-06-15 13:56:20 UTC
dnf-2.5.1-1.fc26, dnf-plugins-core-2.1.1-1.fc26, dnfdaemon-0.3.18-3.fc26, libdnf-0.9.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c87c47dccb

Comment 18 Fedora Update System 2017-06-16 13:19:11 UTC
dnf-2.5.1-1.fc26, dnf-plugins-core-2.1.1-1.fc26, dnfdaemon-0.3.18-3.fc26, libdnf-0.9.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Hristo Venev 2018-09-28 15:41:38 UTC
This seems to be broken again in Fedora 29

$ dnf --version
3.5.1
  Installed: dnf-0:3.5.1-1.fc29.noarch at Thu Sep 20 15:16:41 2018
  Built    : Fedora Project at Thu Sep 13 15:57:06 2018

  Installed: rpm-0:4.14.2-1.fc29.x86_64 at Thu Sep 20 15:13:33 2018
  Built    : Fedora Project at Wed Aug 22 08:07:47 2018

I think it worked fine in Fedora 28 a week ago.

Comment 20 Michael 2018-10-06 09:35:40 UTC
I can confirm that this is also broken on my side with Fedora 29 beta. I have 2 repositories which cause trouble. One is atom and the other is unitedrpms.

When I force the deletion of the whole DNF cache, the keys are newly imported and everything is fine. When I do an upgrade --refresh, the signature verification fails. :-(

sudo dnf --disablerepo '*' --enablerepo unitedrpms upgrade --refresh --verbose

Loaded plugins: builddep, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, needs-restarting, playground, repoclosure, repograph, repomanage, reposync, system-upgrade
DNF version: 3.6.1
cachedir: /var/cache/dnf
unitedrpms 29 - x86_64
unitedrpms 29 - x86_64
repo unitedrpms: 0xEE788F495250AEF3 already imported
unitedrpms 29 - x86_64
Cannot download 'https://sourceforge.net/projects/unitedrpms/files/29/x86_64/': repomd.xml GPG signature verification error: Bad GPG signature.
Failed to synchronize cache for repo 'unitedrpms', ignoring this repo.
--> Starting dependency resolution
--> Finished dependency resolution
Dependencies resolved.
Nothing to do.
Complete!

