Bug 1473241 - rawhide wrong gpg keys?
rawhide wrong gpg keys?
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: fedora-repos (Show other bugs)
26
x86_64 Linux
unspecified Severity urgent
: ---
: ---
Assigned To: Dennis Gilmore
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-20 05:54 EDT by lejeczek
Modified: 2017-09-29 01:32 EDT (History)
17 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-31 07:14:54 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description lejeczek 2017-07-20 05:54:08 EDT
Description of problem:

Total                                                                             24 MB/s |  87 MB     00:03     
warning: /var/cache/dnf/rawhide-2d95c80a1fa0a67d/packages/kernel-4.13.0-0.rc1.git1.1.fc27.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f5282ee4: NOKEY
Importing GPG key 0x64DAB85D:
 Userid     : "Fedora 26 Primary (26) <fedora-26-primary@fedoraproject.org>"
 Fingerprint: E641 850B 77DF 4353 78D1 D7E2 812A 6B4B 64DA B85D
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-x86_64
Key imported successfully
Import of key(s) didn't help, wrong key(s)?
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: 


Public key for kernel-4.13.0-0.rc1.git1.1.fc27.x86_64.rpm is not installedFailing package is: kernel-4.13.0-0.rc1.git1.1.fc27.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-x86_64

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Miroslav Suchý 2017-07-31 06:00:59 EDT
What command did you run? Dnf/mock/yum? Please past full command you executed.
Comment 2 lejeczek 2017-07-31 06:10:08 EDT
$ sudo dnf update kernel\* --enablerepo rawhide 
Last metadata expiration check: 0:19:33 ago on Mon 31 Jul 2017 10:50:03 BST.
Dependencies resolved.
====================================================================================================================
 Package                     Arch                Version                                 Repository            Size
====================================================================================================================
Upgrading:
 kernel-headers              x86_64              4.13.0-0.rc2.git3.1.fc27                rawhide              1.2 M
Installing dependencies:
 kernel                      x86_64              4.13.0-0.rc2.git3.1.fc27                rawhide               66 k
 kernel-core                 x86_64              4.13.0-0.rc2.git3.1.fc27                rawhide               23 M
 kernel-modules              x86_64              4.13.0-0.rc2.git3.1.fc27                rawhide               25 M

Transaction Summary
====================================================================================================================
Install  3 Packages
Upgrade  1 Package

Total size: 48 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] kernel-4.13.0-0.rc2.git3.1.fc27.x86_64.rpm: Already downloaded                                           
[SKIPPED] kernel-core-4.13.0-0.rc2.git3.1.fc27.x86_64.rpm: Already downloaded                                      
[SKIPPED] kernel-modules-4.13.0-0.rc2.git3.1.fc27.x86_64.rpm: Already downloaded                                   
[SKIPPED] kernel-headers-4.13.0-0.rc2.git3.1.fc27.x86_64.rpm: Already downloaded                                   
warning: /var/cache/dnf/rawhide-2d95c80a1fa0a67d/packages/kernel-4.13.0-0.rc2.git3.1.fc27.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f5282ee4: NOKEY
Importing GPG key 0x64DAB85D:
 Userid     : "Fedora 26 Primary (26) <fedora-26-primary@fedoraproject.org>"
 Fingerprint: E641 850B 77DF 4353 78D1 D7E2 812A 6B4B 64DA B85D
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-x86_64
Is this ok [y/N]: y
Key imported successfully
Import of key(s) didn't help, wrong key(s)?
Import of key(s) didn't help, wrong key(s)?
Import of key(s) didn't help, wrong key(s)?
Import of key(s) didn't help, wrong key(s)?



Public key for kernel-4.13.0-0.rc2.git3.1.fc27.x86_64.rpm is not installedFailing package is: kernel-4.13.0-0.rc2.git3.1.fc27.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-x86_64




Public key for kernel-core-4.13.0-0.rc2.git3.1.fc27.x86_64.rpm is not installedFailing package is: kernel-core-4.13.0-0.rc2.git3.1.fc27.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-x86_64




Public key for kernel-modules-4.13.0-0.rc2.git3.1.fc27.x86_64.rpm is not installedFailing package is: kernel-modules-4.13.0-0.rc2.git3.1.fc27.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-x86_64




Public key for kernel-headers-4.13.0-0.rc2.git3.1.fc27.x86_64.rpm is not installedFailing package is: kernel-headers-4.13.0-0.rc2.git3.1.fc27.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-x86_64

The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
Comment 3 Peter Robinson 2017-07-31 07:14:54 EDT
(In reply to lejeczek from comment #2)
> $ sudo dnf update kernel\* --enablerepo rawhide 

Using it like that the error your see is expected because the gpg line (below) equates the $releasever to 26 and the rawhide packages are signed with the 27 key.

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
Comment 4 lejeczek 2017-07-31 08:37:19 EDT
it has worked ok until f26.
Comment 5 Peter Robinson 2017-07-31 08:46:35 EDT
(In reply to lejeczek from comment #4)
> it has worked ok until f26.

Prior to F26 rawhide wasn't signed so it would install it because there was no signatures to verify
Comment 6 Dennis Gilmore 2017-07-31 08:51:16 EDT
you need to add --releasever=27 on the command line, it is a new change since rawhide is now signed with the key for the next fedora.
Comment 7 lejeczek 2017-07-31 09:00:42 EDT
$ sudo dnf update kernel\* --enablerepo rawhide --releasever=27 -d5
Loaded plugins: builddep, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, needs-restarting, playground, repoclosure, repograph, repomanage, reposync
DNF version: 2.6.2
cachedir: /var/cache/dnf
repo: using cache for: rawhide
not found updateinfo for: Fedora - Rawhide - Developmental packages for the next Fedora release
rawhide: using metadata from Sat 29 Jul 2017 23:50:53 BST.
Cannot download 'https://mirrors.fedoraproject.org/metalink?repo=updates-released-f27&arch=x86_64': Cannot prepare internal mirrorlist: file "repomd.xml" was not found in metalink.
Error: Failed to synchronize cache for repo 'updates'

I'll keep on patiently checking until it worked.
thanks.
Comment 8 Peter Robinson 2017-07-31 09:03:23 EDT
> 'https://mirrors.fedoraproject.org/metalink?repo=updates-released-
> f27&arch=x86_64': Cannot prepare internal mirrorlist: file "repomd.xml" was
> not found in metalink.
> Error: Failed to synchronize cache for repo 'updates'

There is no updates repo for f27 until branched happens, it all goes into the one repo. You'll need to --disablerepo=* --enablerepo=rawhide --releasever=27
Comment 9 lejeczek 2017-07-31 16:39:44 EDT
gee, guys, when things like this change, even though from devel point of view changes might seem procedural you& devel must bare in mind that to the rest of(users) us the only place that ever catches any attention is: a changelog!! - _bold _ - readme!! - _bold -_ or anything you stick a "!!" to.

also, fist thing you do before give something(tool) to users - is - do that thing a user is doing already with that thing - paradoxical but very practical(procedural testing)

put it out there and stick !! to it please. (so we would not have to bother you with "false" bug reports.
Comment 10 Kevin Fenzi 2017-07-31 17:55:14 EDT
Well, the official documentation on this is: don't do it. :) 

https://fedoraproject.org/wiki/Releases/Rawhide#Questions_and_Answers

Mixing stable releases + rawhide packages is likely to really mess things up. Now, that said, the kernel is usually pretty self contained so you can do it with the above commands. Other packages are much less likely to end well however.
Comment 11 lejeczek 2017-08-21 03:48:29 EDT
yes, that risk is there is obvious.
Now what you suggested fails too:

$ sudo dnf update kernel\* mesa\* xorg-x11\* vulkan\* libdrm* llvm --disablerepo=\* --enablerepo rawhide --releasever=27 -y
Last metadata expiration check: 0:12:18 ago on Mon 21 Aug 2017 08:30:43 BST.
Dependencies resolved.
===============================================================================================================
 Package                    Arch               Version                               Repository           Size
===============================================================================================================
Upgrading:
 kernel-headers             x86_64             4.13.0-0.rc5.git4.1.fc28              rawhide             1.2 M
Installing dependencies:
 kernel                     x86_64             4.13.0-0.rc5.git4.1.fc28              rawhide              69 k
 kernel-core                x86_64             4.13.0-0.rc5.git4.1.fc28              rawhide              21 M
 kernel-modules             x86_64             4.13.0-0.rc5.git4.1.fc28              rawhide              24 M

Transaction Summary
===============================================================================================================
Install  3 Packages
Upgrade  1 Package

Total size: 46 M
Downloading Packages:
[SKIPPED] kernel-4.13.0-0.rc5.git4.1.fc28.x86_64.rpm: Already downloaded                                      
[SKIPPED] kernel-core-4.13.0-0.rc5.git4.1.fc28.x86_64.rpm: Already downloaded                                 
[SKIPPED] kernel-modules-4.13.0-0.rc5.git4.1.fc28.x86_64.rpm: Already downloaded                              
[SKIPPED] kernel-headers-4.13.0-0.rc5.git4.1.fc28.x86_64.rpm: Already downloaded                              
warning: /var/cache/dnf/rawhide-2d95c80a1fa0a67d/packages/kernel-4.13.0-0.rc5.git4.1.fc28.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 9db62fb1: NOKEY
Importing GPG key 0xF5282EE4:
 Userid     : "Fedora 27 (27) <fedora-27@fedoraproject.org>"
 Fingerprint: 860E 19B0 AFA8 00A1 7518 81A6 F55E 7430 F528 2EE4
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-x86_64
Key imported successfully
Import of key(s) didn't help, wrong key(s)?
Import of key(s) didn't help, wrong key(s)?
Import of key(s) didn't help, wrong key(s)?
Import of key(s) didn't help, wrong key(s)?



Public key for kernel-4.13.0-0.rc5.git4.1.fc28.x86_64.rpm is not installedFailing package is: kernel-4.13.0-0.rc5.git4.1.fc28.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-x86_64




Public key for kernel-core-4.13.0-0.rc5.git4.1.fc28.x86_64.rpm is not installedFailing package is: kernel-core-4.13.0-0.rc5.git4.1.fc28.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-x86_64




Public key for kernel-modules-4.13.0-0.rc5.git4.1.fc28.x86_64.rpm is not installedFailing package is: kernel-modules-4.13.0-0.rc5.git4.1.fc28.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-x86_64




Public key for kernel-headers-4.13.0-0.rc5.git4.1.fc28.x86_64.rpm is not installedFailing package is: kernel-headers-4.13.0-0.rc5.git4.1.fc28.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-x86_64

The downloaded packages were saved in cache until the next successful transaction.
Comment 12 Peter Robinson 2017-08-21 04:07:41 EDT
> $ sudo dnf update kernel\* mesa\* xorg-x11\* vulkan\* libdrm* llvm
> --disablerepo=\* --enablerepo rawhide --releasever=27 -y

rawhide is now F28 not F27 so putting enablerepo rawhide and releasever 27 is no longer correct so it's failing as expected.
Comment 13 lejeczek 2017-08-25 07:31:13 EDT
since f26 rawhide got bit messy - it's a general impression - until then it worked nicely.

warning: /var/cache/dnf/rawhide-2d95c80a1fa0a67d/packages/kernel-4.13.0-0.rc6.git2.1.fc28.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 9db62fb1: NOKEY
Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-28-x86_64 [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-28-x86_64]
The downloaded packages were saved in cache until the next successful transaction.
Comment 14 Kevin Fenzi 2017-08-25 14:21:00 EDT
You need the latest fedora-repos package installed (that has the f28 key) or manually importing it from https://pagure.io/fedora-repos/raw/master/f/RPM-GPG-KEY-fedora-28-primary before you try and upgrade.
Comment 15 lejeczek 2017-08-26 06:27:41 EDT
I do have latest fedora-repos
This bug report should be about how current & rawhide & etc got out of sync(and maybe out of control)
Comment 16 Kevin Fenzi 2017-08-26 14:57:46 EDT
(In reply to lejeczek from comment #15)
> I do have latest fedora-repos

rpm -q fedora-repos fedora-repos-rawhide

If you did you would have the f28 key file. 

> This bug report should be about how current & rawhide & etc got out of
> sync(and maybe out of control)

well, this bug is closed. ;) So, I guess I should stop replying to it...
Comment 17 lejeczek 2017-08-28 08:44:53 EDT
$ rpm -q fedora-repos fedora-repos-rawhide
fedora-repos-26-1.noarch
fedora-repos-rawhide-26-1.noarch

Now, if I wanted to try something:
 sudo dnf install /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-28-x86_64  --enablerepo=rawhide --releasever=27
[sudo] password for pe243: 
Fedora 27 - x86_64 - Updates                                                      2.1 kB/s | 373  B     00:00    
Fedora 27 - x86_64                                                                 25 MB/s |  65 MB     00:02    
Failed to synchronize cache for repo 'rpmfusion-free-updates', disabling.
Failed to synchronize cache for repo 'rpmfusion-free', disabling.
Failed to synchronize cache for repo 'rpmfusion-nonfree-updates', disabling.
Failed to synchronize cache for repo 'rpmfusion-nonfree', disabling.
Last metadata expiration check: 0:00:00 ago on Mon 28 Aug 2017 13:39:12 BST.
Error: 
 Problem: conflicting requests
  - package fedora-repos-28-0.1.noarch requires system-release(28), but none of the providers can be installed
  - package fedora-repos-27-0.3.noarch requires system-release(27), but none of the providers can be installed
  - cannot install both fedora-release-28-0.1.noarch and fedora-release-26-1.noarch
  - package generic-release-28-0.1.noarch conflicts with fedora-release provided by fedora-release-26-1.noarch
  - cannot install both fedora-release-27-0.3.noarch and fedora-release-26-1.noarch
  - package generic-release-27-0.1.noarch conflicts with fedora-release provided by fedora-release-26-1.noarch
  - package rpmfusion-free-release-26-1.noarch requires system-release(26), but none of the providers can be installed
  - problem with installed package rpmfusion-free-release-26-1.noarch
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstalable packages)


I is one big mess, nut it had been fine until a few weeks ago.
And it should not be funny, as readily available users dev packages to end users mean better/more feedback on those to developers, which consequently mean... obvious.
Comment 18 Beni Paskin-Cherniavsky 2017-09-29 01:32:02 EDT
I'm on F26 (also have fedora-repos-26-1.noarch fedora-repos-rawhide-26-1.noarch),
and can confirm I managed to install nodejs 1:8.5.0-3.fc28 package from rawhide, by doing:

sudo rpm --import https://pagure.io/fedora-repos/raw/master/f/RPM-GPG-KEY-fedora-28-primary
sudo dnf install --enablerepo rawhide --best --allowerasing nodejs

(Actaully that gave me file conflicts with existing nodejs 1:6.11.2-1.fc26.i686,
I ended up removing nodejs & npm first, but for purpose of this BZ it worked without any GPG errors)

Note You need to log in before you can comment on or make changes to this bug.