Bug 1566988 - repomd.xml GPG signature verification error: gpgme_op_verify()
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gpgme
Version: 28
Hardware: x86_64
OS: Unspecified
Assignee: Igor Gnatenko
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedFreezeException
Blocks: F28FinalFreezeException
Reported: 2018-04-13 09:31 UTC by Juan Orti Alcaine
Modified: 2018-05-04 01:02 UTC

Fixed In Version: gpgme-1.10.0-4.fc28
Last Closed: 2018-04-25 00:02:56 UTC
Type: Bug


Description Juan Orti Alcaine 2018-04-13 09:31:17 UTC
Description of problem:
This repository works in F27 but fails to verify gpg signature in F28.

# cat /etc/yum.repos.d/google-cloud-sdk.repo 
[google-cloud-sdk]
name=Google Cloud SDK
baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg


# dnf -vvvv install google-cloud-sdk
Loaded plugins: builddep, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, needs-restarting, playground, repoclosure, repograph, repomanage, reposync, system-upgrade                                     
DNF version: 2.7.5                                                                                                                                                                                                                            
cachedir: /var/cache/dnf
repo: using cache for: jorti-pass-otp
not found deltainfo for: Copr repo for pass-otp owned by jorti
not found updateinfo for: Copr repo for pass-otp owned by jorti
jorti-pass-otp: using metadata from Sun Apr  1 10:26:03 2018.
repo: using cache for: adobe-linux-x86_64
not found deltainfo for: Adobe Systems Incorporated
not found updateinfo for: Adobe Systems Incorporated
adobe-linux-x86_64: using metadata from Tue Mar 27 05:12:51 2018.
repo: using cache for: updates-testing
updates-testing: using metadata from Thu Apr 12 00:32:30 2018.
repo: using cache for: updates
not found deltainfo for: Fedora 28 - x86_64 - Updates
not found updateinfo for: Fedora 28 - x86_64 - Updates
updates: using metadata from Tue Feb 20 20:18:14 2018.
repo: using cache for: fedora
not found deltainfo for: Fedora 28 - x86_64
not found updateinfo for: Fedora 28 - x86_64
fedora: using metadata from Thu Apr 12 13:12:27 2018.
Cannot download 'https://packages.cloud.google.com/yum/repos/cloud-sdk-el7-x86_64': repomd.xml GPG signature verification error: gpgme_op_verify() error: General error.
repo: using cache for: google-musicmanager
not found deltainfo for: google-musicmanager
not found updateinfo for: google-musicmanager
google-musicmanager: using metadata from Mon Mar 26 23:02:14 2018.
repo: using cache for: rpmfusion-free-updates-testing
not found deltainfo for: RPM Fusion for Fedora 28 - Free - Test Updates
not found updateinfo for: RPM Fusion for Fedora 28 - Free - Test Updates
rpmfusion-free-updates-testing: using metadata from Thu Apr 12 14:22:21 2018.
repo: using cache for: rpmfusion-free
not found deltainfo for: RPM Fusion for Fedora 28 - Free
not found updateinfo for: RPM Fusion for Fedora 28 - Free
rpmfusion-free: using metadata from Thu Apr 12 14:46:01 2018.
repo: using cache for: rpmfusion-nonfree-updates-testing
not found deltainfo for: RPM Fusion for Fedora 28 - Nonfree - Test Updates
not found updateinfo for: RPM Fusion for Fedora 28 - Nonfree - Test Updates
rpmfusion-nonfree-updates-testing: using metadata from Thu Apr 12 13:21:08 2018.
repo: using cache for: rpmfusion-nonfree
not found deltainfo for: RPM Fusion for Fedora 28 - Nonfree
not found updateinfo for: RPM Fusion for Fedora 28 - Nonfree
rpmfusion-nonfree: using metadata from Thu Apr 12 13:25:56 2018.
Failed to synchronize cache for repo 'google-cloud-sdk', disabling.
Last metadata expiration check: 0:06:53 ago on Fri Apr 13 11:14:40 2018.
Missing file *modules.yaml in metadata cache dir: /var/cache/dnf/jorti-pass-otp-35d99bf8c59f8f55
Missing file *modules.yaml in metadata cache dir: /var/cache/dnf/adobe-linux-x86_64-38ad0a49b0acdf73
Missing file *modules.yaml in metadata cache dir: /var/cache/dnf/updates-testing-3ab9f75e4a13f117
Missing file *modules.yaml in metadata cache dir: /var/cache/dnf/updates-8bd9ef368505a5fd
Missing file *modules.yaml in metadata cache dir: /var/cache/dnf/fedora-f21308f6293b3270
Missing file *modules.yaml in metadata cache dir: /var/cache/dnf/google-musicmanager-d5cfb98b5f436f25
Missing file *modules.yaml in metadata cache dir: /var/cache/dnf/rpmfusion-free-updates-testing-465f01c525458b82
Missing file *modules.yaml in metadata cache dir: /var/cache/dnf/rpmfusion-free-340f27dbf4d9eb4b
Missing file *modules.yaml in metadata cache dir: /var/cache/dnf/rpmfusion-nonfree-updates-testing-bbff737f0036e05b
Missing file *modules.yaml in metadata cache dir: /var/cache/dnf/rpmfusion-nonfree-fcea624146a658fc
No match for argument: google-cloud-sdk
Error: Unable to find a match



Version-Release number of selected component (if applicable):
libdnf-0.11.1-1.fc27.x86_64
python3-dnf-plugin-system-upgrade-2.0.5-1.fc27.noarch
dnf-yum-2.7.5-2.fc27.noarch
dnf-2.7.5-2.fc27.noarch
dnf-conf-2.7.5-2.fc27.noarch
dnf-plugins-core-2.1.5-4.fc27.noarch
python3-dnf-2.7.5-2.fc27.noarch
python2-dnf-2.7.5-2.fc27.noarch
python3-dnf-plugins-extras-common-2.0.5-1.fc27.noarch
python3-dnf-plugins-core-2.1.5-4.fc27.noarch

Comment 1 Juan Orti Alcaine 2018-04-20 16:13:36 UTC
More errors, this time with fedora-cisco-openh264 repository: 

# dnf install gstreamer1-plugin-openh264 mozilla-openh264 -vvvv
Loaded plugins: builddep, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, needs-restarting, playground, repoclosure, repograph, repomanage, reposync, system-upgrade
DNF version: 2.7.5
cachedir: /var/cache/dnf
repo: using cache for: jorti-pass-otp
not found deltainfo for: Copr repo for pass-otp owned by jorti
not found updateinfo for: Copr repo for pass-otp owned by jorti
jorti-pass-otp: using metadata from dom 01 abr 2018 10:26:03 CEST.
repo: using cache for: adobe-linux-x86_64
not found deltainfo for: Adobe Systems Incorporated
not found updateinfo for: Adobe Systems Incorporated
adobe-linux-x86_64: using metadata from mar 27 mar 2018 05:12:51 CEST.
Cannot download 'https://codecs.fedoraproject.org/openh264/28/x86_64/': repomd.xml GPG signature verification error: gpgme_op_verify() error: General error.
Error: Failed to synchronize cache for repo 'fedora-cisco-openh264'

Comment 2 Mr.Sulu 2018-04-20 17:14:42 UTC
This issue is not limited to Fedora28, but also reproducible in Fedora27.

The issue seems to occur only when adding new repositories on a *fully updated* Fedora installation.
Adding the same repos in a fresh install but before updating works fine.

The combination of the error "GPG signature verification error: gpgme_op_verify() error: General error." and the fact that the following 2 packages have been recently updated:
# rpm -qa|grep gnupg2
gnupg2-2.2.6-1.fc27.x86_64
gnupg2-smime-2.2.6-1.fc27.x86_64

make me think it's a GPG verification/key management issue when adding a new repo.



For reference, the repos I'm using:

# cat kubernetes.repo 
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

cat virtualbox.repo 
[virtualbox]
name=Fedora $releasever - $basearch - VirtualBox
baseurl=http://download.virtualbox.org/virtualbox/rpm/fedora/$releasever/$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://www.virtualbox.org/download/oracle_vbox.asc


Also note, more users are experiencing this issue, some anecdotal evidence:
https://github.com/NVIDIA/nvidia-docker/issues/706#issuecomment-382541638

Comment 3 Todd Zullinger 2018-04-21 19:19:39 UTC
This appears to be fixed upstream:

    https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=e2bd152a928d79ddfb95fd2f7911c80a1a8d5a21

I've applied that to gnupg2 and confirmed that it resolves the issue for me.

A pull request to apply this change to the gnupg2 package is here:

    https://src.fedoraproject.org/rpms/gnupg2/pull-request/1

Let me know if I can help with getting that pushed out to current releases.

Comment 5 Fedora Blocker Bugs Application 2018-04-21 19:37:28 UTC
Proposed as a Freeze Exception for 28-final by Fedora user tmz using the blocker tracking app because:

 This bug prevents enabling repositories which enable repo_gpgcheck by default, like the fedora-cisco-openh264 repo which is shipped in fedora-repos.

A fix is in place upstream and I've filed a PR to fix the gnupg2 package, so it should be an easy change.
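
To see which configured repositories are exposed to this failure (only those that set repo_gpgcheck, as the comment above notes), the following added example parses .repo files and lists them with their key URLs. It is not part of the bug thread or of any Fedora tool; the function names and the example-local repo are constructed for illustration.

```shell
#!/bin/sh
# Added example: list repo sections for which dnf verifies repomd.xml.asc.
# Output per line: repo-id <TAB> enabled (1/0) <TAB> gpgkey URLs.
# Assumption: only the per-repo repo_gpgcheck setting is read; a global
# default set in dnf.conf is not considered.
list_repo_gpgcheck() {
    set -- "$1"/*.repo
    [ -e "$1" ] || return 0                       # no .repo files found
    awk '
        function flush() {
            if (id != "" && check) printf "%s\t%d\t%s\n", id, enabled, keys
        }
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function truthy(s) { return tolower(s) ~ /^(1|yes|true|on)$/ }
        FNR == 1 { flush(); id = ""; inkey = 0 }      # start of next file
        /^[ \t]*[#;]/ || /^[ \t]*$/ { inkey = 0; next }  # comment or blank
        /^\[/ {                                       # [section] header
            flush()
            id = $0; sub(/^\[/, "", id); sub(/\].*$/, "", id)
            enabled = 1; check = 0; keys = ""; inkey = 0
            next
        }
        inkey && /^[ \t]/ {                           # gpgkey= continuation
            keys = keys " " trim($0); next
        }
        {
            inkey = 0
            eq = index($0, "="); if (!eq) next
            k = trim(substr($0, 1, eq - 1)); v = trim(substr($0, eq + 1))
            if (k == "enabled") enabled = truthy(v)
            else if (k == "repo_gpgcheck") check = truthy(v)
            else if (k == "gpgkey") { keys = v; inkey = 1 }
        }
        END { flush() }
    ' "$@"
}

# Constructed sample directory, modelled on the repo files quoted in this bug.
make_sample_repos() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[google-cloud-sdk]' 'enabled=1' 'gpgcheck=1' \
        'repo_gpgcheck=1' \
        'gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg' \
        '       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg' \
        > "$d/google-cloud-sdk.repo"
    printf '%s\n' '[example-local]' 'enabled=1' 'gpgcheck=1' \
        > "$d/example-local.repo"
    echo "$d"
}

d=$(make_sample_repos) && list_repo_gpgcheck "$d" && rm -rf "$d"
```

On a real system the directory to pass is /etc/yum.repos.d.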

Comment 6 Todd Zullinger 2018-04-21 20:43:17 UTC
Reading further, after finding other issues with gpgme-1.10.0 and gnupg-2.2.6, upstream decided to patch gpgme instead.  That patch is now applied to the gpgme package on f27 and f28, with rawhide being updated to 1.11.1, which is not affected.

Updates don't seem to have been submitted.  There was some discussion on whether to submit updates in the gpgme PR (https://src.fedoraproject.org/rpms/gpgme/pull-request/3).  I've noted there that this bug affects more common user activities and likely warrants updates sooner rather than later.

Some references from upstream:

    https://gnupg.org/#sec-3-2 (recommends the gpgme patch)
    https://lists.gnupg.org/pipermail/gnupg-users/2018-April/060203.html (thread discussing the initial issue and subsequent problems found which led to patching gpgme rather than gnupg)

Comment 7 Todd Zullinger 2018-04-21 20:54:05 UTC
Reassigning to gpgme since it's the root of the bug (and already has an existing patch and koji builds).

Comment 8 Fedora Update System 2018-04-23 18:14:22 UTC
gpgme-1.10.0-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-82760371c4

Comment 9 Fedora Update System 2018-04-23 22:54:21 UTC
gpgme-1.10.0-4.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-82760371c4

Comment 10 Adam Williamson 2018-04-24 01:09:21 UTC
Discussed at 2018-04-23 freeze exception review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-04-23/f28-blocker-review.2018-04-23-16.00.html . Accepted as a freeze exception issue: this could potentially affect enabling repositories before the system is updated, so it cannot be fully addressed with an update, and ensuring it's fixed on the release media seems desirable.

Comment 11 Todd Zullinger 2018-04-24 02:36:07 UTC
For the upgrade case, is it also important that the f27 update is in place or will the dnf system-upgrade be using the f28 package set by that point?  If not, we might also need to push an f26 update.

Also, in the event that someone still runs into the issue, there are a few ways to work around it.  Here's an excerpt from some testing I did over the weekend when this came up in #fedora with respect to the fedora-cisco-openh264 repo:

### Disable gpg checking and run repolist (with only the affected repo,
### though since no other fedora repos enable repo_gpgcheck by default, this
### was just overly cautious).
# dnf --nogpgcheck --disablerepo '*' --enablerepo fedora-cisco-openh264 repolist
Fedora 27 openh264 (From Cisco) - x86_64        8.4 kB/s | 2.8 kB     00:00
Last metadata expiration check: 0:00:00 ago on Sat Apr 21 21:32:06 2018.
repo id                    repo name                                      status
fedora-cisco-openh264      Fedora 27 openh264 (From Cisco) - x86_64       7

### Now list the repo with gpg checking enabled while the repo cache is still 
### valid.  dnf prompts to install the repo key and successfully installs it.
[root@d5849fadfc13 /]# dnf --disablerepo '*' --enablerepo fedora-cisco-openh264 list openh264
Importing GPG key 0xF5282EE4:
 Userid     : "Fedora 27 (27) <fedora-27@fedoraproject.org>"
 Fingerprint: 860E 19B0 AFA8 00A1 7518 81A6 F55E 7430 F528 2EE4
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-x86_64
Is this ok [y/N]: y
Fedora 27 openh264 (From Cisco) - x86_64         13 kB/s | 2.8 kB     00:00
Last metadata expiration check: 0:00:00 ago on Sat Apr 21 21:32:22 2018.
Installed Packages
openh264.x86_64               1.6.0-5.fc27                @fedora-cisco-openh264
Available Packages
openh264.i686                 1.6.0-5.fc27                fedora-cisco-openh264

This was taken from a paste I made to demonstrate the issue and workaround, here: https://paste.fedoraproject.org/paste/VIYYKUP08uZeqNVlptzTnw

Ideally no one will need to use this silly workaround, but I thought I would mention it in case anyone is curious.

More important is whether we need to ensure f26 and f27 also get the gpgme update before f28 is released.  I'm not sure it is, but it's also probably worth having just to be sure.  It is a one-line patch recommended by upstream, so it shouldn't be terribly risky.

Comment 12 Fedora Update System 2018-04-25 00:02:56 UTC
gpgme-1.10.0-4.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
