1591270 – GS is not able to install any application

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1591270 - GS is not able to install any application

Summary: GS is not able to install any application

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	gnome-software
Sub Component:
Version:	7.9
Hardware:	x86_64
OS:	All
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Milan Crha
QA Contact:	Desktop QE
Docs Contact:	Marek Suchánek
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-06-14 12:35 UTC by Martin Krajnak
Modified:	2021-02-15 07:39 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	.`GNOME Software` cannot install packages from unsigned repositories `GNOME Software` cannot install packages from repositories that have the following setting in the *.repo file: gpgcheck=0 If you attempt to install a package from such repository, `GNOME software` fails with a generic error. Currently, there is no workaround available.
Clone Of:
Clones:	1638755 (view as bug list)
Environment:
Last Closed:	2021-02-15 07:39:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
log for first reproducer (375.07 KB, text/plain) 2018-06-14 12:39 UTC, Martin Krajnak	no flags	Details
log for second reproducer (366.02 KB, text/plain) 2018-06-14 12:39 UTC, Martin Krajnak	no flags	Details
View All

Description Martin Krajnak 2018-06-14 12:35:28 UTC

Description of problem:
I wasn't able to install any application, tried on 3 machines.

We are probably dealing with 2 bugs I am not quite sure:
1. reproducer
Installing Audacity ended up with message that I don't have permission to install

Result: Output from gnome-software --verbose:
12:20:38:0871 As  run 0x2744370~GsPlugin::*(gs_plugin_app_install)
12:20:38:0871 As  run 0x2744370~GsPlugin::packagekit(gs_plugin_app_install)
12:20:38:0871 PK  adding state 0x7f31a8070900
12:20:38:0871 PK  role now install-packages
12:20:38:0967 Gs  emitting waiting(audacity.desktop)
12:20:38:0967 Gs  emitting waiting(audacity.desktop)
12:20:39:0039 PK  remove state 0x7f31a8070900
12:20:39:0040 Gs  recovering state on audacity.desktop from installing to available
12:20:39:0040 Gs  failed to call gs_plugin_app_install on packagekit: Failed to obtain authentication.

2. reproducer 
I tried to run with sudo, it again failed with message:
"Unable to install Audacity as not supported"

Result: Output from gnome-software --verbose:
12:31:59:0240 As  run 0x1da4800~GsPlugin::*(gs_plugin_app_install)
12:31:59:0240 As  run 0x1da4800~GsPlugin::packagekit(gs_plugin_app_install)
12:31:59:0240 PK  adding state 0x7f84dc08c810
12:31:59:0240 PK  role now install-packages
12:31:59:0275 As  run 0x1da4800~packagekit-refine::transaction
12:31:59:0295 Gs  emitting waiting(audacity.desktop)
12:31:59:0295 Gs  emitting waiting(audacity.desktop)
12:31:59:0295 Gs  emitting waiting(audacity.desktop)
12:31:59:0596 Gs  emitting setup(audacity.desktop)
12:31:59:0694 Gs  emitting querying(audacity.desktop)
12:32:01:0653 Gs  emitting downloading(audacity.desktop)
12:32:01:0653 PK  remove state 0x7f84dc08c810
12:32:01:0653 Gs  recovering state on audacity.desktop from installing to available
12:32:01:0653 Gs  failed to call gs_plugin_app_install on packagekit: could not do untrusted question as no klass support
12:32:01:0653 As  run 0x1da4800~GsPlugin::fwupd(gs_plugin_app_install)
12:32:01:0653 As  run 0x1da4800~GsPlugin::steam(gs_plugin_app_install)
12:32:01:0653 As  run 0x1da4800~GsPlugin::flatpak(gs_plugin_app_install)
12:32:01:0653 Gs  emitting setup(audacity.desktop)
12:32:01:0653 As  run 0x1da480


Version-Release number of selected component (if applicable):
gnome-software-3.28.2-1.el7.x86_64

How reproducible:
always

Additional info:

Comment 3 Martin Krajnak 2018-06-14 12:39:26 UTC

Created attachment 1451345 [details]
log for first reproducer

Comment 4 Martin Krajnak 2018-06-14 12:39:59 UTC

Created attachment 1451346 [details]
log for second reproducer

Comment 6 Richard Hughes 2018-06-19 10:39:57 UTC

Looks like a PolicyKit issue to me.

Comment 7 Martin Krajnak 2018-06-19 15:16:10 UTC

(In reply to Richard Hughes from comment #6)
> Looks like a PolicyKit issue to me.

Hi Richard, based on your comment I would like to ask 2 questions:

1.So, Should I switch the component to PolicyKit?
2.Is it ok that flatpak installation process is without autentication? I know that apps are sandboxed but it somehow look wrong to me.

Thanks.

Comment 8 Kalev Lember 2018-08-13 12:30:17 UTC

I was debugging this together with Martin and here's what we found out:

Martin's .repo files include internal repos that have gpgcheck=0. When the transaction includes packages that are from gpgcheck=0 repos, then it hits a packagekit code path for unsigned repos. pkcon has a "Do you want to install unsigned packages..." question for that, but gnome-software doesn't have that and just fails with a generic error.

Customers should hopefully not get that error at all as the public repos have gpgcheck=1. I don't think it's a regression or anything, just something that came up with testing with internal repos that have gpgcheck=0.

There's two things we could do here:

a) If we don't want to allow installing from gpgcheck=0 repos at all, then we need a better error message in gnome-software.

b) If we'd like to make gpgcheck=0 repos work in gnome-software (which I think is the pragmatic thing to do to) we should be able to wire up the packagekit "Do you want to install unsigned packages..." in gnome-software. Or alternatively just install without the question.

From quick irc discussion hughsie prefers option a.

Comment 9 Richard Hughes 2018-09-21 12:34:19 UTC

> then we need a better error message in gnome-software

Ahh, I was under the impression we didn't show anything. "...as not supported." as a notification is actually true -- we don't support installing unsigned software insecurely. I don't think having a dialog saying "Do something that's hugely dangerous [Yes] [No]" is helpful, or a good idea. If the user wants to install unsigned builds over http:// then they can use dnf on the command line as the root user.

I'm not sure I can come up with a non-technical explanation of this suitable for an in-app notification, and even if we did we'd have no way of getting the new localized string into RHEL7.6 without a whole heap of translator pain.

I guess one thing we could do is show the long detailed error -- but that makes the design team unhappy. Given that gpgcheck=no is the uncommon (and unsupported) case, I don't think we should do anything for this bug. Sorry.

The only-being-able-to-install-as-root issue isn't the same cause, and I'd wager it's some kind of policykit/gnome-shell/gnome-session issue. GNOME Software doesn't even issue the requests -- they come from packagekitd out of band back to the desktop and back again.

Comment 10 Matthias Clasen 2018-09-21 12:57:25 UTC

I agree that having a notification like that is not useful.

Comment 11 Red Hat Bugzilla Rules Engine 2018-09-25 14:10:30 UTC

Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Comment 12 Martin Krajnak 2018-11-05 14:36:15 UTC

Even with rhel-7 out I have problem with installing packages:

14:19:55:0332 Gs  failed to call gs_plugin_app_install on packagekit: could not do untrusted question as no klass support


looks like the problem is the same as in rhel-8

Adding the repo used on new freshly installed rhel machine:
[test@beaker-gnome-software-rhel-7 /]$ cat etc/yum.repos.d/repofile.repo 
[RHEL-7.6-20181010.0_Server]
name=RHEL-7.6-20181010.0_Server
baseurl=http://download.eng.rdu2.redhat.com/rel-eng/RHEL-7.6-20181010.0/compose/Server/x86_64/os/
enabled=1
gpgcheck=0
skip_if_unavailable=1


[RHEL-7.6-20181010.0_Server-optional]
name=RHEL-7.6-20181010.0_Server-optional
baseurl=http://download.eng.rdu2.redhat.com/rel-eng/RHEL-7.6-20181010.0/compose/Server-optional/x86_64/os/
enabled=1
gpgcheck=0
skip_if_unavailable=1

I couldn't find gpg key within the repo but I don't think it is only a signature problem aj I am getting slightly different message:

Unable to install Brasero: you don't have permission to install the software

I am running the app under the regular user with sudo configured.

If you are sure that it is only caused by the missing gpg signatures please Close

Comment 13 Martin Krajnak 2019-04-09 12:34:24 UTC

Still hitting this in 7.7, but not I can confirm for sure that it's because of applications not being signed since I am able to install apps from epel without problem, so I think this should be documented as known issues - An unsigned application cannot be installed by Application Installer

Comment 27 RHEL Program Management 2021-02-15 07:39:34 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Note You need to log in before you can comment on or make changes to this bug.