Bug 1741442 - GPG signature repomd.xml.asc is not available in fedora repositories, 404 if repo_gpgcheck=1
Summary: GPG signature repomd.xml.asc is not available in fedora repositories, 404 if ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnf
Version: 32
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Lukáš Hrázký
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-08-15 07:29 UTC by Phil V
Modified: 2020-05-05 07:16 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-05 07:16:12 UTC
Type: Bug


Attachments (Terms of Use)

Description Phil V 2019-08-15 07:29:03 UTC
Fedora repositories lack the .asc files to support repo_gpgcheck=1.

This is apparently an architectural decision with reasonable justification, according to 

https://fedoramagazine.org/fedora-secures-package-delivery/
.

However I wish it were more clearly documented because otherwise people will set repo_gpgcheck=1 and wonder why they are getting 404 errors. 

How reproducible: Always

Steps to Reproduce:

1. in any of /etc/yum.repos.d/fedora*.repo
   set repo_gpgcheck=1 

2. dnf clean all

3. dnf update -vvv 

Actual results:

Cannot download 'https://mirrors.fedoraproject.org/metalink?repo=updates-released-f30&arch=x86_64': 
GPG verification is enabled, but GPG signature repomd.xml.asc is not available: 
Status code: 404 for 
https://MIRROR/fedora/linux/updates/30/Everything/x86_64/repodata/repomd.xml.asc.

Expected results:
A repomd.xml.asc file should exist for each repomd.xml file

Additional info:
You can manually browse the repositories and see repomd.xml but not repomd.xml.asc


Conclusion: please put a note in the .repo files to avoid misleading users with the appearance that repo_gpgcheck=1 is an option.

I propose a comment in the files /etc/yum.repos.d/fedora-*.repo

#FEDORA: repo_gpgcheck=1 is not supported by Fedora repositories.
#FEDORA:  It can not protect against expired data or signatures.

Comment 2 Lukáš Hrázký 2019-09-04 15:33:09 UTC
I've adjusted the message to hopefully make it clearer and also display the full error even without -v. I think that should be sufficient to inform the user in case he does try to set repo_gpgcheck.

PRs:
https://github.com/rpm-software-management/librepo/pull/165
https://github.com/rpm-software-management/libdnf/pull/788
https://github.com/rpm-software-management/dnf/pull/1475
https://github.com/rpm-software-management/ci-dnf-stack/pull/620

Comment 3 Lukáš Hrázký 2019-09-20 11:11:48 UTC
Turns out this will mean not logging the error (in dnf.log) in case of usage through the API, I'll need to revisit this.

(The problem is everything logged at the ERROR level is also printed to stderr and that means the error is printed twice when running dnf from the command line)

Comment 4 Lukáš Hrázký 2019-10-16 14:09:40 UTC
We've determined logging the error is responsibility of the API user.

Comment 5 Fedora Update System 2019-11-11 09:43:14 UTC
FEDORA-2019-7cafbe66ba has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cafbe66ba

Comment 6 Fedora Update System 2019-11-11 09:43:47 UTC
FEDORA-2019-94393775ec has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-94393775ec

Comment 7 Fedora Update System 2019-11-12 03:07:39 UTC
dnf-4.2.15-1.fc30, dnf-plugins-core-4.0.11-1.fc30, dnf-plugins-extras-4.0.8-1.fc30, libdnf-0.37.2-2.fc30, librepo-1.11.0-1.fc30, microdnf-3.0.2-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cafbe66ba

Comment 8 Fedora Update System 2019-11-13 04:56:07 UTC
dnf-4.2.15-1.fc31, dnf-plugins-core-4.0.11-1.fc31, dnf-plugins-extras-4.0.8-1.fc31, libdnf-0.37.2-2.fc31, librepo-1.11.0-1.fc31, microdnf-3.0.2-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-94393775ec

Comment 9 Fedora Update System 2019-11-14 06:46:54 UTC
FEDORA-2019-7cafbe66ba has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cafbe66ba

Comment 10 Fedora Update System 2019-11-14 06:50:41 UTC
FEDORA-2019-94393775ec has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-94393775ec

Comment 11 Fedora Update System 2019-11-15 03:45:04 UTC
dnf-4.2.15-3.fc30, dnf-plugins-core-4.0.11-1.fc30, dnf-plugins-extras-4.0.8-1.fc30, libdnf-0.37.2-2.fc30, librepo-1.11.0-1.fc30, microdnf-3.0.2-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cafbe66ba

Comment 12 Fedora Update System 2019-11-15 04:38:37 UTC
dnf-4.2.15-2.fc31, dnf-plugins-core-4.0.11-1.fc31, dnf-plugins-extras-4.0.8-1.fc31, libdnf-0.37.2-2.fc31, librepo-1.11.0-1.fc31, microdnf-3.0.2-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-94393775ec

Comment 13 Fedora Update System 2019-11-19 01:35:08 UTC
dnf-4.2.15-2.fc31, dnf-plugins-core-4.0.11-1.fc31, dnf-plugins-extras-4.0.8-1.fc31, libdnf-0.37.2-2.fc31, librepo-1.11.0-1.fc31, microdnf-3.0.2-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2019-12-02 19:10:29 UTC
dnf-4.2.15-3.fc30, dnf-plugins-core-4.0.11-1.fc30, dnf-plugins-extras-4.0.8-1.fc30, libdnf-0.37.2-2.fc30, librepo-1.11.0-1.fc30, microdnf-3.0.2-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Ben Cotton 2020-02-11 17:42:42 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.


Note You need to log in before you can comment on or make changes to this bug.