Bug 1767007 - Can't pull from untrusted non-gpg verified remote when updating Flatpak Firefox 69 > 70
Summary: Can't pull from untrusted non-gpg verified remote when updating Flatpak Firef...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: flatpak
Version: ---
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Kalev Lember
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: 1783954
TreeView+ depends on / blocked
 
Reported: 2019-10-30 13:30 UTC by David
Modified: 2020-04-28 16:11 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1783954 (view as bug list)
Environment:
Last Closed: 2020-04-28 16:10:29 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2020:1767 None None None 2020-04-28 16:11:10 UTC

Description David 2019-10-30 13:30:20 UTC
Description of problem:

I am using Centos 8, but I assume that makes this valid for RHEL 8.

Firefox 69 flatpak from Fedora flatpak OCI worked, but when I try to update to 70 I get "Can't pull from untrusted non-gpg verified remote" 
 
Version-Release number of selected component (if applicable):

Flatpak 1.0.6

Please see my report, the package maintainer suggested I make a bug report here:

https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2019-619c0a6211

I originally added the repo with flatpak remote-add --if-not-exists fedora oci+https://registry.fedoraproject.org

This is the output from the terminal when I try to update:

flatpak update
Looking for updates...
Installing in system:
org.freedesktop.Platform.openh264/x86_64/19.08 flathub 563e6c1a7173
Updating in system:
org.mozilla.Firefox/x86_64/stable fedora 445138d3b3fb
Is this ok [y/n]: y
Updating: org.mozilla.Firefox/x86_64/stable from fedora
Error: Failed to update org.mozilla.Firefox/x86_64/stable: Can't pull from untrusted non-gpg verified remote
Installing: org.freedesktop.Platform.openh264/x86_64/19.08 from flathub
Warning: Failed to install org.freedesktop.Platform.openh264/x86_64/19.08: runtime/org.freedesktop.Platform.openh264/x86_64/19.08 needs a later flatpak version (1.4.2;1.2.5;1.0.9;)
error: There were one or more errors

Comment 1 David King 2019-10-30 13:44:44 UTC
The other error message clearly states that you need a more recent flatpak version.

Comment 2 David 2019-10-30 16:24:21 UTC
(In reply to David King from comment #1)
> The other error message clearly states that you need a more recent flatpak
> version.

That is unrelated. It said that when I installed FF69 and worked fine. This bug report relates to "Can't pull from untrusted non-gpg verified remote"

Comment 3 David 2019-10-31 10:46:07 UTC
Gnome Software just tried to update Firefox, it claimed it was successfully updated, and then gave the exact same "Can't pull from untrusted non-gpg verified remote" error. It was not updated and remains in the list of software that has updates.

Comment 4 Kalev Lember 2019-11-06 13:06:31 UTC
Owen, do you know if we are missing an OCI patch for rhel 8.1.0 flatpak builds? I feel like we've had this error in Fedora as well in the past and you fixed it.

Comment 5 Owen Taylor 2019-11-12 17:47:56 UTC
Looks like https://lists.fedoraproject.org/archives/list/desktop@lists.fedoraproject.org/message/XV76QSHKUEKWQBZYPAMHJEIUSU26IQ5C/ - we patched it in 1.2.4-X for Fedora, and it was fixed in 1.4 upstream - so, yes, it wouldn't be fixed in the 8.1.0 1.0.6 unless we added a patch. 

Installing from https://firefox-flatpak.mojefedora.cz/ would be one workaround - this problem only occurs for OCI remotes, like the Fedora Flatpak remote.

Comment 12 Kalev Lember 2020-01-29 15:14:14 UTC
OK, patches backported and the build is under way.

Comment 13 Tomas Pelka 2020-01-29 20:51:53 UTC
The fix in field version belong to z-stream clone.

Kalev do you plan to create also 8.2.0 build or does 1.6 version that we have in 8.2 already contain these fixes?

Comment 15 Kalev Lember 2020-01-30 08:08:25 UTC
(In reply to Tomas Pelka from comment #13)
> The fix in field version belong to z-stream clone.

Oops, let me move it there.

> Kalev do you plan to create also 8.2.0 build or does 1.6 version that we
> have in 8.2 already contain these fixes?

flatpak 1.6 already has all the fixes. We only needed to do the backport for 1.0.9 that was in RHEL 8.1.

Also, it would be nice to backport the same fixes to RHEL 7 that also has flatpak 1.0.9 -- do you think we could do that?

Comment 21 Martin Krajnak 2020-02-11 14:22:21 UTC
Thanks a lot for fix !

rpms:
flatpak-1.0.9-2.el8_1.x86_64

log:
[test@localhost ~]$ flatpak list --user -da | grep -i  org.mozilla.Firefox
org.mozilla.Firefox/x86_64/stable	OCI	30cb2f813bd4	-	256.1 MB	alt-id=08731b5f97b2,current
[test@localhost ~]$ flatpak -y --user update 
Looking for updates...
Updating in user:
org.fedoraproject.Platform/x86_64/f31 OCI 58bbb9bba8f8
org.mozilla.Firefox/x86_64/stable     OCI 41f6a5df5773
Updating for user: org.fedoraproject.Platform/x86_64/f31 from OCI
[####################] Downloading: 562.5 MB/562.5 MB (56.3 MB/s)
Now at 1735a0ef85e3.
Updating for user: org.mozilla.Firefox/x86_64/stable from OCI
[####################] Downloading: 121.7 MB/121.7 MB (60.9 MB/s)
Now at ea7830cade66.
[test@localhost ~]$ flatpak list --user -da | grep -i  org.mozilla.Firefox
org.mozilla.Firefox/x86_64/stable	OCI	ea7830cade66	-	256.1 MB	alt-id=41f6a5df5773,current
[test@localhost ~]$

Comment 22 Martin Krajnak 2020-02-11 14:27:37 UTC
Sorry wrong rpm in Comment 21:

the righ one is flatpak-1.6.1-1.el8.x86_64

Comment 23 Martin Krajnak 2020-02-11 15:11:40 UTC
Also the log differs in newer flatpak versions:

[test@localhost ~]$ flatpak --user update  
Looking for updates…


        ID                           Branch   Op  Remote  Download
 1.     org.fedoraproject.Platform   f31      u   OCI     < 562.5 MB
 2.     org.mozilla.Firefox          stable   u   OCI     < 121.7 MB

Proceed with these changes to the user installation? [Y/n]: ^C[test@localhost ~]$ 
[test@localhost ~]$ 
[test@localhost ~]$ 
[test@localhost ~]$ flatpak --user -y  update  
Looking for updates…


        ID                           Branch   Op  Remote  Download
 1. [✓] org.fedoraproject.Platform   f31      u   OCI     < 562.5 MB
 2. [✓] org.mozilla.Firefox          stable   u   OCI     < 121.7 MB

Warning: Ignoring release element without timestamp or date
Updates complete.
[test@localhost ~]$ rpm -q flatpak 
flatpak-1.6.1-1.el8.x86_64

Comment 24 Kalev Lember 2020-02-11 16:22:36 UTC
Oh, one thing I just noticed: the original bug was specifically about _system_ installed firefox updates not working, but you are testing _user_ installed.

Comment 25 Martin Krajnak 2020-02-17 12:44:28 UTC
Retested:

[test@localhost ~]$ flatpak -y update 
Looking for updates…


        ID                           Branch         Op         Remote         Download
 1. [✓] org.mozilla.Firefox          stable         u          OCI            122.5 MB / 122.5 MB

Warning: Ignoring release element without timestamp or date
Updates complete.
[test@localhost ~]$ flatpak list 
Name            Application ID                    Version       Branch       Installation
Platform        org.fedoraproject.Platform                      f31          system
Platform        org.fedoraproject.Platform                      f31          user
Firefox         org.mozilla.Firefox                             stable       system
Firefox         org.mozilla.Firefox                             stable       user
[test@localhost ~]$ flatpak run org.mozilla.Firefox --version 
Mozilla Firefox 73.0
[test@localhost ~]$

Comment 27 errata-xmlrpc 2020-04-28 16:10:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1767


Note You need to log in before you can comment on or make changes to this bug.