1767007 – Can't pull from untrusted non-gpg verified remote when updating Flatpak Firefox 69 > 70

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1767007 - Can't pull from untrusted non-gpg verified remote when updating Flatpak Firefox 69 > 70

Summary: Can't pull from untrusted non-gpg verified remote when updating Flatpak Firef...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	flatpak
Sub Component:
Version:	---
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Kalev Lember
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1783954
TreeView+	depends on / blocked

Reported:	2019-10-30 13:30 UTC by David
Modified:	2022-05-06 01:03 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1783954 (view as bug list)
Environment:
Last Closed:	2020-04-28 16:10:29 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-29771	0	None	None	None	2022-05-06 01:03:09 UTC
Red Hat Product Errata	RHEA-2020:1767	0	None	None	None	2020-04-28 16:11:10 UTC

Description David 2019-10-30 13:30:20 UTC

Description of problem:

I am using Centos 8, but I assume that makes this valid for RHEL 8.

Firefox 69 flatpak from Fedora flatpak OCI worked, but when I try to update to 70 I get "Can't pull from untrusted non-gpg verified remote" 
 
Version-Release number of selected component (if applicable):

Flatpak 1.0.6

Please see my report, the package maintainer suggested I make a bug report here:

https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2019-619c0a6211

I originally added the repo with flatpak remote-add --if-not-exists fedora oci+https://registry.fedoraproject.org

This is the output from the terminal when I try to update:

flatpak update
Looking for updates...
Installing in system:
org.freedesktop.Platform.openh264/x86_64/19.08 flathub 563e6c1a7173
Updating in system:
org.mozilla.Firefox/x86_64/stable fedora 445138d3b3fb
Is this ok [y/n]: y
Updating: org.mozilla.Firefox/x86_64/stable from fedora
Error: Failed to update org.mozilla.Firefox/x86_64/stable: Can't pull from untrusted non-gpg verified remote
Installing: org.freedesktop.Platform.openh264/x86_64/19.08 from flathub
Warning: Failed to install org.freedesktop.Platform.openh264/x86_64/19.08: runtime/org.freedesktop.Platform.openh264/x86_64/19.08 needs a later flatpak version (1.4.2;1.2.5;1.0.9;)
error: There were one or more errors

Comment 1 David King 2019-10-30 13:44:44 UTC

The other error message clearly states that you need a more recent flatpak version.

Comment 2 David 2019-10-30 16:24:21 UTC

(In reply to David King from comment #1)
> The other error message clearly states that you need a more recent flatpak
> version.

That is unrelated. It said that when I installed FF69 and worked fine. This bug report relates to "Can't pull from untrusted non-gpg verified remote"

Comment 3 David 2019-10-31 10:46:07 UTC

Gnome Software just tried to update Firefox, it claimed it was successfully updated, and then gave the exact same "Can't pull from untrusted non-gpg verified remote" error. It was not updated and remains in the list of software that has updates.

Comment 4 Kalev Lember 2019-11-06 13:06:31 UTC

Owen, do you know if we are missing an OCI patch for rhel 8.1.0 flatpak builds? I feel like we've had this error in Fedora as well in the past and you fixed it.

Comment 5 Owen Taylor 2019-11-12 17:47:56 UTC

Looks like https://lists.fedoraproject.org/archives/list/desktop@lists.fedoraproject.org/message/XV76QSHKUEKWQBZYPAMHJEIUSU26IQ5C/ - we patched it in 1.2.4-X for Fedora, and it was fixed in 1.4 upstream - so, yes, it wouldn't be fixed in the 8.1.0 1.0.6 unless we added a patch. 

Installing from https://firefox-flatpak.mojefedora.cz/ would be one workaround - this problem only occurs for OCI remotes, like the Fedora Flatpak remote.

Comment 12 Kalev Lember 2020-01-29 15:14:14 UTC

OK, patches backported and the build is under way.

Comment 13 Tomas Pelka 2020-01-29 20:51:53 UTC

The fix in field version belong to z-stream clone.

Kalev do you plan to create also 8.2.0 build or does 1.6 version that we have in 8.2 already contain these fixes?

Comment 15 Kalev Lember 2020-01-30 08:08:25 UTC

(In reply to Tomas Pelka from comment #13)
> The fix in field version belong to z-stream clone.

Oops, let me move it there.

> Kalev do you plan to create also 8.2.0 build or does 1.6 version that we
> have in 8.2 already contain these fixes?

flatpak 1.6 already has all the fixes. We only needed to do the backport for 1.0.9 that was in RHEL 8.1.

Also, it would be nice to backport the same fixes to RHEL 7 that also has flatpak 1.0.9 -- do you think we could do that?

Comment 21 Martin Krajnak 2020-02-11 14:22:21 UTC

Thanks a lot for fix !

rpms:
flatpak-1.0.9-2.el8_1.x86_64

log:
[test@localhost ~]$ flatpak list --user -da | grep -i  org.mozilla.Firefox
org.mozilla.Firefox/x86_64/stable	OCI	30cb2f813bd4	-	256.1 MB	alt-id=08731b5f97b2,current
[test@localhost ~]$ flatpak -y --user update 
Looking for updates...
Updating in user:
org.fedoraproject.Platform/x86_64/f31 OCI 58bbb9bba8f8
org.mozilla.Firefox/x86_64/stable     OCI 41f6a5df5773
Updating for user: org.fedoraproject.Platform/x86_64/f31 from OCI
[####################] Downloading: 562.5 MB/562.5 MB (56.3 MB/s)
Now at 1735a0ef85e3.
Updating for user: org.mozilla.Firefox/x86_64/stable from OCI
[####################] Downloading: 121.7 MB/121.7 MB (60.9 MB/s)
Now at ea7830cade66.
[test@localhost ~]$ flatpak list --user -da | grep -i  org.mozilla.Firefox
org.mozilla.Firefox/x86_64/stable	OCI	ea7830cade66	-	256.1 MB	alt-id=41f6a5df5773,current
[test@localhost ~]$

Comment 22 Martin Krajnak 2020-02-11 14:27:37 UTC

Sorry wrong rpm in Comment 21:

the righ one is flatpak-1.6.1-1.el8.x86_64

Comment 23 Martin Krajnak 2020-02-11 15:11:40 UTC

Also the log differs in newer flatpak versions:

[test@localhost ~]$ flatpak --user update  
Looking for updates…


        ID                           Branch   Op  Remote  Download
 1.     org.fedoraproject.Platform   f31      u   OCI     < 562.5 MB
 2.     org.mozilla.Firefox          stable   u   OCI     < 121.7 MB

Proceed with these changes to the user installation? [Y/n]: ^C[test@localhost ~]$ 
[test@localhost ~]$ 
[test@localhost ~]$ 
[test@localhost ~]$ flatpak --user -y  update  
Looking for updates…


        ID                           Branch   Op  Remote  Download
 1. [✓] org.fedoraproject.Platform   f31      u   OCI     < 562.5 MB
 2. [✓] org.mozilla.Firefox          stable   u   OCI     < 121.7 MB

Warning: Ignoring release element without timestamp or date
Updates complete.
[test@localhost ~]$ rpm -q flatpak 
flatpak-1.6.1-1.el8.x86_64

Comment 24 Kalev Lember 2020-02-11 16:22:36 UTC

Oh, one thing I just noticed: the original bug was specifically about _system_ installed firefox updates not working, but you are testing _user_ installed.

Comment 25 Martin Krajnak 2020-02-17 12:44:28 UTC

Retested:

[test@localhost ~]$ flatpak -y update 
Looking for updates…


        ID                           Branch         Op         Remote         Download
 1. [✓] org.mozilla.Firefox          stable         u          OCI            122.5 MB / 122.5 MB

Warning: Ignoring release element without timestamp or date
Updates complete.
[test@localhost ~]$ flatpak list 
Name            Application ID                    Version       Branch       Installation
Platform        org.fedoraproject.Platform                      f31          system
Platform        org.fedoraproject.Platform                      f31          user
Firefox         org.mozilla.Firefox                             stable       system
Firefox         org.mozilla.Firefox                             stable       user
[test@localhost ~]$ flatpak run org.mozilla.Firefox --version 
Mozilla Firefox 73.0
[test@localhost ~]$

Comment 27 errata-xmlrpc 2020-04-28 16:10:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1767

Note You need to log in before you can comment on or make changes to this bug.