2017069 – cannot build for Almalinux 8

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2017069 - cannot build for Almalinux 8

Summary: cannot build for Almalinux 8

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	yum
Sub Component:
Version:	7.9
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Packaging Maintenance Team
QA Contact:	swm-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-10-25 14:23 UTC by Götz Waschk
Modified:	2021-11-15 10:11 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-11-15 10:10:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-101215	0	None	None	None	2021-11-01 12:13:11 UTC

Description Götz Waschk 2021-10-25 14:23:31 UTC

Description of problem:
I cannot build any package with the included almalinux-8-x86_64.cfg configuration, it fails with a gpg error.

Version-Release number of selected component (if applicable):
mock-core-configs-36.1-1.el7.noarch
mock-2.12-1.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. mock -i rpm-build -r almalinux-8-x86_64
2.
3.

Actual results:
Downloading packages:
warning: /var/lib/mock/almalinux-8-x86_64-bootstrap/root/var/cache/yum/baseos/packages/gnutls-3.6.14-8.el8_3.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID c21ad6ea: NOKEY
Retrieving key from file:///usr/share/distribution-gpg-keys/alma/RPM-GPG-KEY-AlmaLinux


The GPG keys listed for the "AlmaLinux 8 - BaseOS" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.


 Failing package is: gnutls-3.6.14-8.el8_3.x86_64
 GPG Keys are configured as: file:///usr/share/distribution-gpg-keys/alma/RPM-GPG-KEY-AlmaLinux


Expected results:
no error

Additional info:
The package gnutls-3.6.14-8.el8_3.x86_64.rpm from AL8 is signed with the key  c21ad6ea which is part of the included configuration:
gpg --keyid-format 0xshort /usr/share/distribution-gpg-keys/alma/RPM-GPG-KEY-AlmaLinux
pub  4096R/0x3ABB34F8 2021-01-12 AlmaLinux <packager>
sub  3072R/0xC21AD6EA 2021-01-12 [expires: 2024-01-12]

But it is a subkey, apparently only the main key 3abb34f8 is used by dnf here.

Comment 1 Pavel Raiskup 2021-10-25 15:02:59 UTC

I think that YUM on EL7 doesn't support subkeys. This is though hard to configure in mock, I bet, @yum-folks?

Comment 2 Pavel Raiskup 2021-10-25 15:08:47 UTC

Meh, submitted too early.  What happens here is that Mock uses YUM to install the bootstrap chroot,
but /usr/share/distribution-gpg-keys/alma/RPM-GPG-KEY-AlmaLinux is what it is (see the comment #0).

I'm switching against YUM for documentation purposes, perhaps YUM maintainers can give
use more info on how to configure this.

From Mock perspective, any updates for Mock in epel7 will get only the important bugfixes;
the solution for this problem is to update the system to EL8.

Comment 6 Jaroslav Mracek 2021-11-15 10:10:34 UTC

I am really sorry, RHEL 7 is currently in Maintenance Support 2 Phase therefore we cannot delivery any bugfix or feature request. Only security issues can be resolved. To resolve the issue it would require not only YUM update, but also update RPM to 4.12 or backport gpg subkey support. It means the report is more feature request rather then a bugfix.


Because requested feature is supported in RHEL8, I am closing it as next release.

Note You need to log in before you can comment on or make changes to this bug.