Bug 2130122 - Switch rpm to use Sequoia OpenPGP
Summary: Switch rpm to use Sequoia OpenPGP
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: 38
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Ben Cotton
QA Contact:
URL:
Whiteboard:
Depends On: 2087499 2141686 2170878 2180049
Blocks: F38Changes
Reported: 2022-09-27 09:13 UTC by Panu Matilainen
Modified: 2023-04-18 14:06 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-04-18 14:06:36 UTC
Type: Bug
Embargoed:



Description Panu Matilainen 2022-09-27 09:13:25 UTC
Description of problem:
Rpm has been using its own simple and flawed OpenPGP parser ever since v4.0 or so. There's now a much more advanced alternative in rpm-sequoia; we should switch rpm to use it instead.

The initial plan for this change is early in the Fedora 38 release process, to have time to deal with any potential teething issues.

Comment 1 Panu Matilainen 2022-10-10 11:39:44 UTC
(This is a tracking bug for https://fedoraproject.org/wiki/Changes/RpmSequoia)

Comment 2 Panu Matilainen 2022-11-09 09:16:06 UTC
Blocked by https://pagure.io/fedora-ci/general/issue/371

Comment 3 Panu Matilainen 2022-11-10 10:40:57 UTC
Aand we're live in rawhide, including builders.

Comment 4 Panu Matilainen 2022-11-11 08:32:35 UTC
This is on hold until Sequoia adds support for V3 signatures; those were discovered to be the predominant life-form in the rpm ecosystem (see https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c23 for details).

Comment 5 neal 2022-11-11 08:36:25 UTC
FYI, I'm currently testing it (see https://gitlab.com/sequoia-pgp/sequoia/-/merge_requests/1377)

Comment 6 Panu Matilainen 2022-11-11 08:43:24 UTC
Wow, that was quick :) Thanks a lot for working on that!

Comment 7 neal 2022-11-11 14:24:58 UTC
I believe this is the output that we want to see:

```
$ ~/rpm/_build/rpmkeys -K /tmp/python3-docutils-0.19-1.fc38.noarch.rpm 
/tmp/python3-docutils-0.19-1.fc38.noarch.rpm: digests signatures OK
```

:D

Comment 8 Panu Matilainen 2022-11-14 07:54:33 UTC
(In reply to neal from comment #7)
> I believe this is the output that we want to see:
> 
> ```
> $ ~/rpm/_build/rpmkeys -K /tmp/python3-docutils-0.19-1.fc38.noarch.rpm 
> /tmp/python3-docutils-0.19-1.fc38.noarch.rpm: digests signatures OK
> ```
> 
> :D

Yay, indeed :)

FWIW, for troubleshooting and such, you typically want to use 'rpmkeys -Kv' which produces more information about what exactly is being verified.

Comment 9 neal 2022-11-14 10:52:22 UTC
> FWIW, for troubleshooting and such, you typically want to use 'rpmkeys -Kv' which produces more information about what exactly is being verified.

Good point, thanks for the tip!

```
$ ~/rpm/_build/rpmkeys -Kv /tmp/python3-pytest-7.1.3-1.fc38.noarch.rpm 
/tmp/python3-pytest-7.1.3-1.fc38.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 6326b335: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 6326b335: OK
    MD5 digest: OK
```
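
The verbose listing above is the form a practitioner ends up scripting against when auditing a set of packages. The following is an added example, not code from rpm, rpm-sequoia or Fedora: a small parser for `rpmkeys -Kv` output that turns each check line into a record and applies a constructed policy (every check OK, at least one OpenPGP signature present rather than digests only, and the signing key ID in an allow-list). It assumes the line layout shown in comment 9; the sample input embeds that output plus two constructed packages (an unsigned one, and one signed by a key that is not in the keyring, which rpm reports as NOKEY). The key ID 0123abcd is a placeholder, and the "trusted" set simply reuses the key ID from the quoted output.

```python
"""Parse `rpmkeys -Kv` output and apply a simple signature policy (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample: the first package is the verbose output quoted in the
# thread; the other two are made up to exercise the failure paths.
# The key ID 0123abcd is a placeholder, not a real key.
SAMPLE_OUTPUT = """\
/tmp/python3-pytest-7.1.3-1.fc38.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 6326b335: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 6326b335: OK
    MD5 digest: OK
/tmp/constructed-unsigned-1.0-1.noarch.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
/tmp/constructed-foreign-key-1.0-1.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""

# Assumed allow-list for the policy; reuses the key ID seen in the thread.
TRUSTED_KEY_IDS = {"6326b335"}

# Package line: unindented path ending in ":".  Check line: indented,
# optional scope, then either a signature or a digest, then ": <STATUS>".
PKG_RE = re.compile(r"^(?P<pkg>\S.*):\s*$")
CHECK_RE = re.compile(
    r"^\s+(?P<scope>Header|Payload)?\s*"
    r"(?:(?P<ver>V\d) (?P<algo>\S+) Signature, key ID (?P<keyid>[0-9a-fA-F]+)"
    r"|(?P<dalgo>\S+) digest)"
    r": (?P<status>\S+)\s*$"
)


@dataclass
class Check:
    scope: str                    # "header", "payload" or "" for the whole file
    kind: str                     # "signature" or "digest"
    algo: str                     # e.g. "RSA/SHA256", "SHA256", "MD5"
    status: str                   # "OK" or an rpm failure token such as "NOKEY"
    version: Optional[str] = None # OpenPGP signature version, e.g. "V3"
    key_id: Optional[str] = None  # lower-case short key ID for signatures

    @property
    def ok(self) -> bool:
        return self.status == "OK"


def parse_rpmkeys_verbose(output: str) -> Dict[str, List[Check]]:
    """Map each package path to the list of checks rpmkeys printed for it."""
    results: Dict[str, List[Check]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        if not line.strip():
            continue
        m = PKG_RE.match(line)
        if m:
            current = m.group("pkg")
            results.setdefault(current, [])
            continue
        m = CHECK_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unrecognised rpmkeys line: {line!r}")
        scope = (m.group("scope") or "").lower()
        if m.group("ver"):
            check = Check(scope, "signature", m.group("algo"), m.group("status"),
                          m.group("ver"), m.group("keyid").lower())
        else:
            check = Check(scope, "digest", m.group("dalgo"), m.group("status"))
        results[current].append(check)
    return results


def signature_versions(checks: List[Check]) -> Set[str]:
    """OpenPGP signature versions present (useful for spotting V3 vs V4 mixes)."""
    return {c.version for c in checks if c.kind == "signature" and c.version}


def evaluate(checks: List[Check], trusted_key_ids: Iterable[str]) -> List[str]:
    """Return policy violations; an empty list means the package passes."""
    trusted = {k.lower() for k in trusted_key_ids}
    problems = [f"{c.scope or 'file'} {c.kind} {c.algo}: {c.status}"
                for c in checks if not c.ok]
    sigs = [c for c in checks if c.kind == "signature"]
    if not sigs:
        # `rpmkeys -K` prints "digests OK" for an unsigned package; digests
        # alone prove integrity of the download, not who built it.
        problems.append("package carries no OpenPGP signature (digests only)")
    problems += [f"{s.scope or 'file'} signature from untrusted key ID {s.key_id}"
                 for s in sigs if s.key_id not in trusted]
    return problems


if __name__ == "__main__":
    for pkg, checks in parse_rpmkeys_verbose(SAMPLE_OUTPUT).items():
        problems = evaluate(checks, TRUSTED_KEY_IDS)
        print(pkg, "PASS" if not problems else "FAIL", sorted(signature_versions(checks)))
        for p in problems:
            print("   ", p)
```

In real use the input would come from `subprocess.run(["rpmkeys", "-Kv", *paths], capture_output=True, text=True).stdout`; the parser deliberately raises on any line it does not recognise rather than silently skipping it, so a change in rpm's output format surfaces as an error instead of a false pass.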

Comment 10 neal 2022-11-23 20:51:45 UTC
(In reply to Panu Matilainen from comment #4)
> This is on hold until Sequoia adds support for V3 signatures, those were
> discovered to be the predominant life-form in the rpm ecosystem (see
> https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c23 for details).

As also mentioned here https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c33 ,
I've added support for v3 signatures to sequoia-openpgp and rpm-sequoia, and
the relevant packages are in rawhide.

Comment 11 Panu Matilainen 2022-11-24 09:21:32 UTC
Back in game now with rpm-4.18.0-7.fc38 and rpm-sequoia 1.2.0.

Comment 12 ojab 2023-03-08 21:59:41 UTC
I _guess_ this broke:
```
[google-cloud-cli]
name=Google Cloud CLI
baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el9-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
```
It worked fine on f37, and I'm getting
```
Google Cloud CLI                                                                                                                                                                                               2.9 kB/s | 975  B     00:00    
GPG key at https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg (0x3E1BA8D5) is already installed
The GPG keys listed for the "Google Cloud CLI" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: google-cloud-cli-421.0.0-1.x86_64
 GPG Keys are configured as: https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Public key for f14f10a3db2f20011b10638bca848d4cc5a46123e72b580a4172261ee76ec8d8-google-cloud-cli-gke-gcloud-auth-plugin-421.0.0-1.x86_64.rpm is not trusted. Failing package is: google-cloud-cli-gke-gcloud-auth-plugin-421.0.0-1.x86_64
 GPG Keys are configured as: https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
```
after updating to f38.

Comment 13 Panu Matilainen 2023-03-09 10:17:10 UTC
Make sure you have the versions from https://bodhi.fedoraproject.org/updates/FEDORA-2023-bd9a4614ad (see bug 2170878 for the long story). If it still fails with those, then we'll need to open a separate bug to track that.
