Description of problem: Version-Release number of selected component (if applicable): dnf --version 4.16.1 Installed: dnf-0:4.15.0-1.fc37.noarch at Mon 24 Apr 2023 08:00:18 AM GMT Built : Fedora Project at Thu 06 Apr 2023 08:40:00 AM GMT How reproducible: Steps to Reproduce: 1. dnf remove{reinstall,install} <module> 2. module for example brave-browser 3. Actual results: Dependencies resolved. ... Removing: brave-browser x86_64 1.51.114-1 @brave-browser-rpm-release.s3.brave.com_x86_64 322 M Removing unused dependencies: brave-keyring noarch 1.10-1 @brave-browser-rpm-release.s3.brave.com_x86_64 4.4 k Transaction Summary ... Remove 2 Packages Freed space: 322 M Is this ok [y/N]: y Running transaction check error: Verifying a signature using certificate D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821 (Brave Software <support>): Certificate 0BB75829C2D4E821 invalid: policy violation because: No binding signature at time 2023-05-09T19:32:44Z error: rpmdbNextIterator: skipping h# 3966 Header V4 RSA/SHA512 Signature, key ID 82d3dc6c: BAD Header SHA256 digest: OK Header SHA1 digest: OK Error: An rpm exception occurred: package not installed Expected results: Removed,instaled,reinstalled component Additional info:
Most likely this is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=2214345 As a workaround, would upgrading `brave-keyring` package to the latest version help?
I have the same problem(https://bugzilla.redhat.com/show_bug.cgi?id=2215440): Unfortunately upgrading `brave-keyring` package, doesn't help on my machine
The error message probably comes rpm-sequoia, a GPG backend for rpm library, and it means that a a stored time of a self-signature of a PGP key signing the package is bogus. Could you please provide us with an URL to the repository and to the repository key? Is it <https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo>?
Indeed dnf has no say in this matter, this comes from rpm-sequoia, reassigning. The issue is being discussed upstream: https://github.com/rpm-software-management/rpm-sequoia/issues/46 with a suggested PR that will allow people to upgrade away from affected packages: https://github.com/rpm-software-management/rpm-sequoia/pull/47 As a temporary workaround you can 'rpm -e --nosignature brave-keyring' after which the new package can be installed cleanly.
Updating rpm-sequoia to 1.4.1 should allow for a clean upgrade path from this situation. It's now in rawhide (bug 2217961) but needs pulling into F38 too.
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
rpm-sequoia is now at version 1.6.0 across all branches of Fedora. Is this issue resolved?
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21. Fedora Linux 38 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.