Bug 2215440 - error: Verifying a signature using certificate
Summary: error: Verifying a signature using certificate
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: rust-rpm-sequoia
Version: 38
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Rust SIG
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-06-16 03:14 UTC by Donald O'Dona
Modified: 2023-06-28 06:33 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github rpm-software-management rpm-sequoia issues 46 0 None open Relax "No binding signature" 2023-06-21 08:36:51 UTC

Description Donald O'Dona 2023-06-16 03:14:15 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
dnf --version

4.16.1
  Installed: dnf-0:4.15.0-1.fc37.noarch at Mon 24 Apr 2023 08:00:18 AM GMT
  Built    : Fedora Project at Thu 06 Apr 2023 08:40:00 AM GMT


How reproducible:


Steps to Reproduce:
1. dnf remove{reinstall,install} <module>
2. module for example brave-browser
3.

Actual results:
Dependencies resolved.
...
Removing:
 brave-browser                                       x86_64                                       1.51.114-1                                         @brave-browser-rpm-release.s3.brave.com_x86_64                                       322 M
Removing unused dependencies:
 brave-keyring                                       noarch                                       1.10-1                                             @brave-browser-rpm-release.s3.brave.com_x86_64                                       4.4 k

Transaction Summary
...
Remove  2 Packages

Freed space: 322 M
Is this ok [y/N]: y
Running transaction check
error: Verifying a signature using certificate D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821 (Brave Software <support>):
  Certificate 0BB75829C2D4E821 invalid: policy violation
      because: No binding signature at time 2023-05-09T19:32:44Z
error: rpmdbNextIterator: skipping h#    3966
Header V4 RSA/SHA512 Signature, key ID 82d3dc6c: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
Error: An rpm exception occurred: package not installed



Expected results:
Removed,instaled,reinstalled component

Additional info:
Comment 1 Marek Blaha 2023-06-16 06:29:18 UTC 
Most likely this is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=2214345

As a workaround, would upgrading `brave-keyring` package to the latest version help?
Comment 2 Donald O'Dona 2023-06-19 08:16:49 UTC 
I have the same problem(https://bugzilla.redhat.com/show_bug.cgi?id=2215440):

Unfortunately upgrading `brave-keyring` package, doesn't help on my machine
Comment 3 Petr Pisar 2023-06-19 13:00:01 UTC 
The error message probably comes rpm-sequoia, a GPG backend for rpm library, and it means that a a stored time of a self-signature of a PGP key signing the package is bogus. Could you please provide us with an URL to the repository and to the repository key? Is it <https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo>?
Comment 4 Panu Matilainen 2023-06-21 08:36:51 UTC 
Indeed dnf has no say in this matter, this comes from rpm-sequoia, reassigning. The issue is being discussed upstream: https://github.com/rpm-software-management/rpm-sequoia/issues/46 with a suggested PR that will allow people to upgrade away from affected packages: https://github.com/rpm-software-management/rpm-sequoia/pull/47

As a temporary workaround you can 'rpm -e --nosignature brave-keyring' after which the new package can be installed cleanly.
Comment 5 Panu Matilainen 2023-06-28 06:33:39 UTC 
Updating rpm-sequoia to 1.4.1 should allow for a clean upgrade path from this situation.
It's now in rawhide (bug 2217961) but needs pulling into F38 too.
Note You need to log in before you can comment on or make changes to this bug.