Since librepo v1.16.0, binary GPG keys cannot be imported anymore with librepo. This fails in librepo with the following error: "Failed to import pgp keys into temporary keyring: Public key not found". The keyring hosted at "https://fedoraproject.org/fedora.gpg" consists of binary keys which cannot be imported anymore by librepo (and thus dnf) on Fedora 39. Reproducible: Always Steps to Reproduce: 1. Use gpgkey=https://fedoraproject.org/fedora.gpg as the keyring in any Fedora repo file on Fedora 39 Actual Results: ``` [7/7] Total 100% | 0.0 B/s | 0.0 B | 00m00s [1/8] https://fedoraproject.org/fedora.gpg 100% | 66.8 KiB/s | 11.4 KiB | 00m00s -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [8/8] Total 100% | 0.0 B/s | 0.0 B | 00m00s Failed to import pgp keys into temporary keyring: Public key not found ‣ "/usr/bin/dnf5 --assumeyes --config=/home/daandemeyer/projects/mkosi/.mkosi-tmpal_fz7as/pkgmngr/etc/dnf/dnf.conf --best --releasever=38 --installroot=/home/daandemeyer/projects/mkosi/.mkosi-tmpal_fz7as/root --setopt=keepcache=1 '--setopt=cachedir=/home/daandemeyer/projects/mkosi/mkosi.cache/fedora~38' --setopt=reposdir=/home/daandemeyer/projects/mkosi/.mkosi-tmpal_fz7as/pkgmngr/etc/yum.repos.d --setopt=varsdir=/home/daandemeyer/projects/mkosi/.mkosi-tmpal_fz7as/pkgmngr/etc/dnf/vars --setopt=persistdir=/home/daandemeyer/projects/mkosi/.mkosi-tmpal_fz7as/pkgmngr/var/lib/dnf --setopt=check_config_file_age=0 '--disableplugin=*' --enableplugin=builddep --no-docs install filesystem" returned non-zero exit code 1. ``` Expected Results: Importing GPG key from fedora.gpg succeeds Upstream bug report: https://github.com/rpm-software-management/librepo/issues/284
Proposed as a Blocker for 39-final by Fedora user daandemeyer using the blocker tracking app because: Any application using binary GPG keys in dnf repo files will be broken on Fedora 39 as librepo will refuse to import these binary GPG keys. This seems serious enough to consider it as a release blocker.
I don't think the blocker proposal is clear enough. Does this violate any of the release criteria? What applications are there that actually *do* use binary GPG keys in dnf repo files?
> What applications are there that actually *do* use binary GPG keys in dnf repo files? Well any third party repo could theoretically be using these. For a more concrete example, in the mkosi image builder we use the keys from https://fedoraproject.org/fedora.gpg in our repo files and those are binary GPG keys, which is how I noticed this in the first place. As it is, trying to use mkosi to build Fedora images on F39 will fail because of this issue as dnf isn't able to import the keys from https://fedoraproject.org/fedora.gpg into the keyring.
Fixed in PR https://github.com/rpm-software-management/librepo/pull/286
Per voting in https://pagure.io/fedora-qa/blocker-review/issue/1375 , marking rejected blocker, accepted FE. If somebody can come up with a clear criteria violation or other blocker justification here, we can revote.
FEDORA-2023-feae73ef8b has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-feae73ef8b
FEDORA-2023-feae73ef8b has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.