Running rpm -qi rpm in container shows Signature as (none), for registry.fedoraproject.org/fedora:40 and registry.fedoraproject.org/fedora:41.

Reproducible: Always

Steps to Reproduce:
1. for i in 39 40 41 rawhide ; do
     podman pull registry.fedoraproject.org/fedora:$i
     podman run --rm registry.fedoraproject.org/fedora:$i rpm -qi rpm | grep Signature
   done

Actual Results:
Trying to pull registry.fedoraproject.org/fedora:39...
Getting image source signatures
Copying blob fbc22dc0332c skipped: already exists
Copying config cce97b2b39 done |
Writing manifest to image destination
cce97b2b392b540099063389214c3d7e1589198f1df8cf385a7478ff8faf06cb
Signature : RSA/SHA256, Wed Feb 7 16:16:31 2024, Key ID 75cf5ac418b8e74c
Trying to pull registry.fedoraproject.org/fedora:40...
Getting image source signatures
Copying blob 6b90857c2b8f skipped: already exists
Copying config 8b0c58dbef done |
Writing manifest to image destination
8b0c58dbef543cd6ab521ba7a56d7d655eebad8d3051ca97903cb5a6d135fafd
Signature : (none)
Trying to pull registry.fedoraproject.org/fedora:41...
Getting image source signatures
Copying blob bcc5ccd37a52 skipped: already exists
Copying config eb69d79bd0 done |
Writing manifest to image destination
eb69d79bd0f40fb5dae87ea5a999005ae753af7a58cf63f683d0c3ecf5be95d0
Signature : (none)
Trying to pull registry.fedoraproject.org/fedora:rawhide...
Getting image source signatures
Copying blob b98685922fb4 skipped: already exists
Copying config f618f30e28 done |
Writing manifest to image destination
f618f30e28883cbc694e01301e31ceca7d1cce3263f4398a72312e520b66f57c
Signature : RSA/SHA256, Tue Aug 13 21:30:03 2024, Key ID c8ac4916105ef944

Expected Results:
No Signature : (none) in the output.

This is a possible reoccurrence of bug 2270397.
Looking at today's container build for f41, I think I see the issue: use_buildroot_repo is set to "True" instead of "False". Cf. https://koji.fedoraproject.org/koji/taskinfo?taskID=122587996
Yeah, so we dropped our downstream patch in favor of the one koji merged... but, we missed that it has a check to always pass use_buildroot_repo=True if koji hub version is older than 1.35.0. ;( So, I guess short term we need to patch koji downstream for this, since 1.35.0 is a few weeks out and we don't want to do a major upgrade right now. I'll work on updating koji early next week. Hopefully we can get it in before we start making any f41 rc's. Thanks again for noticing this and I'm sorry it happened. ;(
Well, I'm not as concerned about the 41 image but 40 is still broken as well ...
Yes, they are all built in the same build system, so all new containers are affected. ;( I've put in for a freeze break to apply a patch to hopefully fix this. So, hopefully in the next few days here...
ok. I landed that change yesterday and all the composes last night ran with it, and it looks fixed to me. Can you please confirm?
It looks good now here as well. Do you think the fix is stable and we can close this bug?
Yep. I think so. The next upstream release should work and until then we will keep carrying our patch.
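
A broader version of the check from the report, as an added example that is not part of the original thread or of any Fedora tooling: it lists every unsigned package in an image rather than only rpm itself. The function names, the query format string and the sample data are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: list unsigned RPMs in container images (hypothetical helper names).

# One line per package: "<NEVRA><TAB><signature or (none)>".
# Header signature tags are tried first, then the legacy ones.
QF='%{NEVRA}\t%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|\n'

# Read "NEVRA<TAB>signature" lines on stdin and print NEVRAs with no signature.
# gpg-pubkey entries are imported keys, not real packages, and are never signed.
unsigned_packages() {
    awk -F'\t' '$2 == "(none)" && $1 !~ /^gpg-pubkey-/ { print $1 }'
}

# Print "<image>: <NEVRA>" for each unsigned package; return 1 if any exist.
scan_image() {
    local image=$1 unsigned
    unsigned=$(podman run --rm "$image" rpm -qa --qf "$QF" | unsigned_packages)
    [ -z "$unsigned" ] && return 0
    printf '%s\n' "$unsigned" | awk -v img="$image" '{ print img ": " $0 }'
    return 1
}

# Constructed sample in the same format, so the filter can be tried offline.
sample_query_output() {
    printf 'pkg-a-1.0-1.fc40.x86_64\t(none)\n'
    printf 'pkg-b-2.0-1.fc40.x86_64\tRSA/SHA256, Thu Jan  1 00:00:00 2024, Key ID 0123456789abcdef\n'
    printf 'gpg-pubkey-00000000-00000000\t(none)\n'
}

# Usage: script.sh IMAGE...   (does nothing when run without arguments)
if [ "$#" -gt 0 ]; then
    rc=0
    for image in "$@"; do
        scan_image "$image" || rc=1
    done
    exit "$rc"
fi
```

Run against the four image tags from the report, a non-zero exit status marks a compose that pulled in unsigned packages.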