There does not appear to be a mechanism in PackageKit to import RPM-GPG-KEYs for new repositories. Thus it is not possible to install packages from newly linked repositories.
Steps to reproduce:
1. Add a new valid yum repository (software source).
2. Open PackageKit.
3. Select a package from the newly added repository.
4. Click the install button.
5. The installation hangs with "Checking Signatures" displayed in the statusbar.
Actual Results: Installation hangs with "Checking Signatures" displayed in the statusbar.
Expected Results: User is prompted to import the new repository's RPM-GPG-KEY and the package installs successfully.
Build Date/Platform: PackageKit 0.1.12 Fedora 9 (rawhide) i686
Workaround:
1. Add a new valid yum repository.
2. Open a terminal.
3. su root
4. yum install package-name-from-new-repository
5. You are then prompted to import the new RPM-GPG-KEY for the new repository.
6. When the package finishes installing you should be able to install packages from the new repository via PackageKit.
This may be related to bug #443972
Patrick, if you get a chance, could you test this again with: http://koji.fedoraproject.org/koji/taskinfo?taskID=583037 ?
Robin, I'm happy to test it, is there a repository I can enable to get those packages or should I install them manually?
Robin, I installed the following packages via rpm -Uvh:
PackageKit-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-cron-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-debuginfo-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-devel-0.1.12-7.20080425.fc9.i386.rpm
PackageKit-libs-0.1.12-7.20080425.fc9.i386.rpm
yum-packagekit-0.1.12-7.20080425.fc9.i386.rpm
I removed each rpm-gpg-key via rpm -e gpg-pubkey-xxxxxxx. I then restarted my machine. Opened PackageKit via System->Administration->Add/Remove Software. Searched for wireshark, selected gnome-wireshark, and clicked install. After a minute or so a dialog box popped up with the following:
A security trust relationship is not present
GPG key xxxxxxxxx is required
I'm not sure if that was the desirable result, please advise.
New systems need to import GPG key(s) to install updates. So if PackageKit can't import GPG keys, we can't push updates to new systems. I'm not sure we can release with this unfixed.
If I remember correctly the GPG keys for the Fedora repositories are installed with Fedora 9, thus updates from the Fedora repositories would install without issue. Can anyone confirm this? I noticed this bug after installing the Livna repository rpm and attempting to install a package from the livna repository.
Rawhide packages aren't signed, so this never came up before. The gpg keys are shipped with Fedora but - unless I'm mistaken - they are not normally imported until your first update.
Yeah, confirmed. GPG keys aren't imported during install. Thus updates are not installable until you run yum or import the keys by hand. I did this:
1) Fresh install of rawhide (works fine; anaconda doesn't check sigs)
2) Install new (unsigned) PackageKit RPMs from koji
3) Roll back to an unsigned package (e.g. ntfsprogs-2.0.0-6)
4) Attempt to install updates
5) Get error message and no updates installed.
I found an interesting discussion on Richard Hughes' (PackageKit maintainer) blog about this issue. I do not see a resolution to it though. I've CC'ed Richard on this bug, maybe he can shed some light. http://hughsient.livejournal.com/40208.html
My apologies, I just finished reading through the comments on the bug that Robin referenced above: https://bugzilla.redhat.com/show_bug.cgi?id=443972 and the two bugs definitely have the same root cause. How do y'all go about merging bugs so there is no duplication of effort?
Patrick: normally we'd close one bug as a duplicate of the other, but in this case they're not exactly duplicates. Bug #443972 concerns the PackageKit UI freezing / daemon crashing if it encounters signed packages. That bug is, technically, fixed, since it doesn't hang or crash anymore. This bug is about PK being unable to install signed packages until you import the keys yourself. Which is still an open problem.
This same issue occurred when, after installing Fedora 9 Preview x86_64, a new fedora-release package was installed via an update, which, I guess, required new keys. All I noticed was PackageKit would stop progress for a while. I only discovered this after running yum manually. I did notice this when working with Livna as well, but it's the same problem, obviously.
Yes, with 0.2.0 we can do the GPG auth dance. I still want to integrate with seahorse to make the GPG check suck less, as users shouldn't have to understand all this stuff.
Sounds like a good plan, but when is 0.2.0 due for release? We're supposed to be composing the first Release Candidates for F9 at the end of next week (May 1 or so). Nobody who installs F9 will be able to install any updates until we address (or work around) this.
*** Bug 440156 has been marked as a duplicate of this bug. ***
*** Bug 444604 has been marked as a duplicate of this bug. ***
*** Bug 444691 has been marked as a duplicate of this bug. ***
http://koji.fedoraproject.org/koji/taskinfo?taskID=589979 and http://koji.fedoraproject.org/koji/taskinfo?taskID=589973 are new builds of PackageKit / gnome-packagekit which may fix this.
The UI's not pretty, but seems to do the job.
I agree with Richard's comments above. The result of the new builds is the following:
1. System -> Administration -> Add/Remove Software
2. Select a package to install, click the Install button.
3. A dialog opens: "Do you want to import key ******* from ******* for *****" Yes/No, click Yes
4. Another dialog opens: "Key will be imported, please try transaction again. This UI will be replaced in future versions of PackageKit - please don't file bugs as an update is being worked on...", click OK.
5. A dialog opens to authenticate as root.
6. After authenticating as root, you must go through the package install process again, which completes successfully without needing to import the key.
Works for me here, too. Thanks a bunch, hughsie.
Yeah, same results here. It's a start. The problem with this implementation is this: a month after F9 release, we'll have 100 updates. Installing those updates will require importing 3 keys - fedora, fedora-security, and fedora-updates. Even if that transaction *contains* a fixed PackageKit, the user will still have to go through the transaction-test/error message/restart transaction 3 times. Ugh.
Okay, closing. What we need to do long term is just import all the keys in /etc/pki/fedora* at anaconda time. I don't know another distro that doesn't trust its own updates...
Last time this came up I think we discussed doing the key import in the %post of fedora-release.