Red Hat Bugzilla – Bug 443445
Cannot install packages from repositories from which RPM-GPG-KEYs have not been installed.
Last modified: 2008-05-02 13:54:56 EDT
There does not appear to be a mechanism in PackageKit to import RPM-GPG-KEYs
for new repositories. Thus it is not possible to install packages from newly
Steps to reproduce:
1. Add a new valid yum repository (software source).
2. Open PackageKit.
3. Select a package from the newly added repository.
4. Click the install button.
5. The installation hangs with "Checking Signatures" displayed in the
Installation hangs with "Checking Signatures" displayed in the statusbar.
User is prompted to import the new repository's RPM-GPG-KEY and the package
Fedora 9 (rawhide) i686
1. Add a new valid yum repository.
2. Open a terminal.
3. su root
4. yum install package-name-from-new-repository
5. You are then prompted to import the new RPM-GPG-KEY for the new repository.
6. When the package finishes installing you should be able to install packages
from the new repository via PackageKit.
This may be related to bug #443972
Patrick, if you get a chance, could you test this again with:
Robin, I'm happy to test it, is there a repository I can enable to get those
packages or should I install them manually?
Robin, I installed the following packages via rpm -Uvh:
I removed each rpm-gpg-key via rpm -e gpg-pubkey-xxxxxxx
I then restarted my machine.
Opened PackageKit via System->Administration->Add/Remove Software
Searched for wireshark, selected gnome-wireshark, and clicked install. After a
minute or so a dialog box popped up with the following:
A security trust relationship is not present
GPG key xxxxxxxxx is required
I'm not sure if that was the desirable result, please advise.
New systems need to import GPG key(s) to install updates. So if PackageKit can't
import GPG keys, we can't push updates to new systems.
I'm not sure we can release with this unfixed.
If I remember correctly the GPG keys for the Fedora repositories are installed
with Fedora 9, thus updates from the Fedora repositories would install without
issue. Can anyone confirm this? I noticed this bug after installing the Livna
repository rpm and attempting to install a package from the livna repository.
Rawhide packages aren't signed, so this never came up before.
The gpg keys are shipped with Fedora but - unless I'm mistaken - they are not
normally imported until your first update.
Yeah, confirmed. GPG keys aren't imported during install. Thus updates are not
installable until you run yum or import the keys by hand.
I did this:
1) Fresh install of rawhide (works fine; anaconda doesn't check sigs)
2) Install new (unsigned) PackageKit RPMs from koji
3) Roll back to an unsigned package (e.g. ntfsprogs-2.0.0-6)
4) Attempt to install updates
5) Get error message and no updates installed.
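An added example, not part of the bug thread or of PackageKit's code: a check for which enabled, signature-checked repositories reference a key that rpm has not imported yet, which is the condition the comments above describe. The function names, the sample repo, its key path and the sample key are constructed for illustration; it assumes imported keys are listed by `rpm -q gpg-pubkey` as `gpg-pubkey-<8 hex digits>-<date>`, and it reads only per-repo settings.

```python
import base64, configparser, hashlib, re

def short_key_id(armored):
    """8-hex-digit ID of an armored v4 key: the <id> in rpm's gpg-pubkey-<id>-<date>."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    data = lines[lines.index("") + 1:]             # base64 starts after the blank line
    pkt = base64.b64decode("".join(l for l in data if l and l[0] not in "=-"))
    tag = pkt[0]
    if tag & 0x40:                                 # new-format packet header
        ptype, first = tag & 0x3F, pkt[1]
        if first < 192:
            n, off = first, 2
        elif first < 224:
            n, off = ((first - 192) << 8) + pkt[2] + 192, 3
        elif first == 255:
            n, off = int.from_bytes(pkt[2:6], "big"), 6
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:                                          # old-format packet header
        ptype, width = (tag >> 2) & 0x0F, 1 << (tag & 3)
        n, off = int.from_bytes(pkt[1:1 + width], "big"), 1 + width
    key = pkt[off:off + n]
    if ptype != 6 or key[:1] != b"\x04":
        raise ValueError("expected a version 4 public-key packet")
    # RFC 4880 section 12.2: fingerprint = SHA-1(0x99 || 2-byte length || packet body)
    return hashlib.sha1(b"\x99" + n.to_bytes(2, "big") + key).hexdigest()[-8:]

def repos_needing_key_import(repo_text, key_files, rpm_q_output):
    """(repo, key id) pairs for enabled gpgcheck=1 repos whose key rpm has not imported."""
    imported = set(re.findall(r"^gpg-pubkey-([0-9a-f]{8})-", rpm_q_output, re.M))
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(repo_text)
    missing = []
    for repo in cfg.sections():
        if not (cfg.getboolean(repo, "enabled", fallback=True)
                and cfg.getboolean(repo, "gpgcheck", fallback=False)):
            continue                               # per-repo settings only; [main] is ignored
        for url in cfg.get(repo, "gpgkey", fallback="").split():
            key_id = short_key_id(key_files[re.sub(r"^file://", "", url)])
            if key_id not in imported:
                missing.append((repo, key_id))
    return missing

# Constructed sample input (not a real key): a minimal v4 public-key packet, armored.
SAMPLE_BODY = b"\x04" + bytes(4) + b"\x11" + b"\x00\x01\x01"
SAMPLE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
              + base64.b64encode(b"\x99\x00\x09" + SAMPLE_BODY).decode()
              + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
SAMPLE_REPO = "[newrepo]\nenabled=1\ngpgcheck=1\ngpgkey=file:///keys/RPM-GPG-KEY-newrepo\n"
```

On a real system, `key_files` would map each `gpgkey` path to the contents of that file and `rpm_q_output` would be the text printed by `rpm -q gpg-pubkey`.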
I found an interesting discussion on Richard Hughes' (PackageKit maintainer)
blog about this issue. I do not see a resolution to it though. I've CC'ed
Richard on this bug, maybe he can shed some light.
My apologies, I just finished reading through the comments on the bug that Robin
referenced above: https://bugzilla.redhat.com/show_bug.cgi?id=443972 and the
two bugs definitely have the same root cause. How do y'all go about merging
bugs so there is no duplication of effort?
Patrick: normally we'd close one bug as a duplicate of the other, but in this
case they're not exactly duplicates.
Bug #443972 concerns the PackageKit UI freezing / daemon crashing if it
encounters signed packages. That bug is, technically, fixed, since it doesn't
hang or crash anymore.
This bug is about PK being unable to install signed packages until you import
the keys yourself. Which is still an open problem.
This same issue occurred when, after installing Fedora 9 Preview x86_64, a new
fedora-release package was installed via an update, which, I guess, required new
keys. All I noticed was PackageKit would stop progress for a while. I only
discovered this after running yum manually.
I did notice this when working with Livna as well, but it's the same problem,
Yes, with 0.2.0 we can do the GPG auth dance. I still want to integrate with
seahorse to make the GPG check suck less, as users shouldn't have to understand
all this stuff.
Sounds like a good plan, but when is 0.2.0 due for release? We're supposed to be composing the first
Release Candidates for F9 at the end of next week (May 1 or so).
Nobody who installs F9 will be able to install any updates until we address (or work around) this.
*** Bug 440156 has been marked as a duplicate of this bug. ***
*** Bug 444604 has been marked as a duplicate of this bug. ***
*** Bug 444691 has been marked as a duplicate of this bug. ***
are new builds of PackageKit / gnome-packagekit which may fix this.
The UI's not pretty, but seems to do the job.
I agree with Richard's comments above. The result of the new builds is the
1. System -> Administration -> Add/Remove Software
2. Select a package to install, click the Install button.
3. A dialog opens: "Do you want to import key ******* from ******* for *****"
Yes/No, click Yes
4. Another dialog opens: "Key will be imported, please try transaction again.
This UI will be replaced in future versions of PackageKit - please don't file
bugs as an update is being worked on...", click OK.
5. A dialog opens to authenticate as root.
6. After authenticating as root, you must go through the package install
process again, which completes successfully without needing to import the key.
Works for me here, too. Thanks a bunch, hughsie.
Yeah, same results here. It's a start.
The problem with this implementation is this: a month after F9 release, we'll
have 100 updates. Installing those updates will require importing 3 keys -
fedora, fedora-security, and fedora-updates.
Even if that transaction *contains* a fixed PackageKit, the user will still have
to go through the transaction-test/error message/restart transaction 3 times. Ugh.
Okay, closing. What we need to do long term is just import all the keys in
/etc/pki/fedora* at anaconda time. I don't know another distro that doesn't
trust its own updates...
Last time this came up I think we discussed doing the key import in the %post of