Bug 856225 - PackageKit can't import Fedora GPG key
PackageKit can't import Fedora GPG key
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: rpm (Show other bugs)
18
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Fedora Packaging Toolset Team
Fedora Extras Quality Assurance
https://fedoraproject.org/wiki/Common...
: CommonBugs, Upstream
Depends On:
Blocks: F18Beta/F18BetaBlocker
  Show dependency treegraph
 
Reported: 2012-09-11 09:47 EDT by Kamil Páral
Modified: 2012-10-08 10:08 EDT (History)
16 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-08 10:08:03 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
python script to reproduce the problem (515 bytes, text/plain)
2012-09-14 10:37 EDT, Richard Hughes
no flags Details

  None (edit)
Description Kamil Páral 2012-09-11 09:47:06 EDT
Description of problem:
If you install from other mean than Live, you don't have the default Fedora GPG key imported (light years old bug). PackageKit fails on this:

$ pkcon install htop
Installing                    [=========================]         
Waiting in queue              [=========================]         
Waiting for authentication    [=========================]         
Waiting in queue              [=========================]         
Starting                      [=========================]         
Running                       [=========================]         
Resolving dependencies        [=========================]         
Installing packages           [=========================]         
Installing                    [=========================]         
Waiting in queue              [=========================]         
Waiting for authentication    [=========================]         
Waiting in queue              [=========================]         
Starting                      [=========================]         
Running                       [=========================]         
Resolving dependencies        [=========================]         
Downloading packages          [=========================]         
Checking signatures           [                         ] (0%)  
Software source signature required
 Package: htop-1.0.1-2.fc18.x86_64
 Software source name: fedora
 Key URL: /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64
 Key user: Fedora (18) <fedora@fedoraproject.org>
 Key ID: DE7F38BD
 Key fingerprint: 7efb8811dd11e380b679fcedff01125cde7f38bd
 Key Timestamp: Mon Aug  6 06:34:44 2012
Do you accept this signature? [N/y] y

                              [=========================]         
Installing signature          [=========================]         
Waiting in queue              [=========================]         
Waiting for authentication    [=========================]         
Waiting in queue              [=========================]         
Starting                      [=========================]         
Getting information           [=========================]         
Fatal error: The backend exited unexpectedly. This is a serious error as the spawned backend did not complete the pending transaction.


The GUI fails too. Also update manager fails.

Once it fails, further invocations fail immediately:
$ pkcon install htop
Command failed: This tool could not find any available package: Failed: failed

The workaround is to do
$ sudo rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-primary
and then reboot the computer.


Version-Release number of selected component (if applicable):
PackageKit-gstreamer-plugin-0.8.3-2.fc18.x86_64
PackageKit-command-not-found-0.8.3-2.fc18.x86_64
PackageKit-yum-0.8.3-2.fc18.x86_64
PackageKit-gtk3-module-0.8.3-2.fc18.x86_64
PackageKit-0.8.3-2.fc18.x86_64
PackageKit-yum-plugin-0.8.3-2.fc18.x86_64
PackageKit-glib-0.8.3-2.fc18.x86_64
PackageKit-device-rebind-0.8.3-2.fc18.x86_64


How reproducible:
always

Steps to Reproduce:
1. install from DVD/netinst
2. try to use PackageKit
3. see it fails after question whether to import the key
Comment 1 Kamil Páral 2012-09-11 09:47:47 EDT
Proposing as Alpha blocker:
" The installed system must be able to download and install updates with yum and the default graphical package manager in all release-blocking desktops "
https://fedoraproject.org/wiki/Fedora_18_Alpha_Release_Criteria
Comment 2 Adam Williamson 2012-09-11 12:45:52 EDT
+1 blocker, per criterion.
Comment 3 Tim Flink 2012-09-11 14:55:42 EDT
I also hit this on a fresh install of F18 alpha RC2 from DVD in a VM.

+1 blocker, per criterion.
Comment 4 Adam Williamson 2012-09-11 17:43:59 EDT
Oh - does the behaviour vary depending on whether the user is an 'admin' or not, like some other bugs?
Comment 5 Jóhann B. Guðmundsson 2012-09-11 17:59:30 EDT
+1 blocker per criteria...
Comment 6 satellitgo 2012-09-11 18:52:53 EDT
I have hit this also as user as part of admin group with Gnome in RC2-DVD x86_64 install to HD; root password set.

Workaround:
root terminal: yum upgrade
asks if you want to import GPG key and works
Comment 7 Adam Williamson 2012-09-11 21:02:15 EDT
Could this perhaps be related to https://bugzilla.redhat.com/show_bug.cgi?id=852403 ? Does it work in Permissive mode, or if selinux-policy is updated?
Comment 8 Adam Williamson 2012-09-12 00:13:35 EDT
reply to self: no, doesn't seem related. I hit this with an 'admin' user, with selinux in Permissive.
Comment 9 Jaroslav Reznik 2012-09-12 07:06:41 EDT
12:59:43        PackageKit          failed to parse: Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64: invalid command 'Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64'
12:59:43        PackageKit          emitting changed
12:59:43        PackageKit          emitting allow-cancel 1
12:59:43        PackageKit          emitting changed
12:59:43        PackageKit          emitting changed
12:59:43        PackageKit          ignoring message (turn on DeveloperMode): Failed to parse output: invalid command 'Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64'
12:59:43        PackageKit          failed to parse: error      unknown cannot install signature: Key import failed (code 2): Error enum not recognised, and hence ignored: 'unknown'
12:59:43        PackageKit          failed to parse: : invalid command '(null)'
12:59:43        PackageKit          failed to parse: : invalid command '(null)'
12:59:43        PackageKit          failed to parse:  Failing package is: 1:tk-8.5.12-1.fc18.x86_64: invalid command ' Failing package is: 1:tk-8.5.12-1.fc18.x86_64'
12:59:43        PackageKit          failed to parse:  GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64: invalid command ' GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64'
12:59:43        PackageKit          failed to parse: : invalid command '(null)'
12:59:43        PackageKit          ignoring message (turn on DeveloperMode): Failed to parse output: Error enum not recognised, and hence ignored: 'unknown'
12:59:43        PackageKit          ignoring message (turn on DeveloperMode): Failed to parse output: invalid command '(null)'
12:59:43        PackageKit          ignoring message (turn on DeveloperMode): Failed to parse output: invalid command '(null)'
12:59:43        PackageKit          ignoring message (turn on DeveloperMode): Failed to parse output: invalid command ' Failing package is: 1:tk-8.5.12-1.fc18.x86_64'
12:59:43        PackageKit          ignoring message (turn on DeveloperMode): Failed to parse output: invalid command ' GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64'
12:59:43        PackageKit          ignoring message (turn on DeveloperMode): Failed to parse output: invalid command '(null)'
12:59:43        PackageKit          backend was exited rather than finished
Comment 10 Adam Williamson 2012-09-12 14:18:53 EDT
Discussed at 2012-09-12 blocker review meeting. We agreed that this bug is a violation of the criterion "The installed system must be able to download and install updates with yum and the default graphical package manager in all release-blocking desktops", but can be sufficiently worked around by performing just one yum operation - PK will work correctly after that. So it's rejected as a blocker, accepted as NTH.

There was also some discussion of whether the criterion should really require graphical updating to work, as to some, on consideration, it seems like too strict a requirement for an Alpha release. But we will continue that discussion on the list.
Comment 11 Kevin Kofler 2012-09-13 17:35:16 EDT
What's clear is that the criterion does require graphical updating to work, so I don't see how this is not a blocker.
Comment 12 Richard Hughes 2012-09-14 10:37:20 EDT
Created attachment 612908 [details]
python script to reproduce the problem

This will explode with the following backtrace:
yum.Errors.YumBaseError: Key import failed (code 2)

This is (I think) because:
 * getKeyForPackage calls pgpImportPubkey() in yum/__init__.py
 * which in turn calls rpmts_PgpImportPubkey() in rpm/python/rpmts.py
 * which calls rpmtsImportPubkey() in rpm/lib/rpmts.c
 * which calls rpmPubkeyNew() then rpmKeyringAddKey() in rpm/rpmio/rpmkeyring.c
 * which checks if the keyring is NULL, which it is, and returns -1
 * which causes rpmtsImportPubkey() to return RPMRC_FAIL

Now, the PackageKit key import code has not changed in over a year,
so i can only assume that something loaded the default keyring (either yum or rpm) so that this code worked before and doesn't work now.
I've tested this with yum-3.4.3-28.fc17 on F18, and it fails, so that leads me to think that something's changed in rpm, although yum is able to import the same key somehow.

Panu, any ideas?
Comment 13 Panu Matilainen 2012-09-17 03:23:01 EDT
Hmm, yup... This is a combination of a change in rpm 4.10 to avoid loading the keyring on transactions where signature checking is disabled, and the fact that yum defaults to non-signature checking settings on transactions.

The ability to import keys shouldn't be tied to signature checking enabled/disabled though, this is an unintended side-effect of the keyring loading change. Will fix.
Comment 15 Richard Hughes 2012-09-17 05:18:21 EDT
(In reply to comment #14)
> Fixed upstream:
> http://rpm.org/gitweb?p=rpm.git;a=commitdiff;
> h=9209e6cd78a1e6814f3038734cdd300b97ddcf1b

Brilliant, thanks. Any ETA on a Fedora 18 package or is rpm-4.10.1 coming before the beta? I can build a package with the fix if you're super busy.

Richard.
Comment 16 Adam Williamson 2012-09-26 14:32:06 EDT
Discussed at 2012-09-26 blocker review meeting: http://meetbot.fedoraproject.org/fedora-qa/2012-09-26/f18-beta-blocker-review-1.2012-09-26-16.03.log.txt . Accepted as a blocker for Beta: the criterion is the same as for Alpha, "The installed system must be able to download and install updates with yum and the default graphical package manager in all release-blocking desktops". For Alpha we considered 'run yum once' to be an acceptable workaround, but for the higher standards expected of a Beta, we don't consider it good enough.
Comment 17 Fedora Update System 2012-10-03 07:40:18 EDT
rpm-4.10.1-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/rpm-4.10.1-1.fc18
Comment 18 Fedora Update System 2012-10-03 13:04:51 EDT
Package rpm-4.10.1-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rpm-4.10.1-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15295/rpm-4.10.1-1.fc18
then log in and leave karma (feedback).
Comment 19 Kamil Páral 2012-10-03 14:16:05 EDT
With rpm-4.10.1-1.fc18 PackageKit was able to install the gpg key.
Comment 20 Kamil Páral 2012-10-08 10:08:03 EDT
The update was pushed stable, closing.

Note You need to log in before you can comment on or make changes to this bug.