Bug 966889 - can't install package, gpg key is not accepted
Product: Fedora
Classification: Fedora
Component: yum
Assigned To: Dennis Gilmore
Fedora Extras Quality Assurance
Reported: 2013-05-24 04:27 EDT by cornel panceac
Modified: 2013-07-31 19:49 EDT
Last Closed: 2013-07-31 19:48:54 EDT
Type: Bug
Attachments:
fedora repo (1.12 KB, text/plain), 2013-05-28 12:32 EDT, cornel panceac
package checking and attempt to install (1.90 KB, text/plain), 2013-05-28 12:34 EDT, cornel panceac

Description cornel panceac 2013-05-24 04:27:59 EDT
Description of problem:
On this f17 x64 system, attempting to install / update any package (cntlm,mc,yum), ends with:

"The GPG keys listed for the Fedora 17 - x86_64 - Updates" repository are already installed but they are not correct for this package."

before, i have this warning:

"warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 1aca3465: NOKEY"

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. yum install cntlm

Actual results:

Expected results:

Additional info:
I've removed all keys and imported again, but still I get the same error. Looking into the fedora primary key in /etc/pki, it "looks" identical with the one on http://fedoraproject.org/keys .

An interesting info is that this system was probably not updated for a long time.
Comment 1 Jan Zeleny 2013-05-24 05:51:54 EDT
I don't see anything that would indicate a problem in yum or rpm. If the gpg key can't be used to verify the packages then there is probably something wrong with the package source. Changing the component to distribution so they can look at the bug. If you have any indication that there is a bug in rpm or yum, feel free to reassign back.
Comment 2 cornel panceac 2013-05-24 06:40:38 EDT
the problem seems to be this:

$ rpm -K cntlm-0.92-2.fc17.i686.rpm
cntlm-0.92-2.fc17.i686.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#1aca3465) 

a similar result i get for x86_64 package.

the package was downloaded from the base fedora repo so maybe the problem is there.
Comment 3 Bill Nottingham 2013-05-28 12:03:56 EDT
I can't reproduce this here.

$ rpm -K cntlm-0.92-2.fc17.i686.rpm 
cntlm-0.92-2.fc17.i686.rpm: rsa sha1 (md5) pgp md5 OK

$ rpm -qip cntlm-0.92-2.fc17.i686.rpm | grep Sig
Signature   : RSA/SHA256, Sun 22 Jan 2012 09:28:14 AM EST, Key ID 50e94c991aca3465

(note last 4 bytes - 1ACA3465)

$ gpg -v RPM-GPG-KEY-fedora-17-primary
gpg: armor header: Version: GnuPG v1.4.5 (GNU/Linux)
pub  4096R/1ACA3465 2012-01-10 Fedora (17) <fedora@fedoraproject.org>
sig        1ACA3465 2012-01-10   [selfsig]

What does your .repo file look like?
Comment 4 cornel panceac 2013-05-28 12:32:52 EDT
Created attachment 753990
fedora repo

This is the fedora.repo
Comment 5 cornel panceac 2013-05-28 12:34:29 EDT
Created attachment 753991
package checking and attempt to install

Indeed the package seems to be correctly signed. However, it seems that somehow the right key is not installed or used by yum or rpm.
Comment 6 Bill Nottingham 2013-05-28 14:50:35 EDT
Please post the output of:

rpm -qf /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64

gpg -v /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64
Comment 7 cornel panceac 2013-05-29 02:02:13 EDT
Here's the output:

# rpm -qf /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64

# gpg -v /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: armor header: Version: GnuPG v1.4.5 (GNU/Linux)
pub  4096R/1ACA3465 2012-01-10 Fedora (17) <fedora@fedoraproject.org>
sig        1ACA3465 2012-01-10   [selfsig]
Comment 8 Bill Nottingham 2013-05-29 10:09:56 EDT
And 'rpm -qi gpg-pubkey-1aca3465-4f0c91e2'?
Comment 9 cornel panceac 2013-05-29 10:28:09 EDT
$ rpm -qi gpg-pubkey-1aca3465-4f0c91e2
Name        : gpg-pubkey
Version     : 1aca3465
Release     : 4f0c91e2
Architecture: (none)
Install Date: Fri 24 May 2013 09:11:28 AM CEST
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Fri 24 May 2013 09:11:28 AM CEST
Build Host  : localhost
Relocations : (not relocatable)
Summary     : gpg(Fedora (17) <fedora@fedoraproject.org>)
Description :
Version: rpm- (NSS-3)
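
The comparison made by hand in Comments 3 and 8-9, written out as an added example that is not part of the original thread: it extracts the signing key ID from a package's `Signature` line and looks for the matching `gpg-pubkey` entry in the rpm keyring. The function names are hypothetical and the second keyring listing is constructed; the other sample values are copied from the comments above.

```shell
#!/bin/sh
# Added example (not from the bug thread): check whether the key that signed
# a package is present in the rpm keyring. Function names are hypothetical.

# Signature line from Comment 3 and imported key name from Comment 8.
SIG_LINE='Signature   : RSA/SHA256, Sun 22 Jan 2012 09:28:14 AM EST, Key ID 50e94c991aca3465'
KEYRING='gpg-pubkey-1aca3465-4f0c91e2'
# Constructed keyring listing that lacks the Fedora 17 key.
OTHER_KEYRING='gpg-pubkey-deadbeef-00000000'

# Print the lowercase short key ID (last 8 hex digits) found after "Key ID".
sig_short_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Kk]ey ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' |
        tr 'A-F' 'a-f' |
        sed 's/.*\(.\{8\}\)$/\1/'
}

# rpm stores imported keys as gpg-pubkey-<short id>-<creation time in hex>.
# Print the matching entry from an `rpm -q gpg-pubkey` listing, or fail.
find_imported_key() {
    printf '%s\n' "$2" | grep -i "^gpg-pubkey-$1-"
}

# Report whether the signer of the signature line ($1) is in the listing ($2).
# A short-ID match only shows presence; short IDs are not collision-resistant.
check_signer() {
    id=$(sig_short_id "$1")
    [ -n "$id" ] || { echo "no key ID found in signature line"; return 2; }
    if pkg=$(find_imported_key "$id" "$2"); then
        echo "signer $id is imported as $pkg"
    else
        echo "signer $id is NOT in the rpm keyring"
        return 1
    fi
}

check_signer "$SIG_LINE" "$KEYRING"
check_signer "$SIG_LINE" "$OTHER_KEYRING" || true
# Live system:
#   check_signer "$(rpm -qip PKG.rpm | grep '^Signature')" "$(rpm -q gpg-pubkey)"
```
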

Comment 10 Bill Nottingham 2013-05-29 10:57:52 EDT
OK, looks fine to me. Moving over to yum, although I still can't reproduce this here.
Comment 11 cornel panceac 2013-05-30 02:37:11 EDT
Some new info that may be helpful:

- a lot of partitions are mounted 'nosuid' .
- on / (which does not have nosuid among its mount options), rpm -ivh cntlm* allows installing of the downloaded package. Also, yum localinstall cntlm* allows installing of the local package. Which are the interesting partitions for yum, that i should check?
Comment 12 Fedora End Of Life 2013-07-03 18:09:18 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 13 Fedora End Of Life 2013-07-31 19:49:02 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
