Bug 968529 - yum-cron does not install packages that need new keys
Product: Fedora
Classification: Fedora
Component: yum
Hardware: All Linux
Priority: unspecified, Severity: medium
Assigned To: packaging-team-maint
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Duplicates: 983136
Reported: 2013-05-29 16:05 EDT by Orion Poplawski
Modified: 2014-09-03 11:14 EDT
Doc Type: Bug Fix
Last Closed: 2014-09-03 11:14:57 EDT
Type: Bug

Description Orion Poplawski 2013-05-29 16:05:11 EDT
Description of problem:

Freshly installed F19 system.  yum-cron daily fails to apply updates with:

warning: /var/cache/yum/x86_64/19/updates-testing/packages/libffi-3.0.13-4.fc19.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fb4b18e6: NOKEY
Public key for libffi-3.0.13-4.fc19.x86_64.rpm is not installed
Importing GPG key 0xFB4B18E6:
 Userid     : "Fedora (19) <fedora@fedoraproject.org>"
 Fingerprint: ca81 b2c8 5e4f 4d4a 1a3f 7234 0747 7e65 fb4b 18e6
 Package    : fedora-release-19-0.5.noarch (@anaconda)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64
The following updates will be applied on vmf19.cora.nwra.com:
 Package                  Arch    Version                Repository        Size
 freetype                 x86_64  2.4.11-6.fc19          updates-testing  383 k
 libffi                   x86_64  3.0.13-4.fc19          updates-testing   28 k
 ntfs-3g                  x86_64  2:2013.1.13-5.fc19     updates-testing  268 k
 ntfsprogs                x86_64  2:2013.1.13-5.fc19     updates-testing  253 k
 polkit                   x86_64  0.111-2.fc19           updates-testing  162 k
 selinux-policy-targeted  noarch  3.12.1-47.fc19         updates-testing  4.0 M
 unzip                    x86_64  6.0-9.fc19             updates-testing  166 k
Updating for dependencies:
 selinux-policy           noarch  3.12.1-47.fc19         updates-testing  261 k

Transaction Summary
Upgrade  7 Packages (+1 Dependent package)
Updates failed to install with the following error message: 
["Didn't install any keys"]

Version-Release number of selected component (if applicable):
Comment 1 Zdeněk Pavlas 2013-07-23 06:39:52 EDT
Since yum-cron does not run interactively we can't ask the user if the key is okay, so the key is not imported.  Had we set opts.assumeyes=True the key would get imported unconditionally, but that has obvious security implications.

Adding assumeyes option to yum-cron.conf is trivial, but I'd like to hear more comments on this first.
Comment 2 Orion Poplawski 2013-07-24 13:52:55 EDT
*** Bug 983136 has been marked as a duplicate of this bug. ***
Comment 3 Orion Poplawski 2013-08-15 13:59:11 EDT
I tried adding:

assumeyes = True

to /etc/yum/yum-cron.conf, but that didn't help.  Is that the right option?
Comment 4 Zdeněk Pavlas 2013-08-16 04:29:24 EDT
We have to also add some glue code to yum-cron.py, and maybe also change the option name to something more meaningful, e.g. "import_new_keys=True"?
Comment 5 Orion Poplawski 2013-08-16 11:20:56 EDT
Yes, a better name would be good.
Comment 6 Orion Poplawski 2013-09-10 15:39:02 EDT
Is there anything I can do to help get this fixed?
Comment 7 Zdeněk Pavlas 2013-09-11 03:52:38 EDT
Sorry, this was fixed upstream and released as 3.4.3-108 with other changes. Basically we just apply everything in [main] section to override yum config, so since -108, you can just use what you wrote in comment #3.  There's a comment in yum-cron.conf.
Comment 8 Orion Poplawski 2013-09-11 11:39:51 EDT
Okay, so I'm just waiting for this to make it to F19 then.
Comment 9 Bill McGonigle 2013-09-22 01:18:16 EDT
@Orion: I see there's a build in koji:

doesn't look like updates-testing has been requested yet.  FYI, you can upgrade with:

  sudo rpm -Uhv http://kojipkgs.fedoraproject.org//packages/yum/3.4.3/108.fc19/noarch/yum-3.4.3-108.fc19.noarch.rpm
  sudo rpm -Uhv http://kojipkgs.fedoraproject.org//packages/yum/3.4.3/108.fc19/noarch/yum-cron-3.4.3-108.fc19.noarch.rpm

for testing purposes.

I don't think I'll use it myself, in case the repo gets compromised.  I'd love to see 'assumeyes = 7d' or some such thing in the future to accept new keys after some reasonable length of time for humans to detect a repo compromise; both are risks, it's just a matter of choosing the best compromise for a given system.
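
An added example, not part of the bug thread or yum's own code: one way to keep unattended key acceptance off is to import the repository key once, out of band, after checking it against a pinned fingerprint, so that yum-cron finds the key already installed and never reaches the NOKEY prompt. It assumes GnuPG 2.2 or later for `gpg --show-keys`; the function names and the sample listing are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: import a repo key only if it matches a pinned fingerprint.

# Fingerprint as printed in the yum-cron output quoted in this report.
# In practice, take the pin from a channel independent of the repository.
PINNED_FPR="ca81 b2c8 5e4f 4d4a 1a3f 7234 0747 7e65 fb4b 18e6"

# Constructed sample of `gpg --with-colons` output (timestamps are made up).
SAMPLE_LISTING='pub:-:4096:1:07477E65FB4B18E6:1357000000:::-:::scESC:
fpr:::::::::CA81B2C85E4F4D4A1A3F723407477E65FB4B18E6:
uid:-::::1357000000::X::Fedora (19) <fedora@fedoraproject.org>:'

# Strip whitespace and uppercase, so "ca81 b2c8 ..." and "CA81B2C8..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read a colon listing on stdin; print the primary fingerprint only when the
# input holds exactly one public key, so a bundled extra key is never imported.
sole_primary_fpr() {
    awk -F: '
        $1 == "pub" { pubs++ }
        $1 == "fpr" && fpr == "" { fpr = $10 }
        END { if (pubs == 1 && fpr != "") print fpr }'
}

# key_matches_pin LISTING PIN: succeed only on an exact fingerprint match.
key_matches_pin() {
    got=$(printf '%s\n' "$1" | sole_primary_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$2")" ]
}

# import_if_pinned KEYFILE: run as root, once, before yum-cron needs the key.
import_if_pinned() {
    listing=$(gpg --show-keys --with-colons "$1" 2>/dev/null) || return 2
    if key_matches_pin "$listing" "$PINNED_FPR"; then
        rpm --import "$1"
    else
        echo "fingerprint mismatch for $1, key not imported" >&2
        return 1
    fi
}

# Usage: import_if_pinned /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64
```
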
Comment 10 Orion Poplawski 2013-11-13 11:16:09 EST
So, looks like this is in f19 but not f20?

yum.noarch    3.4.3-111.fc19           @updates
yum.noarch    3.4.3-106.fc20           @anaconda

That's a broken upgrade path.
Comment 11 Orion Poplawski 2014-08-11 13:50:53 EDT
This seems to be broken again with yum-3.4.3-153.fc21.noarch
Comment 12 Orion Poplawski 2014-09-03 11:14:57 EDT
Or maybe not.  Today it worked.
