Bug 968529 - yum-cron does not install packages that need new keys
Summary: yum-cron does not install packages that need new keys
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: yum
Version: 19
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Packaging Maintenance Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 983136 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-29 20:05 UTC by Orion Poplawski
Modified: 2014-09-03 15:14 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-03 15:14:57 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Orion Poplawski 2013-05-29 20:05:11 UTC
Description of problem:

Freshly installed F19 system.  yum-cron daily fails to apply updates with:

warning: /var/cache/yum/x86_64/19/updates-testing/packages/libffi-3.0.13-4.fc19.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fb4b18e6: NOKEY
Public key for libffi-3.0.13-4.fc19.x86_64.rpm is not installed
Importing GPG key 0xFB4B18E6:
 Userid     : "Fedora (19) <fedora>"
 Fingerprint: ca81 b2c8 5e4f 4d4a 1a3f 7234 0747 7e65 fb4b 18e6
 Package    : fedora-release-19-0.5.noarch (@anaconda)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64
The following updates will be applied on vmf19.cora.nwra.com:
================================================================================
 Package                  Arch    Version                Repository        Size
================================================================================
Updating:
 freetype                 x86_64  2.4.11-6.fc19          updates-testing  383 k
 libffi                   x86_64  3.0.13-4.fc19          updates-testing   28 k
 ntfs-3g                  x86_64  2:2013.1.13-5.fc19     updates-testing  268 k
 ntfsprogs                x86_64  2:2013.1.13-5.fc19     updates-testing  253 k
 polkit                   x86_64  0.111-2.fc19           updates-testing  162 k
 selinux-policy-targeted  noarch  3.12.1-47.fc19         updates-testing  4.0 M
 unzip                    x86_64  6.0-9.fc19             updates-testing  166 k
Updating for dependencies:
 selinux-policy           noarch  3.12.1-47.fc19         updates-testing  261 k

Transaction Summary
================================================================================
Upgrade  7 Packages (+1 Dependent package)
Updates failed to install with the following error message: 
["Didn't install any keys"]

Version-Release number of selected component (if applicable):
yum-cron-3.4.3-91.fc19.noarch

Comment 1 Zdeněk Pavlas 2013-07-23 10:39:52 UTC
Since yum-cron does not run interactively we can't ask the user if the key is okay, so the key is not imported.  Had we set opts.assumeyes=True the key would get imported unconditionally, but that has obvious security implications.

Adding assumeyes option to yum-cron.conf is trivial, but I'd like to hear more comments on this first.

Comment 2 Orion Poplawski 2013-07-24 17:52:55 UTC
*** Bug 983136 has been marked as a duplicate of this bug. ***

Comment 3 Orion Poplawski 2013-08-15 17:59:11 UTC
I tried adding:

[base]
assumeyes = True

to /etc/yum/yum-cron.conf, but that didn't help.  Is that the right option?

Comment 4 Zdeněk Pavlas 2013-08-16 08:29:24 UTC
We have to also add some glue code to yum-cron.py.. and maybe also change the option name to something more meaningfull, eg "import_new_keys=True"?

Comment 5 Orion Poplawski 2013-08-16 15:20:56 UTC
Yes, a better name would be good.

Comment 6 Orion Poplawski 2013-09-10 19:39:02 UTC
Is there anything I can do to help get this fixed?

Comment 7 Zdeněk Pavlas 2013-09-11 07:52:38 UTC
Sorry, this was fixed upstream and released as 3.4.3-108 with other changes.. Basically we just apply everything in [main] section to override yum config, so since -108, you can just use what you wrote in comment #3.  There's a comment in yum-cron.conf.

Comment 8 Orion Poplawski 2013-09-11 15:39:51 UTC
Okay, so I'm just waiting for this to make it to F19 then.

Comment 9 Bill McGonigle 2013-09-22 05:18:16 UTC
@Orion: I see there's a build in koki:
  https://koji.fedoraproject.org/koji/buildinfo?buildID=460846

doesn't look like updates-testing has been requested yet.  FYI, you can upgrade with:

  sudo rpm -Uhv http://kojipkgs.fedoraproject.org//packages/yum/3.4.3/108.fc19/noarch/yum-3.4.3-108.fc19.noarch.rpm
  sudo rpm -Uhv http://kojipkgs.fedoraproject.org//packages/yum/3.4.3/108.fc19/noarch/yum-cron-3.4.3-108.fc19.noarch.rpm

for testing purposes.

I don't think I'll use it myself, in case the repo gets compromised.  I'd love to see 'assumeyes = 7d' or some such thing in the future to accept new keys after some reasonable length of time for humans to detect a repo compromise; both are risks, it's just a matter of choosing the best compromise for a given system.

Comment 10 Orion Poplawski 2013-11-13 16:16:09 UTC
So, looks like this in f19 but not f20?

yum.noarch    3.4.3-111.fc19           @updates
yum.noarch    3.4.3-106.fc20           @anaconda

That's a broken upgrade path.

Comment 11 Orion Poplawski 2014-08-11 17:50:53 UTC
This seems to be broken again with yum-3.4.3-153.fc21.noarch

Comment 12 Orion Poplawski 2014-09-03 15:14:57 UTC
Or maybe not.  Today it worked.


Note You need to log in before you can comment on or make changes to this bug.