Bug 983136 - yum-cron will not import keys, fails to install any updates if a new key is needed
yum-cron will not import keys, fails to install any updates if a new key is n...
Status: CLOSED DUPLICATE of bug 968529
Product: Fedora
Classification: Fedora
Component: yum (Show other bugs)
19
All Linux
unspecified Severity medium
: ---
: ---
Assigned To: packaging-team-maint
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-10 11:14 EDT by Orion Poplawski
Modified: 2013-07-24 13:52 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-24 13:52:55 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Orion Poplawski 2013-07-10 11:14:04 EDT
Description of problem:

If a key has not yet been imported into the database, yum-cron will not apply any of the updates.  e.g.:

warning: /var/cache/yum/x86_64/19/adobe-linux-x86_64/packages/flash-plugin-11.2.202.297-release.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID f6777c67: NOKEY
Public key for flash-plugin-11.2.202.297-release.x86_64.rpm is not installed
Importing GPG key 0xF6777C67:
 Userid     : "Adobe Systems Incorporated (Linux RPM Signing Key) <secure@adobe.com>"
 Fingerprint: 78a8 75e9 7f09 06bd 6355 73fa 3a69 bd24 f677 7c67
 Package    : adobe-release-x86_64-1.0-1.noarch (@adobe-linux-x86_64)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
The following updates will be applied on barry.cora.nwra.com:
================================================================================
 Package              Arch   Version                      Repository       Size
================================================================================
Updating:
 NetworkManager       x86_64 1:0.9.8.2-8.git20130709.fc19 updates-testing 1.0 M
 alsa-lib             i686   1.0.27.2-1.fc19              updates-testing 384 k
 alsa-lib             x86_64 1.0.27.2-1.fc19              updates-testing 385 k
 ca-certificates      noarch 2012.87-10.4.fc19            updates-testing 351 k
 colord               x86_64 1.0.2-1.fc19                 updates-testing 431 k
 colord-libs          x86_64 1.0.2-1.fc19                 updates-testing 145 k
 eclipse-photran      noarch 8.1.1-1.fc19                 updates-testing 6.9 M
 eclipse-photran-intel
                      noarch 8.1.1-1.fc19                 updates-testing  52 k
 eclipse-ptp          x86_64 7.0.1-1.fc19                 updates-testing  38 M
 eclipse-ptp-rdt-xlc  noarch 7.0.1-1.fc19                 updates-testing 120 k
 filesystem           x86_64 3.2-13.fc19                  updates-testing 1.0 M
 findutils            x86_64 1:4.5.11-2.fc19              updates-testing 557 k
 flash-plugin         x86_64 11.2.202.297-release         adobe-linux-x86_64
                                                                          6.9 M
 gimp                 x86_64 2:2.8.6-3.fc19               updates-testing  14 M
 glusterfs-api        x86_64 3.4.0-0.9.beta4.fc19         updates-testing  47 k
 glusterfs-fuse       x86_64 3.4.0-0.9.beta4.fc19         updates-testing  89 k
 grep                 x86_64 2.14-4.fc19                  updates-testing 330 k
 libX11-devel         x86_64 1.6.0-1.fc19                 updates-testing 978 k
 libXvMC-devel        x86_64 1.0.8-1.fc19                 updates-testing  19 k
 mercurial            x86_64 2.6.3-1.fc19                 updates-testing 2.6 M
 nss-sysinit          x86_64 3.15.1-1.fc19                updates-testing  44 k
 nss-tools            x86_64 3.15.1-1.fc19                updates-testing 459 k
 python-devel         x86_64 2.7.5-3.fc19                 updates-testing 387 k
 ruby-devel           x86_64 2.0.0.247-12.fc19            updates-testing 124 k
 ruby-irb             noarch 2.0.0.247-12.fc19            updates-testing  85 k
 ruby-libs            x86_64 2.0.0.247-12.fc19            updates-testing 2.8 M
 rubygem-bigdecimal   x86_64 1.2.0-12.fc19                updates-testing  76 k
 rubygem-io-console   x86_64 0.4.2-12.fc19                updates-testing  47 k
 rubygem-psych        x86_64 2.0.0-12.fc19                updates-testing  74 k
 rubygems-devel       noarch 2.0.3-12.fc19                updates-testing  40 k
 seabios-bin          noarch 1.7.2.2-2.fc19               updates-testing  71 k
 seavgabios-bin       noarch 1.7.2.2-2.fc19               updates-testing  27 k
 tcp_wrappers         x86_64 7.6-74.fc19                  updates-testing  78 k
 tigervnc             x86_64 1.3.0-1.fc19                 updates-testing 207 k
 tigervnc-icons       noarch 1.3.0-1.fc19                 updates-testing  33 k
 tigervnc-license     noarch 1.3.0-1.fc19                 updates-testing  23 k
 tree                 x86_64 1.6.0-9.fc19                 updates-testing  46 k
 webkitgtk3           x86_64 2.0.3-2.fc19                 updates-testing  11 M
 xorg-x11-server-Xorg x86_64 1.14.2-3.fc19                updates-testing 1.3 M
 xorg-x11-server-Xvfb x86_64 1.14.2-3.fc19                updates-testing 800 k
 yum                  noarch 3.4.3-100.fc19               updates-testing 1.2 M
 yum-cron             noarch 3.4.3-100.fc19               updates-testing  52 k
Updating for dependencies:
 NetworkManager-glib  x86_64 1:0.9.8.2-8.git20130709.fc19 updates-testing 317 k
 eclipse-ptp-rdt      noarch 7.0.1-1.fc19                 updates-testing 2.5 M
 gimp-libs            x86_64 2:2.8.6-3.fc19               updates-testing 1.3 M
 glusterfs            x86_64 3.4.0-0.9.beta4.fc19         updates-testing 1.1 M
 libX11               i686   1.6.0-1.fc19                 updates-testing 596 k
 libX11               x86_64 1.6.0-1.fc19                 updates-testing 594 k
 libX11-common        noarch 1.6.0-1.fc19                 updates-testing 181 k
 libXvMC              x86_64 1.0.8-1.fc19                 updates-testing  22 k
 nss                  i686   3.15.1-1.fc19                updates-testing 840 k
 nss                  x86_64 3.15.1-1.fc19                updates-testing 843 k
 nss-softokn          i686   3.15.1-1.fc19                updates-testing 296 k
 nss-softokn          x86_64 3.15.1-1.fc19                updates-testing 293 k
 nss-softokn-freebl   i686   3.15.1-1.fc19                updates-testing 145 k
 nss-softokn-freebl   x86_64 3.15.1-1.fc19                updates-testing 160 k
 nss-util             i686   3.15.1-1.fc19                updates-testing  66 k
 nss-util             x86_64 3.15.1-1.fc19                updates-testing  67 k
 python               x86_64 2.7.5-3.fc19                 updates-testing  84 k
 python-libs          x86_64 2.7.5-3.fc19                 updates-testing 5.5 M
 ruby                 x86_64 2.0.0.247-12.fc19            updates-testing  64 k
 rubygems             noarch 2.0.3-12.fc19                updates-testing 322 k
 tcp_wrappers-libs    i686   7.6-74.fc19                  updates-testing  66 k
 tcp_wrappers-libs    x86_64 7.6-74.fc19                  updates-testing  66 k
 xorg-x11-server-common
                      x86_64 1.14.2-3.fc19                updates-testing  44 k

Transaction Summary
================================================================================
Upgrade  42 Packages (+23 Dependent packages)
Updates failed to install with the following error message: 
["Didn't install any keys"]

Version-Release number of selected component (if applicable):
yum-cron-3.4.3-99.fc19.noarch
Comment 1 Habig, Alec 2013-07-10 12:05:15 EDT
[caveat - I'm not the yum-cron maintainer anymore, it's part of yum proper]

But - is this really a bug?  I'm not sure I _want_ a cron job accepting new keys automatically.  The whole point of yum asking the user about a new key is so that the user can go verify that the key represents someone whom they trust to be updating their system with root authority.

In this case, yum-cron is doing the right thing by alerting the root email address that there's a new key, a human needs to verify that this key is trusted.  Looks like here that means that the human who enabled the adobe repository should verify that that it's really Adobe interactively: then yum-cron will happily keep things updated (till Adobe chances their key, which is another appropriate time for human intervention).
Comment 2 Orion Poplawski 2013-07-10 15:35:25 EDT
Bah, I knew it was part of yum now, just fat fingered the component I guess.

I'm not sure about the correct behavior here, although it is different than before.  However, in a managed, deployed environment (where yum-cron is probably most often used) manually checking that is not an option.  If there is no option to force yum-cron to accept new gpg keys, I guess I'll just import the keys in my kickstart %post or some such.
Comment 3 Habig, Alec 2013-07-10 20:06:08 EDT
Ahh, good point - didn't think of the initial run on a lot of recently deployed machines.  Rooting around on the man pages I didn't see a yum option for this (there is with rpm, of course).  If there were such an option, then adding that option to the yum-cron config file would do the trick for you.

I'll punt and hope one of the yum core guys knows?
Comment 4 Orion Poplawski 2013-07-24 13:52:55 EDT

*** This bug has been marked as a duplicate of bug 968529 ***

Note You need to log in before you can comment on or make changes to this bug.