983136 – yum-cron will not import keys, fails to install any updates if a new key is needed

Bug 983136 - yum-cron will not import keys, fails to install any updates if a new key is needed

Summary: yum-cron will not import keys, fails to install any updates if a new key is n...

Keywords:
Status:	CLOSED DUPLICATE of bug 968529
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	yum
Sub Component:
Version:	19
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Packaging Maintenance Team
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-07-10 15:14 UTC by Orion Poplawski
Modified:	2013-07-24 17:52 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-07-24 17:52:55 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Orion Poplawski 2013-07-10 15:14:04 UTC

Description of problem:

If a key has not yet been imported into the database, yum-cron will not apply any of the updates.  e.g.:

warning: /var/cache/yum/x86_64/19/adobe-linux-x86_64/packages/flash-plugin-11.2.202.297-release.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID f6777c67: NOKEY
Public key for flash-plugin-11.2.202.297-release.x86_64.rpm is not installed
Importing GPG key 0xF6777C67:
 Userid     : "Adobe Systems Incorporated (Linux RPM Signing Key) <secure>"
 Fingerprint: 78a8 75e9 7f09 06bd 6355 73fa 3a69 bd24 f677 7c67
 Package    : adobe-release-x86_64-1.0-1.noarch (@adobe-linux-x86_64)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
The following updates will be applied on barry.cora.nwra.com:
================================================================================
 Package              Arch   Version                      Repository       Size
================================================================================
Updating:
 NetworkManager       x86_64 1:0.9.8.2-8.git20130709.fc19 updates-testing 1.0 M
 alsa-lib             i686   1.0.27.2-1.fc19              updates-testing 384 k
 alsa-lib             x86_64 1.0.27.2-1.fc19              updates-testing 385 k
 ca-certificates      noarch 2012.87-10.4.fc19            updates-testing 351 k
 colord               x86_64 1.0.2-1.fc19                 updates-testing 431 k
 colord-libs          x86_64 1.0.2-1.fc19                 updates-testing 145 k
 eclipse-photran      noarch 8.1.1-1.fc19                 updates-testing 6.9 M
 eclipse-photran-intel
                      noarch 8.1.1-1.fc19                 updates-testing  52 k
 eclipse-ptp          x86_64 7.0.1-1.fc19                 updates-testing  38 M
 eclipse-ptp-rdt-xlc  noarch 7.0.1-1.fc19                 updates-testing 120 k
 filesystem           x86_64 3.2-13.fc19                  updates-testing 1.0 M
 findutils            x86_64 1:4.5.11-2.fc19              updates-testing 557 k
 flash-plugin         x86_64 11.2.202.297-release         adobe-linux-x86_64
                                                                          6.9 M
 gimp                 x86_64 2:2.8.6-3.fc19               updates-testing  14 M
 glusterfs-api        x86_64 3.4.0-0.9.beta4.fc19         updates-testing  47 k
 glusterfs-fuse       x86_64 3.4.0-0.9.beta4.fc19         updates-testing  89 k
 grep                 x86_64 2.14-4.fc19                  updates-testing 330 k
 libX11-devel         x86_64 1.6.0-1.fc19                 updates-testing 978 k
 libXvMC-devel        x86_64 1.0.8-1.fc19                 updates-testing  19 k
 mercurial            x86_64 2.6.3-1.fc19                 updates-testing 2.6 M
 nss-sysinit          x86_64 3.15.1-1.fc19                updates-testing  44 k
 nss-tools            x86_64 3.15.1-1.fc19                updates-testing 459 k
 python-devel         x86_64 2.7.5-3.fc19                 updates-testing 387 k
 ruby-devel           x86_64 2.0.0.247-12.fc19            updates-testing 124 k
 ruby-irb             noarch 2.0.0.247-12.fc19            updates-testing  85 k
 ruby-libs            x86_64 2.0.0.247-12.fc19            updates-testing 2.8 M
 rubygem-bigdecimal   x86_64 1.2.0-12.fc19                updates-testing  76 k
 rubygem-io-console   x86_64 0.4.2-12.fc19                updates-testing  47 k
 rubygem-psych        x86_64 2.0.0-12.fc19                updates-testing  74 k
 rubygems-devel       noarch 2.0.3-12.fc19                updates-testing  40 k
 seabios-bin          noarch 1.7.2.2-2.fc19               updates-testing  71 k
 seavgabios-bin       noarch 1.7.2.2-2.fc19               updates-testing  27 k
 tcp_wrappers         x86_64 7.6-74.fc19                  updates-testing  78 k
 tigervnc             x86_64 1.3.0-1.fc19                 updates-testing 207 k
 tigervnc-icons       noarch 1.3.0-1.fc19                 updates-testing  33 k
 tigervnc-license     noarch 1.3.0-1.fc19                 updates-testing  23 k
 tree                 x86_64 1.6.0-9.fc19                 updates-testing  46 k
 webkitgtk3           x86_64 2.0.3-2.fc19                 updates-testing  11 M
 xorg-x11-server-Xorg x86_64 1.14.2-3.fc19                updates-testing 1.3 M
 xorg-x11-server-Xvfb x86_64 1.14.2-3.fc19                updates-testing 800 k
 yum                  noarch 3.4.3-100.fc19               updates-testing 1.2 M
 yum-cron             noarch 3.4.3-100.fc19               updates-testing  52 k
Updating for dependencies:
 NetworkManager-glib  x86_64 1:0.9.8.2-8.git20130709.fc19 updates-testing 317 k
 eclipse-ptp-rdt      noarch 7.0.1-1.fc19                 updates-testing 2.5 M
 gimp-libs            x86_64 2:2.8.6-3.fc19               updates-testing 1.3 M
 glusterfs            x86_64 3.4.0-0.9.beta4.fc19         updates-testing 1.1 M
 libX11               i686   1.6.0-1.fc19                 updates-testing 596 k
 libX11               x86_64 1.6.0-1.fc19                 updates-testing 594 k
 libX11-common        noarch 1.6.0-1.fc19                 updates-testing 181 k
 libXvMC              x86_64 1.0.8-1.fc19                 updates-testing  22 k
 nss                  i686   3.15.1-1.fc19                updates-testing 840 k
 nss                  x86_64 3.15.1-1.fc19                updates-testing 843 k
 nss-softokn          i686   3.15.1-1.fc19                updates-testing 296 k
 nss-softokn          x86_64 3.15.1-1.fc19                updates-testing 293 k
 nss-softokn-freebl   i686   3.15.1-1.fc19                updates-testing 145 k
 nss-softokn-freebl   x86_64 3.15.1-1.fc19                updates-testing 160 k
 nss-util             i686   3.15.1-1.fc19                updates-testing  66 k
 nss-util             x86_64 3.15.1-1.fc19                updates-testing  67 k
 python               x86_64 2.7.5-3.fc19                 updates-testing  84 k
 python-libs          x86_64 2.7.5-3.fc19                 updates-testing 5.5 M
 ruby                 x86_64 2.0.0.247-12.fc19            updates-testing  64 k
 rubygems             noarch 2.0.3-12.fc19                updates-testing 322 k
 tcp_wrappers-libs    i686   7.6-74.fc19                  updates-testing  66 k
 tcp_wrappers-libs    x86_64 7.6-74.fc19                  updates-testing  66 k
 xorg-x11-server-common
                      x86_64 1.14.2-3.fc19                updates-testing  44 k

Transaction Summary
================================================================================
Upgrade  42 Packages (+23 Dependent packages)
Updates failed to install with the following error message: 
["Didn't install any keys"]

Version-Release number of selected component (if applicable):
yum-cron-3.4.3-99.fc19.noarch

Comment 1 Habig, Alec 2013-07-10 16:05:15 UTC

[caveat - I'm not the yum-cron maintainer anymore, it's part of yum proper]

But - is this really a bug?  I'm not sure I _want_ a cron job accepting new keys automatically.  The whole point of yum asking the user about a new key is so that the user can go verify that the key represents someone whom they trust to be updating their system with root authority.

In this case, yum-cron is doing the right thing by alerting the root email address that there's a new key, a human needs to verify that this key is trusted.  Looks like here that means that the human who enabled the adobe repository should verify that that it's really Adobe interactively: then yum-cron will happily keep things updated (till Adobe chances their key, which is another appropriate time for human intervention).

Comment 2 Orion Poplawski 2013-07-10 19:35:25 UTC

Bah, I knew it was part of yum now, just fat fingered the component I guess.

I'm not sure about the correct behavior here, although it is different than before.  However, in a managed, deployed environment (where yum-cron is probably most often used) manually checking that is not an option.  If there is no option to force yum-cron to accept new gpg keys, I guess I'll just import the keys in my kickstart %post or some such.

Comment 3 Habig, Alec 2013-07-11 00:06:08 UTC

Ahh, good point - didn't think of the initial run on a lot of recently deployed machines.  Rooting around on the man pages I didn't see a yum option for this (there is with rpm, of course).  If there were such an option, then adding that option to the yum-cron config file would do the trick for you.

I'll punt and hope one of the yum core guys knows?

Comment 4 Orion Poplawski 2013-07-24 17:52:55 UTC


*** This bug has been marked as a duplicate of bug 968529 ***

Note You need to log in before you can comment on or make changes to this bug.