Prolonged GPG keys are not updated on the system

[praiskup]

[root@pc-loznice yum.repos.d]# LANG=en_US.utf8 dnf update myvpn
Repository copr:copr.fedorainfracloud.org:praiskup:myvpn is listed more than once in the configuration
Last metadata expiration check: 2:15:50 ago on Thu 31 Aug 2023 08:22:03 PM CEST.
Dependencies resolved.
========================================================================================================================
 Package         Architecture     Version                 Repository                                               Size
========================================================================================================================
Upgrading:
 myvpn           x86_64           1.3-6.fc38              copr:copr.fedorainfracloud.org:praiskup:myvpn            36 k

Transaction Summary
========================================================================================================================
Upgrade  1 Package

Total size: 36 k
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] myvpn-1.3-6.fc38.x86_64.rpm: Already downloaded                                                              
error: Verifying a signature using certificate 519B71E71D5251A03A517DF8454724A7D1C452B2 (praiskup_myvpn (None) <praiskup#[email protected]>):
  1. Certificiate 454724A7D1C452B2 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-09-02T17:42:01Z
  2. Key 454724A7D1C452B2 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-09-02T17:42:01Z
error: Verifying a signature using certificate 519B71E71D5251A03A517DF8454724A7D1C452B2 (praiskup_myvpn (None) <praiskup#[email protected]>):
  1. Certificiate 454724A7D1C452B2 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-09-02T17:42:01Z
  2. Key 454724A7D1C452B2 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-09-02T17:42:01Z
Copr repo for myvpn owned by praiskup                                                   194  B/s | 998  B     00:05    
GPG key at https://download.copr.fedorainfracloud.org/results/praiskup/myvpn/pubkey.gpg (0xD1C452B2) is already installed
The GPG keys listed for the "Copr repo for myvpn owned by praiskup" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: myvpn-1.3-6.fc38.x86_64
 GPG Keys are configured as: https://download.copr.fedorainfracloud.org/results/praiskup/myvpn/pubkey.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

[praiskup]

[root@pc-loznice yum.repos.d]# rpm -qi gpg-pubkey-d1c452b2-59ac3ee9
Name        : gpg-pubkey
Version     : d1c452b2
Release     : 59ac3ee9
Architecture: (none)
Install Date: Pá 14. prosince 2018, 15:18:58
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Ne 3. září 2017, 19:42:01
Build Host  : localhost
Packager    : praiskup_myvpn (None) <praiskup#[email protected]>
Summary     : gpg(praiskup_myvpn (None) <praiskup#[email protected]>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.14.2.1 (NSS-3)

mQENBFmsPukBCADQShlYpNGZu+8+4gGWvDB82Z2AyWso+d9DpTHy/qTvU93oOR6V
hwVZgVT4ci9EU82GpC4HX9KEzm7CtJ9FC73r48W7zVzIpR4Crpci1l3zWEfiHSON
rTdcyifdHt9e1pG6WgiOLv8ToeNXZH7xpj0ijtepN0vngw0KNujFxYXZ+JH+SRPo
Dmaa8s/YQb9Pd1F3laDJm+I+rjz4MuSuBDpDxwUfJYhtItJM4tCMXMtIgUF5rT4/
Fax5GgpCFTsR+d0pg4S/sIx+qY14g2T3ibeqCmJdvLIIogxSK9XxEN46JiKnWz/W
fOGP7YyFovRNIJDxNK4fDFBAzHd+SNgRl821ABEBAAG0PHByYWlza3VwX215dnBu
IChOb25lKSA8cHJhaXNrdXAjbXl2cG5AY29wci5mZWRvcmFob3N0ZWQub3JnPokB
PQQTAQgAJwUCWaw+6QIbLwUJCWYBgAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAK
CRBFRySn0cRSshOOCADNOp6wJU92iMOfIMYLH7nbs2NFyPrboeuLFpRaxO3LFqyK
RuLzJP8hEqAoiVqsR0+GckLZ9D+LE3lAElgiHX52LRVSwdNv2w1sqm/NSNfBuqdj
U1Gu5vOnRgeYgPlll7HK+gnGJ6zhXrR7M+ZuY36sEI7LrtYUTAy6CY47kjYuqgss
sTYHQT3VzALbK7SY32V1BBS9p4iMwkMPDfHzR6tBKNmf8nE7cGpjHPds9ZJXOlVD
Z/HMuhAtTqwFy1yOJUVi6foGQGHvxh+0pmlaeR4Or57pAii1hLWH2ScE4dY2xEf/
kWOQeu3lqU7KR5asFBd2xjQpHVMAvAzmT/xkJzF4
=U0/K
-----END PGP PUBLIC KEY BLOCK-----

[praiskup]

Way around:

$ # drop the old key
$ rpm -e gpg-pubkey-d1c452b2-59ac3ee9  # drop the old key
$ # install the prolonged one
$ rpm --import https://download.copr.fedorainfracloud.org/results/praiskup/myvpn/pubkey.gpg

Is there a way to automatize this?

[praiskup]

Mirek claims that DNF and RPM has a separate gpg key database

[praiskup]

From Mirek, see also: https://bugzilla.redhat.com/show_bug.cgi?id=1768206

[praiskup]

See also discussion in #2935 -> that might open a door for very fast RPM re-signing.

[FrostyX]

Triage: We probably need to solve this in the DNF Copr plugin

[praiskup]

Related RPM discussion: rpm-software-management/rpm-sequoia#50 (comment)

[praiskup]

Triage time:

• could we have systemd timer for checking updated keys?
• could we a dnf plugin post-transaction? (but this woudl be too verbose and visible, slowing things down)
• could we dnf copr enable (re-enable) and do some magic in the background?
• could we have dnf copr refres-keys?

[FrostyX]

For the record, this happened to me with korkeala/clojure, we also got Matrix report about agriffis/neovim-nightly and Reddit post here https://www.reddit.com/r/Fedora/comments/181omz0/how_to_fix_expired_gpg_keys_on_old_copr_repos/

[praiskup]

New ticket against DNF4 rpm-software-management/dnf#2075

[purpleidea]

Certificiate

I've hit this issue too. As an aside, I greped a few repos to find this typo and I couldn't. If anyone could point me to that code I'd be interested, thanks!

[FrostyX]

Hello @purpleidea, I am not sure what typo do you mean and what code are you interested in. But here are few relevant links for you :-)

• Ticket for Dnf4 - Refresh PGP keys, e.g. when prolonging an expiration time rpm-software-management/dnf#2075
• Ticket for Dnf5 - Refresh PGP keys, e.g. when prolonging an expiration time rpm-software-management/dnf5#1192
• Ticket for RPM - rpm --import does not replace old keys with new keys rpm-software-management/rpm#2577
• PR fixing this in RPM - Implement merging of new key material when importing pubkeys rpm-software-management/rpm#3083
• PR with a Dnf4 plugin working around the issue - expired-gpg-keys: new plugin to detect expired GPG keys rpm-software-management/dnf-plugins-core#533
  • IIRC Something like this will be implemented for Dnf5 as well

We keep this Copr issue open so that users know this can happen and use it as a starting point but there isn't actually any relevant bug in Copr. Everything needs to be fixed on the Dnf and RPM side of things.

[FrostyX]

Current status:

• The rpm and rpm-sequoia code is finished and merged to master but not released yet
• The DNF4 plugin was released in dnf-plugins-core-4.9.0, but it is disabled by default. Users need to explicitly use --enableplugin=expired-pgp-keys or enable the plugin in /etc/dnf/plugins/expired-pgp-keys.conf. We agreed with @jan-kolarik that it needs to be disabled by default but that we should change the "GPG check FAILED" error to provide instructions to use the plugin for resolving the issue.
  • On GPG check FAILED recommend using --enableplugin=expired-pgp-keys rpm-software-management/dnf#2156
• AFAIK there are no blockers for DNF5 anymore, and the feature (enabled by default) could potentially land in F42. I pinged the ticket but no response yet.

[FrostyX]

Users need to explicitly use --enableplugin=expired-pgp-keys or enable the plugin in /etc/dnf/plugins/expired-pgp-keys.conf. We agreed with @jan-kolarik that it needs to be disabled by default but that we should change the "GPG check FAILED" error to provide instructions to use the plugin for resolving the issue.

I submitted a PR rpm-software-management/dnf#2166

[FrostyX]

Change proposal for F42 - https://fedoraproject.org/wiki/Changes/Dnf5ExpiredPGPKeys

[praiskup]

Kept open just to track Jakub's PR against DNF4

[praiskup]

PR merged. Closing, nice!

[TomaszGasior]

@praiskup Is this issue solved also when using DNF5 which is default in current Fedora?

[FrostyX]

@TomaszGasior, no, unfortunately F41 is the one weird release in-between fixes.

F39 with DNF4 has a plugin to remove the expired keys
https://github.com/rpm-software-management/dnf-plugins-core/blob/master/plugins/expired-pgp-keys.py
and should start recommending the plugin soon
rpm-software-management/dnf#2166

F42+ with DNF5 should have this behavior in the DNF itself and enabled by default
https://fedoraproject.org/wiki/Changes/Dnf5ExpiredPGPKeys

On F41 you should IMHO be able to use the DNF4 plugin even if you use DNF5 as your main package manager. But as a user, you have no way of knowing about it.

[TomaszGasior]

@FrostyX

But as a user, you have no way of knowing about it.

That's important issue. Can we somehow fix it? Maybe some noticeable message in COPR website?

[FrostyX]

That's important issue.

I agree with you that it is, that's why I submitted the PR for DNF4 to improve the error message :-)

But no, I don't think there is anything we can do for F41. We are constrained by the fact that DNF5 is the default package manager and the feature is not yet implemented there. It should be ready for F42 and enabled by default, so there won't be any need to discover this in a short future. Someone could improve the DNF5 error message for F41 specifically, to recommend the DNF4 plugin, but this brings additional issues (e.g. what if DNF4 isn't installed?). So I think it's not worth it, given the fact, RPM, Yum, and DNF have had this issue from the very beginning. Leaving F41 as the only not-fixed version is something I can live with :D

Though, I am not trying to discourage anyone from improving the situation on F41. If anyone is interested, please do so. Feel free to ping me off-list, I can give you some pointers. But I am not planning to work on it any further, and I think the rest of the Copr team isn't either.