brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Mismatched public key and signing key for release channel #24886

Open bobanite opened 2 years ago

bobanite commented 2 years ago

Description

Trying to install browser (and keyring) from the release channel (currently version 1.42.97-1 for browser and 1.10-1 for keyring) on CentOS 7.9.2009 as per the instructions on the website. However, it seems the key used to sign the current release is different from the key available on the brave server.

Steps to Reproduce

% sudo dnf install dnf-plugins-core
% sudo dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/x86_64/
% sudo rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
% sudo dnf install brave-browser

Actual result:

Downloading Packages:
(1/2): brave-keyring-1.10-1.noarch.rpm                                             59 kB/s |  11 kB     00:00    
(2/2): brave-browser-1.42.97-1.x86_64.rpm                                                                8.8 MB/s |  96 MB     00:10    
-----------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                    8.8 MB/s |  96 MB     00:10     
warning: /var/cache/dnf/brave-browser-rpm-release.s3.brave.com_x86_64_-d55d330619c02b48/packages/brave-browser-1.42.97-1.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 82d3dc6c: NOKEY
Public key for brave-browser-1.42.97-1.x86_64.rpm is not installed
Public key for brave-keyring-1.10-1.noarch.rpm is not installed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Version/Channel Information:

This is an issue with the release channel, but it is NOT an issue with the nightly channel. I followed the same procedure with the nightly channel and the keys for that seem to match. I therefore believe this is not an issue with my own setup/OS, but rather a genuine issue with mismatched keys (for the release channel only).

Other Additional Information:

I have tried removing and re-installing the public key from the brave server, but to no avail:

% rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-f4a80eb5-53a7ff4b    gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>)
gpg-pubkey-6a8a26f9-5b4e234c    gpg(Brave Software (Brave Core Nightly Key) (We're reinventing the browser as a user-first platform for speed and privacy.) <support@brave.com>)
gpg-pubkey-c2d4e821-6285304f    gpg(Brave Software <support@brave.com>)

PovelikinRostislav commented 2 years ago

The same issue for me on CentOS 7. After executing in accordance with the instructions:

sudo dnf install dnf-plugins-core
sudo dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/x86_64/
sudo rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
sudo dnf install brave-browser

Unfortunately, brave-keyring is failing the install with the following log:

sudo yum install brave-keyring
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.interhost.net.il
 * epel: mirror.de.leaseweb.net
 * extras: centos.interhost.net.il
 * updates: centos.interhost.net.il
Resolving Dependencies
--> Running transaction check
---> Package brave-keyring.noarch 0:1.10-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================================================================================================================================================
 Package                                                  Arch                                              Version                                            Repository                                                                                 Size
===============================================================================================================================================================================================================================================================
Installing:
 brave-keyring                                            noarch                                            1.10-1                                             brave-browser-rpm-release.s3.brave.com_x86_64_                                             11 k

Transaction Summary
===============================================================================================================================================================================================================================================================
Install  1 Package

Total size: 11 k
Installed size: 11 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/brave-browser-rpm-release.s3.brave.com_x86_64_/packages/brave-keyring-1.10-1.noarch.rpm: Header V4 RSA/SHA512 Signature, key ID 82d3dc6c: NOKEY

Public key for brave-keyring-1.10-1.noarch.rpm is not installed

aries223 commented 1 year ago

Same issue, GPG Check Failed..

madscientist16 commented 1 year ago

I had the same issue with brave-keyring failing to install, but after adding the beta/nightly keys I was able to install it.
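
The comparison the reports above make by eye, as an added example (not part of the thread and not Brave's tooling): a POSIX shell check that pulls the key ID out of the `NOKEY` warning and tests it against the key IDs listed by `rpm -q gpg-pubkey`. The sample lines are abridged copies of the outputs posted in this issue; the function names are assumptions.

```shell
#!/bin/sh
# Added example: which signing key IDs from NOKEY warnings are absent
# from the rpm keyring? Sample input is abridged from this issue ("...").
sample_dnf() { cat <<'EOF'
warning: /var/cache/yum/.../brave-keyring-1.10-1.noarch.rpm: Header V4 RSA/SHA512 Signature, key ID 82d3dc6c: NOKEY
Public key for brave-keyring-1.10-1.noarch.rpm is not installed
EOF
}
sample_keyring() { cat <<'EOF'
gpg-pubkey-f4a80eb5-53a7ff4b	gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>)
gpg-pubkey-6a8a26f9-5b4e234c	gpg(Brave Software (Brave Core Nightly Key) ...)
gpg-pubkey-c2d4e821-6285304f	gpg(Brave Software <support@brave.com>)
EOF
}

# Key IDs that a dnf/yum transcript on stdin reports as NOKEY, one per line.
nokey_ids() {
    sed -n 's/.*[Kk]ey ID \([0-9A-Fa-f]\{8,16\}\): NOKEY.*/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# Short key IDs of imported keys, from `rpm -q gpg-pubkey` output on stdin.
# In gpg-pubkey-<version>-<release>, <version> is the key's short ID.
installed_ids() {
    sed -n 's/^gpg-pubkey-\([0-9a-f]\{8\}\)-[0-9a-f]\{8\}.*/\1/p' | sort -u
}

# Print every NOKEY ID in $1 whose last 8 hex digits are not listed in $2.
missing_ids() {
    for id in $1; do
        short=$(printf '%s' "$id" | tail -c 8)
        printf '%s\n' "$2" | grep -qxF "$short" || printf '%s\n' "$id"
    done
}

missing=$(missing_ids "$(sample_dnf | nokey_ids)" "$(sample_keyring | installed_ids)")
if [ -n "$missing" ]; then
    echo "signing key ID(s) not in the rpm keyring: $missing"
else
    echo "every signing key ID has a matching gpg-pubkey entry"
fi
```

On a real host, feed `installed_ids` from `rpm -q gpg-pubkey` and `nokey_ids` from the saved dnf/yum output. The check compares 32-bit short IDs only, so confirm the full fingerprint of any key before importing it.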