coreos / rpm-ostree

⚛📦 Hybrid image/package system with atomic upgrades and package layering
https://coreos.github.io/rpm-ostree

can't install rpms from repo with gpgkey=http(s) #1094

Open dustymabe opened 6 years ago

dustymabe commented 6 years ago

Tried on CentOS 7.1708 and Fedora 26.157.

I install cuda-repo-rhel7 rpm and it has a repo file like:

# cat /etc/yum.repos.d/cuda.repo 
[cuda]
name=cuda
baseurl=http://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64
enabled=1
gpgcheck=1
gpgkey=http://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/7fa2af80.pub

rpm-ostree install cuda-license-9-0 can't seem to handle the http(s) gpgkey file over http as I get:

error: package cuda-license-9-0-9.0.176-1.x86_64 cannot be verified and repo cuda is GPG enabled: failed to lookup digest in keyring for /var/cache/rpm-ostree/repomd/cuda/packages/cuda-license-9-0-9.0.176-1.x86_64.rpm

yum seems to handle this fine.

dustymabe commented 6 years ago

Note this seems related to https://github.com/projectatomic/rpm-ostree/issues/1093, but in that case he/she got "error: Failed to download gpg key for repo", which is odd because my system doesn't seem to be attempting to download the file.

miabbott commented 5 years ago

This seems to affect installation of the Brave Browser, too. I used their install instructions as a guide and came up with the following:

$ cat /etc/yum.repos.d/brave.repo 
[brave-browser]
name=Brave Browser
baseurl=https://brave-browser-rpm-release.s3.brave.com/x86_64/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-brave-core
gpgcheck=1

$ sudo rpm-ostree install brave-browser
Checking out tree 986977e... done
Enabled rpm-md repositories: updates fedora fedora-cisco-openh264 rpmfusion-free-updates rpmfusion-free rpmfusion-nonfree-updates rpmfusion-nonfree brave-browser
rpm-md repo 'updates' (cached); generated: 2019-04-08T01:48:21Z
rpm-md repo 'fedora' (cached); generated: 2018-10-24T22:20:15Z
rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2019-03-21T14:55:22Z
rpm-md repo 'rpmfusion-free-updates' (cached); generated: 2019-04-07T20:27:32Z
rpm-md repo 'rpmfusion-free' (cached); generated: 2018-10-23T11:05:19Z
rpm-md repo 'rpmfusion-nonfree-updates' (cached); generated: 2019-04-07T21:10:51Z
rpm-md repo 'rpmfusion-nonfree' (cached); generated: 2018-10-23T11:34:17Z
rpm-md repo 'brave-browser' (cached); generated: 2019-04-05T18:57:39Z
Importing rpm-md... done
Resolving dependencies... done
Will download: 3 packages (3.9 MB)
Downloading from 'fedora'... done
Importing packages... done
error: package brave-browser-0.62.51-1.x86_64 cannot be verified and repo brave-browser is GPG enabled: failed to lookup digest in keyring for /var/cache/rpm-ostree/repomd/brave-browser-29-x86_64/packages/brave-browser-0.62.51-1.x86_64.rpm

This is also affecting other Silverblue users in the forums.

jlebon commented 5 years ago

Hmm I think that one is because the RPM is signed with a subkey:

[root@f29-ros ~]# gpg brave-core.asc
pub  4096R/C2D4E821 2018-10-15 Brave Software <support@brave.com>
sub  2048R/E3FFC656 2018-10-15 [expires: 2019-04-13]
[root@f29-ros ~]# rpm -qip /var/cache/rpm-ostree/repomd/brave-browser-29-x86_64/packages/brave-browser-0.62.51-1.x86_64.rpm  | grep Signature
warning: /var/cache/rpm-ostree/repomd/brave-browser-29-x86_64/packages/brave-browser-0.62.51-1.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID e3ffc656: NOKEY
Signature   : RSA/SHA512, Fri 05 Apr 2019 06:48:56 PM UTC, Key ID 4fe13824e3ffc656

(Notice the key ID of the package matches the subkey).

Fix in https://github.com/rpm-software-management/libdnf/pull/711.
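
A diagnostic for the mismatch described in the comment above, written as an added example that is not part of the original thread or of rpm-ostree/libdnf: it parses the legacy `gpg` listing and the `rpm -qip` Signature line quoted there and reports whether the package was signed by the primary key or by a subkey. The function names (`parse_keys`, `signature_key_id`, `classify`) are hypothetical.

```python
import re
from datetime import date

# Sample inputs copied from the command output quoted in the comment above.
GPG_LISTING = """\
pub  4096R/C2D4E821 2018-10-15 Brave Software <support@brave.com>
sub  2048R/E3FFC656 2018-10-15 [expires: 2019-04-13]
"""
RPM_SIGNATURE = "Signature   : RSA/SHA512, Fri 05 Apr 2019 06:48:56 PM UTC, Key ID 4fe13824e3ffc656"

KEY_LINE = re.compile(
    r"^(pub|sub)\s+\d+[A-Za-z]/([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})"
    r"(?:.*\[expires: (\d{4}-\d{2}-\d{2})\])?", re.M)

def parse_keys(listing):
    """Return [(kind, key_id, expires_or_None)] from a legacy gpg key listing."""
    keys = []
    for kind, key_id, _created, expires in KEY_LINE.findall(listing):
        keys.append((kind, key_id.lower(),
                     date.fromisoformat(expires) if expires else None))
    return keys

def signature_key_id(sig_line):
    """Extract the signing key ID from an `rpm -qip` Signature line."""
    m = re.search(r"Key ID ([0-9A-Fa-f]{8,16})", sig_line)
    if not m:
        raise ValueError("no key ID in signature line")
    return m.group(1).lower()

def classify(listing, sig_line, today=None):
    """Return 'primary', 'subkey', 'subkey-expired' or 'unknown'."""
    sig_id = signature_key_id(sig_line)
    for kind, key_id, expires in parse_keys(listing):
        # gpg prints short (8 hex) IDs here while rpm prints 16, so compare
        # the common tail. Short IDs can collide: this is a diagnostic hint,
        # not a trust decision.
        n = min(len(key_id), len(sig_id))
        if key_id[-n:] != sig_id[-n:]:
            continue
        if kind == "pub":
            return "primary"
        if today and expires and today > expires:
            return "subkey-expired"
        return "subkey"
    return "unknown"
```

Passing `today` also flags a signing subkey that has since expired, which matters here because the listed subkey carries an expiry date.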