Open dwrobel opened 11 months ago
One addition which might shed some light:
# cat old.gpg | sq packet dump >dump.old
# wget -q -O - https://openhab.jfrog.io/artifactory/api/gpg/key/public | sq packet dump >dump.new
# diff -u dump.old dump.new
--- dump.old 2023-07-19 15:33:58.584109235 -0400
+++ dump.new 2023-07-19 15:34:02.996026883 -0400
@@ -22,11 +22,11 @@
Features: MDC
Keyserver preferences: no modify
Issuer Fingerprint: EDB7D0304E2FCAF629DF1163075721F6A224060A
- Signature creation time: 2019-07-24 20:40:44 UTC
- Key expiration time: P2921DT6022S
+ Signature creation time: 2023-07-02 14:30:08 UTC
+ Key expiration time: P5524DT62971S
Unhashed area:
Issuer: 075721F6A224060A
- Digest prefix: 67CC
+ Digest prefix: E246
Level: 0 (signature over data)
Public-Subkey Packet, old CTB, 525 bytes
@@ -45,10 +45,10 @@
Hashed area:
Key flags: EtEr
Issuer Fingerprint: EDB7D0304E2FCAF629DF1163075721F6A224060A
- Signature creation time: 2019-07-24 20:46:24 UTC
- Key expiration time: P2922DT6362S
+ Signature creation time: 2023-07-02 19:19:02 UTC
+ Key expiration time: P5524DT80312S
Unhashed area:
Issuer: 075721F6A224060A
- Digest prefix: 0CB8
+ Digest prefix: EB75
Level: 0 (signature over data)
Were there any changes with the key on: 2023-07-02 14:30:08 UTC
?
Hi @dwrobel, thanks for letting us know!
The public key was expiring so was updated on the 2023-07-02. There was no change to the private key used to sign the package so I am a little unsure what would be causing the issue.
I'll try to recreate the problem and advise.
@dwrobel, I couldn't replicate the issue but in each test the DNF install had to install the new key.
# rpmkeys --checksig --root / --verbose --define="_pkgverify_level signature" --define="_pkgverify_flags 0x0" openhab-3.4.4-2.noarch.rpm
openhab-3.4.4-2.noarch.rpm:
Header V4 RSA/SHA256 Signature, key ID a224060a: OK
[...]
Does dnf clean all
and dnf install openhab --refresh
solve the issue?
I couldn't replicate the issue but in each test the DNF install had to install the new key.
I can reproduce it without any problem. It's just enough for me to remove the good GPG key (the one which content ends up with '=r37a' string):
# rpm -qi gpg-pubkey-a224060a-55b3f8e6 | tail -n3
=r37a
-----END PGP PUBLIC KEY BLOCK-----
# rpm -e gpg-pubkey-a224060a-55b3f8e6
# rpm -qv openhab
openhab-3.4.4-2.noarch
# dnf install openhab --refresh
Copr repo for bcm283x-firmware-rpi owned by dwrobel 5.7 kB/s | 1.8 kB 00:00
Copr repo for bcm434xx-firmware-rpi owned by dwrobel 6.4 kB/s | 1.8 kB 00:00
Copr repo for kernel-rpi owned by dwrobel 3.4 kB/s | 1.8 kB 00:00
Copr repo for livecd-tools owned by dwrobel 5.1 kB/s | 3.0 kB 00:00
Copr repo for pykickstart owned by dwrobel 10 kB/s | 3.0 kB 00:00
Copr repo for golang-github-influxdata-influxdb owned by dwrobel 12 kB/s | 3.3 kB 00:00
Copr repo for mqtt-mysensors owned by dwrobel 3.3 kB/s | 1.8 kB 00:00
Fedora 38 - aarch64 17 kB/s | 14 kB 00:00
Fedora 38 openh264 (From Cisco) - aarch64 1.5 kB/s | 990 B 00:00
Fedora Modular 38 - aarch64 21 kB/s | 14 kB 00:00
Fedora 38 - aarch64 - Updates 18 kB/s | 13 kB 00:00
Fedora Modular 38 - aarch64 - Updates 19 kB/s | 13 kB 00:00
openHAB Stable 2.3 kB/s | 1.4 kB 00:00
Package openhab-3.4.4-2.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
# dnf reinstall openhab
Last metadata expiration check: 0:01:12 ago on Fri 21 Jul 2023 02:48:07 PM CEST.
Dependencies resolved.
================================================================================================================================================================================================================
Package Architecture Version Repository Size
================================================================================================================================================================================================================
Reinstalling:
openhab noarch 3.4.4-2 openHAB-Stable 99 M
Transaction Summary
================================================================================================================================================================================================================
Total size: 99 M
Installed size: 110 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] openhab-3.4.4-2.noarch.rpm: Already downloaded
openHAB Stable 5.0 kB/s | 3.1 kB 00:00
Importing GPG key 0xA224060A:
Userid : "openHAB Bintray Repositories <owner@openhab.org>"
Fingerprint: EDB7 D030 4E2F CAF6 29DF 1163 0757 21F6 A224 060A
From : https://openhab.jfrog.io/artifactory/api/gpg/key/public
Is this ok [y/N]: y
Key imported successfully
error: Verifying a signature using certificate EDB7D0304E2FCAF629DF1163075721F6A224060A (openHAB Bintray Repositories <owner@openhab.org>):
1. Certificate 075721F6A224060A invalid: policy violation
because: No binding signature at time 2023-05-07T20:56:18Z
2. Certificate has no valid binding signature as of the signature's creation time, but is valid now. The certificate has probably been stripped or minimized.
error: Verifying a signature using certificate EDB7D0304E2FCAF629DF1163075721F6A224060A (openHAB Bintray Repositories <owner@openhab.org>):
1. Certificate 075721F6A224060A invalid: policy violation
because: No binding signature at time 2023-05-07T20:56:29Z
2. Certificate has no valid binding signature as of the signature's creation time, but is valid now. The certificate has probably been stripped or minimized.
Import of key(s) didn't help, wrong key(s)?
Public key for openhab-3.4.4-2.noarch.rpm is not trusted. Failing package is: openhab-3.4.4-2.noarch
GPG Keys are configured as: https://openhab.jfrog.io/artifactory/api/gpg/key/public
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
# echo $?
1
# rpm -qv rpm dnf
rpm-4.18.1-3.fc38.aarch64
dnf-4.16.1-1.fc38.noarch
Thanks again @dwrobel, I can now replicate using the same steps. This isn't happening with the latest milestone or any of the current snapshots for openHAB 4.
@kaikreuzer fyi.
I think the best thing to do is to try and release a 3.4.4-3 (assuming it will work as the other new packages are) so that a working openHAB 3 package exists. I can then find what maybe causing it.
I think the best thing to do is to try and release a 3.4.4-3
@BClark09 Here you go: https://ci.openhab.org/view/Release%20Jobs/job/openhab-linuxpkg-release/24/
I built https://ci.openhab.org/view/Release%20Jobs/job/openhab-linuxpkg-patch-release/4/console instead because I think that one tracks the main branch rather than the 3.x branch therefore requiring Java 17.
I think I'll rename this now that openHAB 4 is out.
openhab-linuxpkg-patch-release -> openhab-linuxpkg-3-release
Ah, you're right, I used the wrong build plan... 🙄
I'm trying to install
openhab-3.4.4-2.noarch.rpm
onFedora38
Server
aarch64
platform.I have the
.repo
file:Installation fails as follows:
Output from
rpmkeys
:Key info:
FYI, I have two other machines where I have exactly the same package installed without any problems. The only difference is that I don't remember when the RPM keys got installed on those machines.
Here is the key info on machine on which I have the package already installed:
Comparing the content (within BEGIN and END lines) returns the following (where the old-key is from the machine which already has the package installed):
If I copy the key from machine where the package is installed (using rpm -qi gpg-pubkey-a224060a-55b3f8e6) then erase and import it on the new machine then I can successfully install the package: