rpm-software-management / libdnf

Package management library.
GNU Lesser General Public License v2.1

issue with new fedora 37 GPG key #1320

Open dustymabe opened 3 years ago

dustymabe commented 3 years ago

I believe the new GPG key introduced in https://src.fedoraproject.org/rpms/fedora-repos/c/688de4b2d4bf3411433d7e0978030b3a2cb37795?branch=rawhide is causing issues for microdnf and rpm-ostree (consumers of libdnf):

bash-5.1# microdnf install bird 
Downloading metadata...
Downloading metadata...
Package                                                                                           Repository                             Size
Installing:                                                                                                                                  
 bird-2.0.8-2.fc35.x86_64                                                                         rawhide                     437.5\xc2\xa0kB
 libsemanage-3.2-4.fc35.x86_64                                                                    rawhide                     118.3\xc2\xa0kB
 shadow-utils-2:4.9-2.fc36.x86_64                                                                 rawhide                       1.2\xc2\xa0MB
Transaction Summary:
 Installing:        3 packages
 Reinstalling:      0 packages
 Upgrading:         0 packages
 Obsoleting:        0 packages
 Removing:          0 packages
 Downgrading:       0 packages
Is this ok [y/N]: y
Downloading packages...

(microdnf:3): libdnf-WARNING **: 19:56:51.924: PKI file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-primary is not a public key
error: PKI file /var/cache/yum/metadata/rawhide-rawhide-x86_64/RPM-GPG-KEY-fedora-37-$basearch is not a public key

[core@cosa-devsh ~]$ sudo rpm-ostree install bird
Checking out tree 0777f1c... done
Enabled rpm-md repositories: fedora-cisco-openh264 rawhide
Updating metadata for 'fedora-cisco-openh264'... done
Updating metadata for 'rawhide'... done
Importing rpm-md... done
rpm-md repo 'fedora-cisco-openh264'; generated: 2021-02-23T00:47:28Z solvables: 4
rpm-md repo 'rawhide'; generated: 2021-08-14T08:29:12Z solvables: 65430
Resolving dependencies... done
Will download: 1 package (437.5?kB)
Downloading from 'rawhide'... done
error: PKI file /var/cache/rpm-ostree/repomd/rawhide-rawhide-x86_64/RPM-GPG-KEY-fedora-37-$basearch is not a public key

bash-5.1# rpm -q libdnf
libdnf-0.63.1-3.fc35.x86_64

While dnf itself seems fine with the new key. Can someone look into what the issue is with the new key?

Originally reported over in https://github.com/coreos/fedora-coreos-tracker/issues/925

cgwalters commented 3 years ago

Copying over this bit https://github.com/coreos/fedora-coreos-tracker/issues/925#issuecomment-899785161 - it looks like the real issue may be in librpm. A big difference between dnf and libdnf is that the former uses gpg to parse the key, whereas libdnf uses rpm's bespoke PGP code.

I get the same error message from trying

$ rpm --import f37.pgp
error: f37.pgp: key 1 not an armored public key.
$

cgwalters commented 3 years ago

https://src.fedoraproject.org/rpms/fedora-repos/pull-request/112

dustymabe commented 3 years ago

OK, https://src.fedoraproject.org/rpms/fedora-repos/pull-request/112 merged, but...

should we try to get the underlying libraries fixed so we don't have this problem in the future?

should this issue be transferred to be against rpm?

AdamWill commented 3 years ago

Aha, thank you for figuring this out, Colin! I got around to it today and was banging my head against it. It affects anything PackageKit-based, for the record - pkcon refresh prompts for 'untrusted packages' because of it, and both Cockpit and GNOME Software show this "is not a GPG key" error.

dustymabe commented 3 years ago

Can we still drive down on this issue and fix the underlying library so we don't hit this again?

MateusRodCosta commented 2 years ago

Hi, any progress on this?

I have to run a specific application for work (Keybase) on Fedora Silverblue and its repo is affected by this. So, instead of having it be updated along with the system, I have to disable the repo and every once in a while I have to manually install the rpm so it replaces the old one.

Apparently this will have to be fixed for Fedora 37 anyway, but any chance it could be fixed earlier? Maybe at least in time for Fedora 36?

jebotz commented 2 years ago

Still a problem; Kubernetes gpg package key and/or repo key don't parse: https://packages.cloud.google.com/yum/doc/yum-key.gpg (this under latest Fedora CoreOS 36).

AdamWill commented 2 years ago

If folks want RPM's GPG key parsing to be more tolerant of whitespace issues, then someone needs to file an issue against RPM. It can't be fixed in libdnf.
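
A check a repository maintainer could run on a key file before shipping it, given that the thread attributes the failure to whitespace in the armored key. This is an added example, not code from the thread, libdnf or rpm: it applies the RFC 4880 ASCII-armor layout strictly, and since the page does not say which whitespace rpm rejected, the rule set and the names `lint_armor`, `armor` and `SAMPLE` are assumptions.

```python
import base64

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(payload: bytes) -> str:
    """Build a well-formed armor block (used only to construct sample input)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n{body}\n={crc}\n{END}\n"

def lint_armor(text: str) -> list[str]:
    """Return strict-armor findings; an empty list means the file is clean."""
    findings = ["carriage return (CRLF line endings)"] if "\r" in text else []
    raw = text.replace("\r", "").split("\n")
    findings += [f"line {n}: leading or trailing whitespace"
                 for n, l in enumerate(raw, 1) if l != l.strip()]
    lines = [l.strip() for l in raw]  # keep checking structure past the noise
    if lines[0] != BEGIN:
        findings.append("file does not start with the BEGIN marker")
    if BEGIN not in lines or END not in lines:
        return findings + ["BEGIN or END marker missing"]
    block = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if any(lines[lines.index(END) + 1:]):
        findings.append("data after the END marker")
    if "" not in block:  # headers (possibly none) must end with an empty line
        return findings + ["no blank line between armor headers and data"]
    data = block[block.index("") + 1:]
    if "" in data:
        findings.append("blank line inside the base64 data")
    try:  # a line starting with "=" carries the CRC-24, the rest is key data
        payload = base64.b64decode("".join(l for l in data if l[:1] != "="), validate=True)
        crcs = [base64.b64decode(l[1:], validate=True) for l in data if l[:1] == "="]
    except ValueError:
        return findings + ["data is not valid base64"]
    if crcs and crcs[0] != crc24(payload).to_bytes(3, "big"):
        findings.append("CRC24 checksum mismatch")
    return findings

SAMPLE = armor(bytes(range(100)))  # constructed input: arbitrary bytes, not a real key
```

A clean result here only means the armor is strictly formed; whether a given rpm version accepts the key still has to be confirmed with `rpm --import` as shown earlier in the thread.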