search

rpm-software-management / mock

Mock is a tool for a reproducible build of RPM packages.
GNU General Public License v2.0
381 stars 226 forks source link

centos-stream+epel-next-9-x86_64 doesn't work with bootstrap #1051

Open praiskup opened 1 year ago

praiskup commented 1 year ago

Without bootstrap it just works (with DNF from F37). Otherwise, bootstrap is installed just fine (importing C9S chroot keys), then installing chroot from the bootstrap chroot fails because only EPEL 9 keys are imported:

...
Copr repository                                 1.9 kB/s | 257  B     00:00    
CentOS Stream 9 - BaseOS                         24 MB/s | 6.1 MB     00:00    
CentOS Stream 9 - AppStream                      27 MB/s |  16 MB     00:00    
CentOS Stream 9 - CRB                           1.1 MB/s | 5.3 MB     00:05    
CentOS Stream 9 - Extras packages               9.9 kB/s |  11 kB     00:01    
Extra Packages for Enterprise Linux 9 - x86_64   31 MB/s |  15 MB     00:00    
Extra Packages for Enterprise Linux 9 - Next -  629 kB/s | 1.5 MB     00:02    
Dependencies resolved.
================================================================================
 Package                      Arch   Version                    Repo       Size
================================================================================
Installing:
 bash                         x86_64 5.1.8-6.el9                baseos    1.7 M
 bzip2                        x86_64 1.0.8-8.el9                baseos     56 k
 centos-stream-release        noarch 9.0-20.el9                 baseos     26 k
 coreutils                    x86_64 8.32-34.el9                baseos    1.2 M
 cpio                         x86_64 2.13-16.el9                baseos    275 k
 diffutils                    x86_64 3.7-12.el9                 baseos    397 k
 epel-rpm-macros              noarch 9-11.el9.next              epel-next  16 k
... snip ... see both baseos and epel-next is used ...
Total                                            20 MB/s |  89 MB     00:04     
CentOS Stream 9 - BaseOS                        1.6 MB/s | 1.6 kB     00:00    
CentOS Stream 9 - AppStream                     1.6 MB/s | 1.6 kB     00:00    
Extra Packages for Enterprise Linux 9 - x86_64  1.6 MB/s | 1.6 kB     00:00    
Importing GPG key 0x3228467C:
 Userid     : "Fedora (epel9) <epel@fedoraproject.org>"
 Fingerprint: FF8A D134 4597 106E CE81 3B91 8A38 72BF 3228 467C
 From       : /usr/share/distribution-gpg-keys/epel/RPM-GPG-KEY-EPEL-9
Key imported successfully
The GPG keys listed for the "CentOS Stream 9 - BaseOS" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: alternatives-1.20-2.el9.x86_64

See that only 0x3228467C is being imported.

praiskup commented 1 year ago

Forwarded to C9S: https://bugzilla.redhat.com/show_bug.cgi?id=2184951

xsuchy commented 1 year ago

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial is the workaround

From internal mail by Fabian A.

I found that there was a gnupg2 rebase, which now deprecates fully sha-1 algo : https://gitlab.com/redhat/centos-stream/rpms/gnupg2/-/commit/82c38c29114f0bdb64b7d9f8c0d89afffc7b560d

Problem is that the centos stream key itself is still signed (from RH HSM) with sha-1 :

This should be fixed now (since 10:31 CET).

praiskup commented 1 year ago

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial is the workaround

This can't easily be done (by user) in the bootstrap chroot, though. Work-around for mock is to use --no-bootstrap-chroot.

Vlad1mir-D commented 1 year ago

@xsuchy Still not working. Tested with latest versions versions available:

mock-centos-sig-configs-0.5.2-1.el9.noarch
mock-filesystem-4.0-1.el9.noarch
mock-core-configs-38.5-1.el9.noarch
mock-4.0-1.el9.noarch

Output of

Current workaround is to add the following lines into ~/.config/mock.cfg:

config_opts['use_bootstrap_image'] = True
config_opts['bootstrap_image'] = 'centos:stream9'
praiskup commented 1 year ago

Hm, doesn't happen to me now:

Importing GPG key 0x8483C65D:
 Userid     : "CentOS (CentOS Official Signing Key) <security@centos.org>"
 Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
 From       : /usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official
Key imported successfully
Extra Packages for Enterprise Linux 9 - x86_64                                                                                                                                     1.6 MB/s | 1.6 kB     00:00    
Importing GPG key 0x3228467C:
 Userid     : "Fedora (epel9) <epel@fedoraproject.org>"
 Fingerprint: FF8A D134 4597 106E CE81 3B91 8A38 72BF 3228 467C
 From       : /usr/share/distribution-gpg-keys/epel/RPM-GPG-KEY-EPEL-9
Key imported successfully

Both CentOS and EPEL keys are imported correctly.

praiskup commented 1 year ago

Even in Fedora Copr: https://copr.fedorainfracloud.org/coprs/praiskup/test-centos-stream-9/build/5983305/ Do I miss some important step-to-reproduce?

Vlad1mir-D commented 1 year ago

I'll try to spin-up a fresh VM with CentOS 9 and then try again.