Bugzilla – Bug 8531
gpg check fails with yum on CentOS 4
Last modified: 2009-10-29 09:15:02 UTC
As reported on the forums, trying to install the 7.0.1 RPM with yum using the key in the -repo RPM yields:

=============================================================================
 Package                 Arch       Version          Repository             Size
=============================================================================
Installing:
 squeezecenter           noarch     7.0.1-1          squeezecenter-release  18 M

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 18 M
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: V3 RSA/MD5 signature: NOKEY, key ID c3cdadd1

Public key for squeezecenter-7.0.1-1.noarch.rpm is not installed
Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-SqueezeCenter
Importing GPG key 0xC3CDADD1 "Logitech <gpg@slimdevices.com>"
Is this ok [y/N]: y
Key imported successfully
Import of key(s) didn't help, wrong key(s)?

Public key for squeezecenter-7.0.1-1.noarch.rpm is not installed

AFAICT, this only happens on CentOS 4, but not on any of the newer CentOS or Fedora releases. I have no idea what would cause this. Maybe the key is somehow incompatible with the older versions of gnupg or yum included in CentOS 4?
Matt to continue looking at this for 7.2
QA, please verify this with a newer package of SC and lemme know if we need to change something for CentOS 4...
Moving to 7.3 ....
I see this on SUSE 10.3 with 7.2. I get:

Trying to import the key f444850cc3cdadd1 from subkeys.pgp.net...
error: gpg failed to import keyid f444850cc3cdadd1, please make sure that gpg is installed, that the keyserver subkeys.pgp.net is working and that the package /var/lib/smart/packages/squeezecenter-7.2-1.noarch.rpm has a valid signature.
error: squeezecenter-7.2-1.noarch.rpm: public key not available

Where is your public key?
The public key is located here: http://repos.slimdevices.com/yum/squeezecenter/RPM-GPG-KEY-SqueezeCenter

It is normally installed when you install the Yum Repo Package available here: http://repos.slimdevices.com/yum/squeezecenter/squeezecenter-repo-1-4.noarch.rpm
I don't have time to test this now, but can someone share what the problem was and how it was fixed?
Please put your key on several PGP key servers, like pgp.mit.edu. That will solve it for the package managers. Do the subkeys site too.
I just tested this with the yum release repo (7.2-1) on a clean CentOS 4.7 system. It fails as described in my original report and I still don't know why. What was fixed?
Our new key has been added to both sites... can you verify that it works now? Ross, Can you install an OS and try this with our latest package?
I get the warning with SC 7.2.1 on CentOS 5.1 but no subsequent failure.

warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 signature: NOKEY, key ID c3cdadd1
Importing GPG key 0xC3CDADD1 "Logitech <gpg@slimdevices.com>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-SqueezeCenter
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded

Need anything else from me Matt?
That looks like the expected behavior to me... I think we can close this. If any further issues, please feel free to reopen.
Matt - doesn't work for me. Installing on CentOS 4.7:
- installed the repo package
- run "yum install squeezecenter"
- I get the following messages:

Key imported successfully
Import of key(s) didn't help, wrong key(s)
Public key for squeezecenter-7.2.1-1.noarch.rpm is not installed
Michael, If you installed the Repo package, that definitely shouldn't happen. Exactly what package did you install? Can you post the link?
Ross: Can you work with Michael (while he's in the office) to repro this issue. Then show Matt your results.
Created attachment 4375 [details]
screenshot - shows today's nightly 7.3

http://downloads.slimdevices.com/nightly/latest/7.3/squeezecenter-7.3-0.1.24179.noarch.rpm

Download, double click.
Matt, if you'd like I'll keep this virtual image ready to show you. Just let me know when you'd like to check it out.
Ping Matt...
Matt please fix this today...
Not entirely sure this is an issue ... but installing a CentOS 4.7 image now to try it out. I believe what's happening is that CentOS 4.7 probably does not check with public GPG key sites to verify the validity of our key. If the user has not installed our Yum Repo Package (which forcefully installs this key locally on the user's system), they'll get this warning. Will have a CentOS image up shortly to verify though...
I installed a brand new, fresh copy of CentOS 4.7. I immediately went to downloads.slimdevices.com and downloaded the latest 7.3 nightly. The GUI installer for RPM packages came up, installed SC (as well as the MySQL dependencies), and SC started up just fine. No problems whatsoever. I'm downloading CentOS 5.2 now to try the same process.
Matt, I wouldn't waste your time testing with CentOS 5. Whatever the problem is or was, was specific to CentOS 4. There have never been any reports of this problem on CentOS 5 or any recent Fedora. Unfortunately, I don't have a running CentOS 4 right now to help test.
Fletch, my screen shot in comment #15 is CentOS 5.1
Ah, sorry - missed that.
Ross, Can you boot up that CentOS 5 image again and send me the info for it? I tried to get one built last night and had some issues...
OK ... I'm stuck. Fletch, I think I could use your help here. I think that CentOS 4's YUM is not actually checking GPG keys -- or at least, is not warning you when you DON'T have the key installed, only if it doesn't match. I believe that CentOS 5 yum is warning you about these issues to be more 'correct' -- but is not checking against public key servers. I'm not sure I see a fix here.. unless I'm missing something?
Matt, I wish I could help more, but I'm stumped by this one too. I haven't tested this in a while, but let me re-summarize what I think I've observed and maybe it will spark some ideas. This originally was reported on the forums. I reproduced it by installing a fresh CentOS 4, installing the SC repo RPM and then trying to yum install the SC RPM. AFAIK, yum never accesses public key servers so I don't think that's relevant. This seems to be about how yum/rpm/gnupg access the local key installed by the repo RPM. I have always used the command line yum rather than the GUI version, but I doubt that makes a difference. Also, I have never been able to reproduce this on either CentOS 5 or any recent Fedora. As I mentioned in the original bug report, my only guess was that it had something to do with the fact that CentOS 4 has older versions of yum/rpm/gnupg that might not be compatible with something in your key. When I first observed this, I did quite a bit of googling and couldn't find anything helpful. Sorry I'm not more help at this time, but I'll keep thinking about it...
If this is working in the latest CentOS, I'm going to say that it's good enough for 7.3.
Dean, Unfortunately the issue IS reproducible with a fresh install of CentOS 5.2. Ross has done it, as well as I. I do not think there's a fix though -- CentOS does not check public key servers for the keys, so there's no way to pre-load a key on a user's system. I think we just have to live with this warning.
So, does every external package do this with 5.2? Or is our package special in some way?
I'll try to reproduce this again on CentOS 5 when I have some time. Matt, I still don't understand your point about public key servers. Yum does not use public key servers - it simply looks at the key referred to by the "gpgkey=" line in the repo file.
Sorry, Debian boxes (apt-get) will actually check remote key servers (afaik) for public keys... so you can effectively bypass the warning by putting your key up on known servers. With Yum, I believe you're correct. Dean, Yes, external packages run into this problem ... as long as the packages do not come from a known repository, you see this warning quite often. It's a pretty standard behavior in the RedHat world, and I do not think we have any way to fix it other than recommending to our users that they download our Repo package (which includes the key).
OK, I just reread this bug and I think we've been discussing 2 different things. The issue reported by Ross is what is expected to happen if the user fails to install the repo RPM first. IMO, this is not a bug and it is perfectly normal for any 3rd party yum repo to require the user to install a repo RPM to get the necessary key. The original bug reported by me, and observed by Michael, occurs when the repo RPM actually IS installed. This is the real bug and I still think it is CentOS 4 only.
*Sigh*... so this problem definitely still occurs with CentOS 4.7 -- but I have no idea how to fix it. I'm fairly sure that the issue has to do with an incompatibility of GPG 1.2.6 (centos4) and GPG 1.4.5 (centos5). I don't think it's fixable. At this point, I suggest we close this as WONTFIX. I think the only 'fix' is to remove the GPG key, or start building our packages on an older version of CentOS. If we do that, it may just cause more problems with newer distributions.
Nightly builds have been updated and are now using GPG from Fedora Core 9... let's see if this fixes the issue with tomorrow's nightlies.
(In reply to comment #34)
> Nightly builds have been updated and are now using GPG from Fedora Core 9...
> lets see if this fixes the issue with tomorrows nightlies.

Matt, I've been out of town for over a week, but I'm now seeing the problem described in http://forums.slimdevices.com/showthread.php?p=402417 in my cron logs and I am also unable to install any newer SC RPM. It seems to have started on 2/26 so I'm guessing it's due to this change but I'll take a closer look later today when I have time. Since I was out of town then, I'm certain that I didn't change anything on my system. I'm using CentOS 5.
I'm seeing this too with Fedora 10. Nothing coming from the squeezecenter-testing repo will install, nor will a manually downloaded 7.3.3 nightly rpm install. I've had to switch over to running from svn code to keep up.
(In reply to comment #36)
> I'm seeing this too with Fedora 10.

Same here, using vortexbox 0.5 (based on FC 10). Can only manually keep up, like with:

rpm -Uvh --nosignature http://repos.slimdevices.com/yum/squeezecenter/unstable/squeezecenter-7.4-0.1.25724.noarch.rpm
Any reason to wait on this?
Since there's now a planned 7.3.3 release, bugs which won't make the cut-off are being moved to the next target out. If you feel that this bug needs to be addressed more (or less) urgently than the 7.4 release, please cc chris@slimdevices.com and leave a comment in the bug to that effect so we can review it. Thanks.
Well, one obvious objection to leaving this bug for a 7.4 release is that folks who have installed 7.x via yum won't be able to use yum to update to the 7.3.3 release. The entire "install via yum" infrastructure is basically broken at this point, isn't it?
Why is it so hard to fix this? It is needed for 7.3.3.
For some reason Bugzilla did not change the target when I did this yesterday. Or maybe it was me. In either case, I'm trying it again.
Near as I can tell our GPG key is corrupted ... the most basic checks (--check-sig) act like it's fine, but when you get into more detailed verifications it fails. I've tried to "resign" the key but there doesn't appear to be that functionality. I'm generating a new keypair now to see how that works ... but implementing it will make everyone definitely get a warning message the next time they do a yum update. I guess that's already happening, so perhaps that's not too bad. I'll upload a hand-signed pair of RPMs though in a bit and ask that some manual testing on these is done before we implement it.
I've uploaded three files and would like to get some eyes on them... they are located here:

http://downloads.slimdevices.com/test-gpg/

The SqueezeCenter RPM has been re-signed with a new GPG key. You should be able to manually install that RPM as the root user on your system without having installed the GPG key; it should look like this:

[root@x86-fc9-build rpms]# rpm -ivh squeezecenter-7.3.3-0.1.25723.noarch.rpm
warning: squeezecenter-7.3.3-0.1.25723.noarch.rpm: Header V4 DSA signature: NOKEY, key ID 4123722a
Preparing...                ########################################### [100%]
   1:squeezecenter          ########################################### [100%]

Additionally, if you --checksig it, there should be a warning that you have not imported the key:

[parabuild@x86-fc9-build rpms]$ rpm --checksig squeezecenter-7.3.3-0.1.25723.noarch.rpm
squeezecenter-7.3.3-0.1.25723.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#4123722a)

If you have installed the key (either manually by running 'rpm --import <key>' or by installing the -repo package), then it should look like this:

[root@x86-fc9-build rpms]# rpm -ivh squeezecenter-repo-1-5.noarch.rpm
Preparing...                ########################################### [100%]
   1:squeezecenter-repo     ########################################### [100%]
[parabuild@x86-fc9-build rpms]$ rpm --checksig squeezecenter-7.3.3-0.1.25723.noarch.rpm
squeezecenter-7.3.3-0.1.25723.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
[root@x86-fc9-build rpms]# rpm -ivh squeezecenter-7.3.3-0.1.25723.noarch.rpm
Preparing...                ########################################### [100%]
   1:squeezecenter          ########################################### [100%]
Point your web browser to http://x86-fc9-build:9000/ to configure SqueezeCenter.
[root@x86-fc9-build rpms]#

I obviously have not updated the Yum repo. I have also not signed the squeezecenter-repo-1-5 rpm file... Please try these files out and let me know how they work...
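The rpm output quoted in the comment above shows three states that are easy to confuse on a console: a NOKEY / MISSING KEYS result (the signing key is simply not imported yet, which installing the -repo package or running rpm --import fixes), a plain NOT OK (the signature does not verify, so the package should not be installed), and gpg OK. The script below is an added example, not part of this bug report or of the SqueezeCenter project, that classifies such lines and extracts the key id they mention, and also reads the gpgcheck= / gpgkey= lines of a .repo file, since, as noted earlier in the thread, yum takes its key from that gpgkey= line rather than from a keyserver. The sample lines and the sample .repo file are constructed from the output and URLs quoted in the thread; the function names and the "release" section name are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify rpm signature-check
# output and inspect a yum .repo definition's key policy.
#   missing-key : signing key not imported (install -repo package / rpm --import)
#   bad         : signature present but does not verify (do not install)
#   ok          : signature verifies against an imported key

# classify_checksig LINE -> prints ok | missing-key | bad | unknown
classify_checksig() {
    case "$1" in
        # "NOT OK (MISSING KEYS: ...)" and NOKEY warnings are recoverable,
        # so they must be tested before the generic NOT OK case.
        *"MISSING KEYS"*|*NOKEY*) echo "missing-key" ;;
        *"NOT OK"*)               echo "bad" ;;
        *"gpg OK"*|*"GPG OK"*)    echo "ok" ;;
        *)                        echo "unknown" ;;
    esac
}

# key_id_from LINE -> prints the hex key id named in an rpm warning
# ("key ID c3cdadd1") or checksig result ("GPG#4123722a"), lowercased;
# prints nothing when the line names no key.
key_id_from() {
    printf '%s\n' "$1" \
      | sed -n 's/.*key ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p; s/.*GPG#\([0-9A-Fa-f]\{8,16\}\).*/\1/p' \
      | tr '[:upper:]' '[:lower:]'
}

# repo_key_policy FILE -> "enforced <gpgkey>" when gpgcheck=1 and a gpgkey=
# line names the key yum will use; otherwise "unverified".
repo_key_policy() {
    check=$(sed -n 's/^gpgcheck[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    key=$(sed -n 's/^gpgkey[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    if [ "$check" = "1" ] && [ -n "$key" ]; then
        echo "enforced $key"
    else
        echo "unverified"
    fi
}

# sample_repo_file -> writes a constructed .repo file (URLs and key path taken
# from the thread, section name is the example's own) and prints its path.
sample_repo_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[squeezecenter-release]
name=SqueezeCenter release (constructed sample)
baseurl=http://repos.slimdevices.com/yum/squeezecenter/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-SqueezeCenter
EOF
    echo "$f"
}

main() {
    # Constructed sample lines; the first three mirror the thread's output,
    # the fourth is a hypothetical failing signature with the key present.
    for line in \
      'warning: squeezecenter-7.3.3-0.1.25723.noarch.rpm: Header V4 DSA signature: NOKEY, key ID 4123722a' \
      'squeezecenter-7.3.3-0.1.25723.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#4123722a)' \
      'squeezecenter-7.3.3-0.1.25723.noarch.rpm: (sha1) dsa sha1 md5 gpg OK' \
      'squeezecenter-7.3.3-0.1.25723.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK'
    do
        printf '%-12s key=%-8s %s\n' "$(classify_checksig "$line")" "$(key_id_from "$line")" "$line"
    done
    repo=$(sample_repo_file)
    repo_key_policy "$repo"
    rm -f "$repo"
}

main
```

In practice the classifier would be fed the real output of `rpm --checksig` on a downloaded package; the point of separating "missing-key" from "bad" is that the first is resolved by importing the published key, while the second should stop the install.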
I executed the following commands on my Fedora 10 system...

cd /setup
wget http://downloads.slimdevices.com/test-gpg/squeezecenter-repo-1-5.noarch.rpm
rpm -e squeezecenter-repo
rpm -ihv squeezecenter-repo-1-5.noarch.rpm
yum update --disablerepo=* --enablerepo=squeezecenter-testing -y

This resulted in a successful yum update to:

squeezecenter noarch 7.3.3-0.1.25911

..with no complaints from yum. So Matt's new key pair fixed things for me. Is the next step to copy squeezecenter-repo-1-5.noarch.rpm from /test-gpg to repos.slimdevices.com/yum/squeezecenter/?
I've gone ahead and updated the repositories with new squeezecenter-repo packages, resigned our 'release' repository packages and made sure that new packages being signed are getting the new signature. Closing for now. I'm somehow sure this will get reopened.
This bug has been fixed in the 7.3.3 release version of SqueezeCenter! If you haven't already, please download the new version from http://www.logitechsqueezebox.com/support/download-squeezecenter.html If you are still experiencing this problem, feel free to reopen the bug with your new comments and we'll have another look.
No, it has not been fixed. That is the release I tried to get. It is signed, but the key is not on the keyserver. Unless I can get the key, smart refuses to install the package. Reopen this! I see no way to do that myself.
What is 'smart'? Can you post a screenshot? Additionally, have you updated your squeezecenter-repo package as well?
(In reply to comment #48)
> No, it has not been fixed. That is the release I tried to get.
> It is signed, but the key is not on the keyserver. Unless I can get the key,
> smart refuses to install the package.
> Reopeen this!
> I see no way to do that myself.

James, Why does the key need to be on a public keyserver? The intention is to set up the SC yum repo like most other 3rd party yum repos: The key is included in the squeezecenter-repo RPM package. You install that first, and the key will be available locally.
http://labix.org/smart
http://susewiki.org/index.php?title=Smart

I had to manually download and install the RPM using rpm. Not sure what the squeezecenter-repo package is. But yum, smart, etc, all need to be able to import the pgp keys before they will install a package. You MUST publish the keys. The reason is that putting them in the rpm apparently does not give me a chance to accept them. What is wrong with publishing the keys? This is on SUSE 10.3 for me.
The keys are published here: http://repos.slimdevices.com/yum/squeezecenter/RPM-GPG-KEY-SqueezeCenter

Additionally, per our wiki (http://wiki.slimdevices.com/index.php/SqueezeCenter_RPM), you need to install the SqueezeCenter-repo package and that will include the latest key as well as the appropriate Yum repo files.
Your new Web site makes it really hard to find software. I sure could not find this Web page. http://wiki.slimdevices.com/index.php/SqueezeCenter_RPM Logitech seems to be more interested in the hardware than the software. I just installed squeezecenter-repo. But will have to wait for a new server update to see if this helped. But, the fact still remains that you should publish the key. With a proper key server. Why not?
What exactly do you mean by 'publish it'? It's available on our download server, and it's also been added to several public key servers.
It is not on pgp.mit.edu.
It's not on every single GPG site out there... but it's on a few. We aren't going to keep track of all those sites and make sure our key is everywhere; it's simply not necessary. Please keep this ticket closed as the root of the issue is indeed solved. If users follow the guidelines in the Wiki, then they will not see error messages.
This is STILL a problem. Why can't you publish your keys to the major key servers. pgp.mit.edu in particular. Every time there is an update, this kills updating all the other programs on my SUSE machine, using the smart package manager. As soon as it finds an rpm with a key it does not know, it stops the install of all the other security patches. THIS IS A BIG PROBLEM FOR ME!