Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

gnome-software failing to prepare updates due to google-chrome signing error #2080

Open
allanday opened this issue Mar 28, 2024 · 2 comments

Comments

@allanday
Copy link

I'm using Fedora 39 with:

  • dnf-4.18.1-1.fc39.src.rpm
  • gnome-software-45.1-1.fc39.src.rpm

In GNOME Software I have a list of outstanding software updates. If I press the Download button, it tries to prepare the update but then shows an error:

package google-chrome-stable-123.0.6312.86-1.x86_64 cannot be verified and repo google-chrome is GPG enabled: /var/cache/PackageKit/39/metadata/google-chrome-39-x86_64/packages/google-chrome-stable-123.0.6312.86-1.x86_64.rpm could not be verified.
/var/cache/PackageKit/39/metadata/google-chrome-39-x86_64/packages/google-chrome-stable-123.0.6312.86-1.x86_64.rpm:  digest:  SIGNATURE:  NOT OK

I was given advice that libdnf is the right place to report this issue. There's some downstream discussion here: https://pagure.io/fedora-workstation/issue/409

@jan-kolarik
Copy link
Member

Hi, thanks for the report. I see it also on Bugzilla, so let's keep just one instance of this issue and close this one. We'll try to triage the problem during the following week.

@ppisar ppisar transferred this issue from rpm-software-management/libdnf Apr 15, 2024
@ppisar
Copy link
Contributor

ppisar commented Apr 15, 2024

This is a bug in _get_key_for_package() of dnf/base.py:

If a repository keyring contains multiple primary keys and a key cannot be imported (e.g. librpm rejects), an exception is raised on the first failed key. This is suboptimal because importing other key from the keyring could be sufficient to verify RPM packages as in this case of google-chrome keyring https://dl.google.com/linux/linux_signing_key.pub.

I proposed raising an exception only if none of keys was not successfully imported. That logic makes DNF more resilient against keyrings with old, weak, expired, or unused keys.

# for free to join this conversation on GitHub. Already have an account? # to comment
Projects
Status: Backlog
Development

No branches or pull requests

3 participants