Cannot install Thinkpad only TLP packages (reproducible in VM)


#1

Hey Everyone,

First time posting here so let me know if there are any rules I’m not following and I’ll be sure to correct myself.

Issue description:

Cannot install RPMs from TLP repository when using Fedora Silverblue 29

I have reviewed this topic but it did not help: Cannot install Launchpad COPR repo

I am following the installation instructions here (https://linrunner.de/en/tlp/docs/tlp-linux-advanced-power-management.html#installation) under the “Fedora” section.

I am using a Thinkpad so I am attempting to install the packages under the section “Thinkpads only”. When using standard Fedora 29 Workstation or even a Fedora 29 Container there is no issue with adding the repositories mentioned and installing the packages “akmod-tp_smapi” and “akmod-acpi_call”. When I attempt to install these packages on Fedora 29 Silverblue, on a real or virtual machine, I get the following error:

[user@localhost ~]$ rpm-ostree status
State: busy
AutomaticUpdates: disabled
Transaction: upgrade (download only)
Deployments:
● ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.1.2 (2018-10-24 23:20:30)
                BaseCommit: f17b670fa8cf69144be5ae0c968dc2ee7eb6999a5f7a54f1ee71eec7783e434a
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
             LocalPackages: rpmfusion-free-release-29-1.noarch tlp-release-1.29.0-1.fc29.noarch

  ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.1.2 (2018-10-24 23:20:30)
                    Commit: f17b670fa8cf69144be5ae0c968dc2ee7eb6999a5f7a54f1ee71eec7783e434a
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
[user@localhost ~]$ rpm-ostree install tlp tlp-rdw akmod-tp_smapi akmod-acpi_call kernel-devel
Checking out tree f17b670... done
Enabled rpm-md repositories: updates tlp rpmfusion-free tlp-updates rpmfusion-free-updates fedora
rpm-md repo 'updates' (cached); generated: 2018-12-12 02:39:44
rpm-md repo 'tlp' (cached); generated: 2018-11-01 00:31:00
rpm-md repo 'rpmfusion-free' (cached); generated: 2018-10-23 11:05:19
rpm-md repo 'tlp-updates' (cached); generated: 2018-11-01 00:31:05
rpm-md repo 'rpmfusion-free-updates' (cached); generated: 2018-12-12 08:26:17
rpm-md repo 'fedora' (cached); generated: 2018-10-24 22:20:15
Importing metadata [=============] 100%
Resolving dependencies... done
Will download: 2 packages (14.6 MB)
  Downloading from updates: [=============] 100%
error: package akmod-acpi_call-1.1.1-4.fc29.x86_64 cannot be verified and repo tlp is GPG enabled: failed to lookup digest in keyring for /var/cache/rpm-ostree/repomd/tlp-29-x86_64/packages/akmod-acpi_call-1.1.1-4.fc29.x86_64.rpm
[user@localhost ~]$

Since the error line is stating that the failure is due to GPG I have ensured that the GPG key for this repository is in /etc/pki/rpm-gpg:

[user@localhost ~]$ ls -al /etc/pki/rpm-gpg/ | grep tlp
lrwxrwxrwx. 1 root root    33 Dec 11 09:16 RPM-GPG-KEY-tlp -> RPM-GPG-KEY-tlp-fedora-29-primary
lrwxrwxrwx. 1 root root    33 Dec 11 09:16 RPM-GPG-KEY-tlp-28 -> RPM-GPG-KEY-tlp-fedora-28-primary
lrwxrwxrwx. 1 root root    33 Dec 11 09:16 RPM-GPG-KEY-tlp-29 -> RPM-GPG-KEY-tlp-fedora-29-primary
lrwxrwxrwx. 1 root root    33 Dec 11 09:16 RPM-GPG-KEY-tlp-30 -> RPM-GPG-KEY-tlp-fedora-30-primary
-rw-r--r--. 1 root root  3090 Dec 11 09:16 RPM-GPG-KEY-tlp-fedora-28-primary
-rw-r--r--. 1 root root  3825 Dec 11 09:16 RPM-GPG-KEY-tlp-fedora-29-primary
-rw-r--r--. 1 root root  3825 Dec 11 09:16 RPM-GPG-KEY-tlp-fedora-30-primary
[user@localhost ~]$ 

The repo file looks like this:

[user@localhost ~]$ cat /etc/yum.repos.d/tlp.repo 
[tlp]
name=tlp RPM packages
#baseurl=https://repo.linrunner.de/fedora/tlp/repos/releases/29/x86_64/os/
mirrorlist=https://repo.linrunner.de/fedora/tlp/mirrors/29/x86_64/tlp.txt
enabled=1
metadata_expire=7d
skip_if_unavailable=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-tlp-29

[tlp-debuginfo]
name=tlp RPM packages - Sources
#baseurl=https://repo.linrunner.de/fedora/tlp/repos/releases/29/x86_64/debug/
mirrorlist=https://repo.linrunner.de/fedora/tlp/mirrors/29/x86_64/tlp-debuginfo.txt
enabled=0
metadata_expire=7d
skip_if_unavailable=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-tlp-29

[tlp-source]
name=tlp RPM packages - Sources
#baseurl=https://repo.linrunner.de/fedora/tlp/repos/releases/29/x86_64/sources/SRPMS/
mirrorlist=https://repo.linrunner.de/fedora/tlp/mirrors/29/x86_64/tlp-source.txt
enabled=0
metadata_expire=7d
skip_if_unavailable=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-tlp-29

[user@localhost ~]$

I can use the rpm command to check the signature and it returns with the following. This is the same output I receive on a standard Fedora 29 Workstation installation.

[user@localhost ~]$ rpm -v -K /var/cache/rpm-ostree/repomd/tlp-29-x86_64/packages/akmod-acpi_call-1.1.1-4.fc29.x86_64.rpm
/var/cache/rpm-ostree/repomd/tlp-29-x86_64/packages/akmod-acpi_call-1.1.1-4.fc29.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID cf4988c9: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID cf4988c9: NOKEY
    MD5 digest: OK
[user@localhost ~]$

I do not fully understand the way that RPM handles GPG keys but it seems that the key being in /etc/pki/rpm-gpg and the repo file being configured to use it is not enough. The error fails when checking the digest, I don’t know what this is or how it is built. This seems to be the source of the issue. Maybe RPM is not pulling in these GPG keys properly.

error: package akmod-acpi_call-1.1.1-4.fc29.x86_64 cannot be verified and repo tlp is GPG enabled: failed to lookup digest in keyring for /var/cache/rpm-ostree/repomd/tlp-29-x86_64/packages/akmod-acpi_call-1.1.1-4.fc29.x86_64.rpm

NOTE: I also have tested installing from RPM fusion to make sure it is not an issue with all third party repos. Installing something like chromium-libs-media-freeworld completes without error. The issue is only with packages from this repository on Fedora Silverblue


#2

Yeah this reproduces easily. This looks like it could be a bug in rpm-ostree.

Could you open an issue with these details upstream?


#3

Thanks for taking a look, I’ll get something posted up there


#4

For anyone interested in following this I have opened an issue against rpm-ostree here: