Dnf system-upgrade can fail on Raspberry Pi

Problem

Upgrading from Fedora 38 or any later version on Raspberry Pi 4 machines (and possibly Pi 3) using the DNF System Upgrade method can fail. When the machine restarts, the original system is still running.

Cause

Raspberry Pi 4 and earlier models do not have a real time clock as part of the hardware. As a result the machine has a circa 1970 date until date and time are set during the boot process. With a normal Fedora (re)boot, chrony is started and will synchronize and update the time and date on machine. However, in the DNF system-upgrade environment, chrony is not started, and the GPG signature security checks fails.

This can be verified by logging on to the Raspberry device and inspecting the latest system upgrade output:

sudo dnf system-upgrade log --number=-1

If you see output like:

Signature 10d5 created at Wed Sep 27 16:33:34 2023 invalid: signature is not alive

for each RPM in the upgrade set, then it’s this bug.

Related Issues

Bugzilla report: #2242759

Workarounds

Option A) Set early boot time with clock-epoch

The simplest workaround should be just to run:

sudo touch /usr/lib/clock-epoch

That will set the clock to your current time (when you performed the command) during early boot. Now perform the DNF system upgrade again, it should work.

Option B) Use systemd-timesyncd

If workaround A) didn’t work for you, another solution is to use systemd-timesyncd to set machine time in early boot instead of chrony.

Disable and stop chrony (if present):

sudo systemctl disable --now chronyd

Enable and start systemd-timesyncd (by default the fedora ntp pool is used as a time source):

sudo systemctl enable --now systemd-timesyncd

After a few moments check status with:

timedatectl timesync-status

That should print current time synchronization info, it shouldn’t report an error.

Now perform the upgrade again. The systemd-timesyncd service will be started in the upgrade environment and will provide a near real time date and time so that the GPG signature check will succeed.

Note: systemd-timesyncd is a suitable network time protocol (NTP) client, but not as a full featured replacement for all of the capabilities of chrony. If the Raspberry Pi machine is used as an NTP server then chrony will need to be re-enabled after the successful upgrade to the next Fedora version.


You can discuss this issue here.

9 Likes