Problem
Upgrading from Fedora 38 or any later version on Raspberry Pi 4 machines (and possibly Pi 3) using the DNF System Upgrade method can fail. When the machine restarts, the original system is still running.
Cause
Raspberry Pi 4 and earlier models do not have a real time clock as part of the hardware. As a result the machine has a circa 1970 date until date and time are set during the boot process. With a normal Fedora (re)boot, chrony
is started and will synchronize and update the time and date on machine. However, in the DNF system-upgrade environment, chrony
is not started, and the GPG signature security checks fails.
This can be verified by logging on to the Raspberry device and inspecting the latest system upgrade output:
sudo dnf system-upgrade log --number=-1
If you see output like:
Signature 10d5 created at Wed Sep 27 16:33:34 2023 invalid: signature is not alive
for each RPM in the upgrade set, then it’s this bug.
Related Issues
Bugzilla report: #2242759
Workarounds
Option A) Set early boot time with clock-epoch
The simplest workaround should be just to run:
sudo touch /usr/lib/clock-epoch
That will set the clock to your current time (when you performed the command) during early boot. Now perform the DNF system upgrade again, it should work.
Option B) Use systemd-timesyncd
If workaround A) didn’t work for you, another solution is to use systemd-timesyncd
to set machine time in early boot instead of chrony
.
Disable and stop chrony (if present):
sudo systemctl disable --now chronyd
Enable and start systemd-timesyncd (by default the fedora ntp pool is used as a time source):
sudo systemctl enable --now systemd-timesyncd
After a few moments check status with:
timedatectl timesync-status
That should print current time synchronization info, it shouldn’t report an error.
Now perform the upgrade again. The systemd-timesyncd
service will be started in the upgrade environment and will provide a near real time date and time so that the GPG signature check will succeed.
Note: systemd-timesyncd
is a suitable network time protocol (NTP) client, but not as a full featured replacement for all of the capabilities of chrony
. If the Raspberry Pi machine is used as an NTP server then chrony
will need to be re-enabled after the successful upgrade to the next Fedora version.
You can discuss this issue here.