Dnf system-upgrade seems to fail without real time clock

I’ve just tried up update a Raspberry PI 4 running Fedora 38, to Fedora 39 via the dnf system-upgrade method.

When the machine reboots , and starts to prepare the upgrade, the logs show messages like

Oct 25 11:00:52 ipa.animesoft.net dnf-3[747]: error: Verifying a signature using certificate E8F23996F23218640CB44CBE75CF5AC418B8E74C (Fedora (39) fedora-39-primary@fedoraproject.org):
Oct 25 11:00:52 ipa.animesoft.net dnf-3[747]: Signature 7f4e created at Thu Nov 2 12:36:46 2023 invalid: signature is not alive
Oct 25 11:00:52 ipa.animesoft.net dnf-3[747]: because: Not live until 2023-11-02T12:31:46Z

Is there some way of forcing the system to sync time via ntp during the upgrade process?


Hi Stephen, welcome to Fedora Discussion!

You can try some workarounds described here.

Thankyou :slight_smile:

The workaround that was implemented was to bump the date on a package in F38 so that the date is set after the time on the certificates when there is no RTC.

To get this workaround first dnf update --refresh your f38 then you should be able to do the system-upgrade.

Does that work for you?

In the discussion thread for the corresponding bug in bugzilla there is more information about bumping the build date for systemd and why it works - but only until another package is built and added to the Fedora repository. It turns out that when systemd starts it will use the build time stamp on it’s package if an RTC or other time source is not available. This would work reliably if and only if systemd build time was always more recent than all other packages. I learned a lot reading that bugzilla thread.

Interesting, I ran into this problem with my Virtual Box Fedora VM going from 39 to 40. The host is Win 10 on Intel hardware. This VM I have upgraded many times in the past without having this issue. The first workaround seems to be doing the trick (upgrade not yet complete but much further along).

Thanks for the help!