I’ve just tried up update a Raspberry PI 4 running Fedora 38, to Fedora 39 via the dnf system-upgrade method.
When the machine reboots , and starts to prepare the upgrade, the logs show messages like
Oct 25 11:00:52 ipa.animesoft.net dnf-3[747]: error: Verifying a signature using certificate E8F23996F23218640CB44CBE75CF5AC418B8E74C (Fedora (39) fedora-39-primary@fedoraproject.org):
Oct 25 11:00:52 ipa.animesoft.net dnf-3[747]: Signature 7f4e created at Thu Nov 2 12:36:46 2023 invalid: signature is not alive
Oct 25 11:00:52 ipa.animesoft.net dnf-3[747]: because: Not live until 2023-11-02T12:31:46Z
Is there some way of forcing the system to sync time via ntp during the upgrade process?
The workaround that was implemented was to bump the date on a package in F38 so that the date is set after the time on the certificates when there is no RTC.
To get this workaround first dnf update --refresh your f38 then you should be able to do the system-upgrade.
In the discussion thread for the corresponding bug in bugzilla there is more information about bumping the build date for systemd and why it works - but only until another package is built and added to the Fedora repository. It turns out that when systemd starts it will use the build time stamp on it’s package if an RTC or other time source is not available. This would work reliably if and only if systemd build time was always more recent than all other packages. I learned a lot reading that bugzilla thread.
