F41 Kinoite Native Container - DNF5 PGP key import error

I’m playing around with the new native containers for Kinoite 41 and I’m getting a PGP key error when trying to overlay a package using the new DNF5 functionality. Unsure if this is expected behavior due to it still being in beta or if I’m missing some configuration.

$ sudo dnf install opendoas
[sudo] password for yosuke:
Updating and loading repositories:
 Fedora 41 - x86_64 - Updates Archive                                                                                                   100% |  20.4 KiB/s |   3.3 KiB |  00m00s
 Fedora 41 - x86_64 - Test Updates                                                                                                      100% |  28.9 KiB/s |  13.3 KiB |  00m00s
 Fedora 41 - x86_64                                                                                                                     100% |  15.0 KiB/s |   4.3 KiB |  00m00s
 Fedora 41 - x86_64 - Updates                                                                                                           100% | 140.7 KiB/s |  29.1 KiB |  00m00s
 Fedora 41 openh264 (From Cisco) - x86_64                                                                                               100% |   3.2 KiB/s | 989.0   B |  00m00s
 Fedora 41 - x86_64 - Test Updates                                                                                                      100% | 528.9 KiB/s |   1.1 MiB |  00m02s
 Fedora 41 - x86_64                                                                                                                     100% |   2.2 MiB/s |   3.1 MiB |  00m01s
Repositories loaded.
Package                                                    Arch           Version                                                     Repository                            Size
Installing:
 opendoas                                                  x86_64         6.8.2-7.fc41                                                fedora                            58.3 KiB

Transaction Summary:
 Installing:        1 packages

Total size of inbound packages is 33 KiB. Need to download 0 B.
After this operation 58 KiB will be used (install 58 KiB, remove 0 B).
Is this ok [y/N]: y
[1/1] opendoas-0:6.8.2-7.fc41.x86_64                                                                                                    100% |   0.0   B/s |   0.0   B |  00m00s
>>> Already downloaded
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[1/1] Total                                                                                                                             100% |   0.0   B/s |   0.0   B |  00m00s
Running transaction
Importing PGP key 0xE99D6AD1:
 Userid     : "Fedora (41) <fedora-41-primary@fedoraproject.org>"
 Fingerprint: 466CF2D8B60BC3057AA9453ED0622462E99D6AD1
 From       : file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-41-x86_64
Is this ok [y/N]: y

Transaction failed: Signature verification failed.
An error occurred importing key "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-41-x86_64": Failed to import public key "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-41-x86_64" to rpmdb: can't create transaction lock on /usr/share/rpm/.rpm.lock (Read-only file system)
PGP check for package "opendoas-6.8.2-7.fc41.x86_64" (/var/cache/libdnf5/fedora-7efbab3c1dbcd0d4/packages/opendoas-6.8.2-7.fc41.x86_64.rpm) from repo "fedora" has failed: Public key import failed.
Output of rpm-ostree status:
State: idle
Deployments:
● ostree-unverified-registry:quay.io/fedora-ostree-desktops/kinoite:41
                   Digest: sha256:2149d328f5e21b6b52ff46e8f5047c608104eb9c21bf882846e8add914e49c51
                  Version: 41.20240922.0 (2024-09-22T02:35:02Z)

  ostree-unverified-image:docker://quay.io/fedora-ostree-desktops/kinoite:41
                   Digest: sha256:f63331e2d0957d2cfaec5117ba9ddc74c1e2884ca54245f4e33304e41bb57081
                  Version: 41.20240920.0 (2024-09-20T17:51:42Z)
Output of bootc status:
apiVersion: org.containers.bootc/v1
kind: BootcHost
metadata:
  name: host
spec:
  image:
    image: quay.io/fedora-ostree-desktops/kinoite:41
    transport: registry
  bootOrder: default
status:
  staged: null
  booted:
    image:
      image:
        image: quay.io/fedora-ostree-desktops/kinoite:41
        transport: registry
      version: 41.20240922.0
      timestamp: null
      imageDigest: sha256:2149d328f5e21b6b52ff46e8f5047c608104eb9c21bf882846e8add914e49c51
    cachedUpdate: null
    incompatible: false
    pinned: false
    store: ostreeContainer
    ostree:
      checksum: a05556452ddda5518ea8e54337570d9e7a1011fcae61a35b94e1bc2b2be83d85
      deploySerial: 0
  rollback:
    image:
      image:
        image: quay.io/fedora-ostree-desktops/kinoite:41
        transport: registry
      version: 41.20240920.0
      timestamp: null
      imageDigest: sha256:f63331e2d0957d2cfaec5117ba9ddc74c1e2884ca54245f4e33304e41bb57081
    cachedUpdate:
      image:
        image: quay.io/fedora-ostree-desktops/kinoite:41
        transport: registry
      version: 41.20240922.0
      timestamp: null
      imageDigest: sha256:2149d328f5e21b6b52ff46e8f5047c608104eb9c21bf882846e8add914e49c51
    incompatible: false
    pinned: false
    store: ostreeContainer
    ostree:
      checksum: 620100024bd66a058d79dacc3c8429e5f84b601bcaa09146bf6c156efe41de6f
      deploySerial: 0
  rollbackQueued: false
  type: bootcHost

Dnf is included to install packages in container builds or to install packages temporarily on unlocked systems. The replacement for overlaying packages locally like rpm-ostree install does is not developed yet.

Personally, following the container native (bootc) approach, I don’t layer any packages locally. When I need to add, remove, or test a package update, I edit the Containerfile, rebuild the derived container image, and update the system.
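
The workflow described in the reply above, sketched as an added example (not code from either poster or from the Fedora project). The local tag `localhost/kinoite-custom:41`, the build directory `./kinoite-custom` and the script's own `--apply` argument are assumptions; package names are validated before being templated into the `RUN` line so nothing else can be spliced into the build.

```bash
#!/usr/bin/env bash
# Added example: derive a custom image instead of layering packages on the host.
# Assumed names: localhost/kinoite-custom:41 (tag), ./kinoite-custom (build dir).
set -eu

BASE_IMAGE="quay.io/fedora-ostree-desktops/kinoite:41"   # base image from the thread
TAG="localhost/kinoite-custom:41"                        # hypothetical local tag

# Accept only plain RPM package names: no empty string, no leading dash
# (option injection), no shell metacharacters or whitespace.
valid_pkg() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9._+-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print a Containerfile that installs the given packages with dnf at build
# time, where the rpmdb is writable and the Fedora key import can succeed.
render_containerfile() {
  local pkg
  for pkg in "$@"; do
    valid_pkg "$pkg" || { echo "rejected package name: $pkg" >&2; return 1; }
  done
  printf 'FROM %s\n' "$BASE_IMAGE"
  printf 'RUN dnf install -y %s && dnf clean all && ostree container commit\n' "$*"
}

# Build as root (bootc reads root's container storage), then switch the host.
build_and_switch() {
  local dir="$1"; shift
  mkdir -p "$dir"
  render_containerfile "$@" > "$dir/Containerfile"
  sudo podman build -t "$TAG" "$dir"
  sudo bootc switch --transport containers-storage "$TAG"
}

# Only touch the system when explicitly asked: ./script --apply opendoas
if [ "${1:-}" = "--apply" ]; then
  shift
  build_and_switch ./kinoite-custom "$@"
fi
```

The switched image is staged as a new deployment and takes effect on the next reboot; the previous deployment stays available as the rollback.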