F42 Change Proposal: DNF5 Expired Keys (System-Wide)

Managing expired PGP keys in DNF5

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

wiki
Announced

:link: Summary

Implementing new logic in DNF5 to remove expired and obsolete repository keys from the system.

:link: Owner

:link: Detailed Description

We aim to address customer issues when installing RPM packages from repositories while outdated repository keys are present on the system. These issues include expired keys, obsolete signing algorithms (e.g., SHA1), or other problems that could be easily detected by tools like an RPM PGP linter. Currently, PGP checks fail, and users must manually remove expired keys using commands like rpmkeys --delete.

The proposed solution is a new LIBDNF5 plugin. This plugin will act as a hook, checking for invalid repository PGP keys on the system before executing a DNF transaction.

  • Interactive mode: The plugin will prompt the user to confirm the removal of each invalid key.
  • Non-interactive mode (e.g., with -y or --assumeno): The plugin will proceed automatically based on the specified user action, either removing the keys or retaining them.

By default, this behavior will be enabled in DNF5, with the option to disable it through configuration.

This enhancement stems from a request in upstream issue and builds upon the existing solution in DNF4. Unlike DNF4’s implementation, which is not enabled by default, this change will be integral to the default DNF5 functionality, aligning with its role as the primary package manager in Fedora.

:link: Feedback

The proposed solution has been discussed with affected users, including the Mock and Copr teams, as part of the discussions around the existing solution in DNF4.

:link: Benefit to Fedora

This change enables the automatic management of repository keys during software installation or upgrades.

:link: Scope

  • Proposal owners:

    • Implement a new LIBDNF5 plugin to manage repository PGP keys automatically.
  • Other developers:

    • No additional work identified at this time.
  • Release engineering: #12477

  • Policies and guidelines: N/A (not needed for this Change)

  • Trademark approval: N/A (not needed for this Change)

:link: Upgrade/compatibility impact

No compatibility or upgrade issues expected.

:link: How To Test

A good reproducer is already described in this comment within the upstream issue.

You can list all installed key hashes along with their names using:

rpmkeys --list

To query the key block info, use:

rpm -q --qf "%{DESCRIPTION}" gpg-pubkey-<KEYHASH> (note: rpmkeys --export <KEYHASH> on newer RPM releases)

To get the end date in a human-readable format, run:

rpm -q --qf "%{DESCRIPTION}" gpg-pubkey-<KEYHASH> | gpg --show-keys --with-colon | cut -d':' -f7 | xargs -I{} date -d @{}

Note that not all keys have a defined end of validity date.

You can also try running a transaction using a COPR repository with the faketime command from libfaketime:

faketime '+10years' dnf install <pkg_name_from_copr>

The above should fail without the functionality introduced by this proposal. After deploying the new plugin, it should prompt the user about the expired PGP key and ask for removal.

:link: User Experience

For interactive users, a prompt will appear informing them about each outdated key on the system and asking for confirmation to remove it. For non-interactive users, there will be no change to the workflow.

:link: Dependencies

No additional work is expected.

:link: Contingency Plan

  • Contingency mechanism: Disable the new plugin from running by default.
  • Contingency deadline: Fedora 42 branching from Rawhide
  • Blocks release? No

:link: Documentation

The new behavior will be documented in the upstream DNF5 documentation.

:link: Release Notes

Last edited by @amoloney 2024-12-03T17:19:45Z

Last edited by @amoloney 2024-12-03T17:19:45Z

How do you feel about the proposal as written?

  • Strongly in favor
  • In favor, with reservations
  • Neutral
  • Opposed, but could be convinced
  • Strongly opposed
0 voters

If you are in favor but have reservations, or are opposed but something could change your mind, please explain in a reply.

We want everyone to be heard, but many posts repeating the same thing actually makes that harder. If you have something new to say, please say it. If, instead, you find someone has already covered what you’d like to express, please simply give that post a :heart: instead of reiterating. You can even do this by email, by replying with the heart emoji or just “+1”. This will make long topics easier to follow.

Please note that this is an advisory “straw poll” meant to gauge sentiment. It isn’t a vote or a scientific survey. See About the Change Proposals category for more about the Change Process and moderation policy.

I think it would be better to implement this as a separate command. There should be no need to run it every single time I use dnf since once it has been dealt with it’s unlikely to need further action. At the most I’d be ok with printing a warning pointing me to the command to run to clean things up. I would find it irritating to be doing one thing (installing a package, etc.) and have my workflow unexpectedly interrupted by something completely different.

Shouldn’t we start with removing the keys for EOL releases in Fedora? Right now we ship all the keys for all the previous Fedora releases: Tree - rpms/fedora-repos - src.fedoraproject.org

We had indirectly asked for this in PR#114: Move GPG keys for EOL releases into another folder - rpms/fedora-repos - src.fedoraproject.org.

well, those are not in the rpmdb, just files on disk, but yeah…

Yeah, it does seem a bit wastefull to run this on every command, but a seperate command would just… never get run.

Hi guys,

Thanks for your feedback there.

The intent is definitely not to run this on every DNF command. We want to introduce a hook that executes only after transaction resolution. This hook will check if any new packages or upgrades are slated for installation, and in such cases, it will trigger the logic. I don’t expect this to noticeably affect user experience.

If we were to introduce a separate command for handling this, users relying on repositories that extend key validity would likely encounter an error first (as reported in Refresh PGP keys, e.g. when prolonging an expiration time · Issue #1192 · rpm-software-management/dnf5 · GitHub). They’d then be prompted to run this additional command, followed by repeating the transaction. That seems a bit annoying to me.

As for handling EOL Fedora keys, I’ve already mentioned in the Fedora devel thread that we currently lack a clear, generic approach for addressing that scenario.

Can you link to the thread?

Sure, I meant the devel mailing-list thread: F42 Change Proposal: DNF5 Expired Keys (System-Wide) - devel - Fedora mailing-lists.

1 Like

This change proposal has now been submitted to FESCo with ticket #3322 for voting.

To find out more, please visit our Changes Policy documentation.

This change has been accepted by FESCo for Fedora Linux 42. A full list of approved changes to date can be found on the Change Set Page.

To find out more about how our changes policy works, please visit our docs site.