Fedora Atomic Desktops, Kinoite F37 --> F40 rebase error, public key not found

I get the same error as the first post, but need to import different keys.

Is there a feature in rpm-ostree either to…

  • ignore keys / accept the keys that get downloaded
  • import the correct keys

Workaround

wget https://src.fedoraproject.org/rpms/fedora-repos/blob/f40/f/RPM-GPG-KEY-fedora-40-primary
sudo mv RPM-GPG-KEY-fedora-40-primary /etc/pki/rpm-gpg/
sudo ln -s /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-40-primary /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-40-x86_64

rpm-ostree refresh-md

This doesn't work, something is missing.

Workaround 2

Rebase to an unverified OCI variant of the system, like the fedora-ostree-desktops images in quay.io

rpm-ostree rebase --experimental ostree-unverified-registry:quay.io/fedora-ostree-desktops/kinoite:41 --reboot

Alternatively, with additional trust and package changes, you can rebase to uBlue kinoite-main.

rpm-ostree rebase --experimental ostree-unverified-registry:ghcr.io/ublue-os/kinoite-main:latest --reboot

Afterwards you can rebase to the ostree variant again, which still has some advantages

rpm-ostree rebase fedora:fedora/41/x86_64/kinoite

This workaround doesn't work if you are on arm64, afaik.

1 Like

Which part of this have you not tested?

I added the key and did a refresh, which didn't work.

Did not test if symlinking it to the x86_64 key fixed it. Instead, I rebased to uBlue Aurora (which was a bad idea) and will see what I rebase to now.

I can try again in a VM

Update: still doesn't work.

Signature made with public RSA key 0727707EA15B79CC on 8.10.2024 , which cannot be found

1 Like
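Added example (not part of any post in this thread, and not rpm-ostree or Fedora code): a Python check that a downloaded file really is an ASCII-armored OpenPGP public key and contains the key ID named in the error above, before it is placed in /etc/pki/rpm-gpg/. A saved web page fails the check. It handles v4 keys only; all function names are hypothetical, and `constructed_key()` builds a toy packet for offline testing, not a real Fedora key.

```python
import base64, hashlib
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def dearmor(text):
    """Decode an ASCII-armored key block; ValueError for anything else (e.g. an HTML page)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or END not in lines:
        raise ValueError("not an armored OpenPGP public key block")
    body = lines[1:lines.index(END)]
    body = body[body.index("") + 1:] if "" in body else body   # skip armor headers
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))  # drop CRC-24

def key_ids(data):
    """Return the key IDs of all v4 public key (tag 6) and subkey (tag 14) packets."""
    ids, i = [], 0
    while i < len(data):
        hdr = data[i]
        if (hdr & 0xC0) == 0xC0:                      # new-format packet header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body length not expected in a key file")
        elif (hdr & 0x80) and (hdr & 3) != 3:         # old-format header, 1/2/4 length bytes
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        else:
            raise ValueError("unsupported packet header")
        body, i = data[i:i + length], i + length
        if tag in (6, 14) and body[:1] == b"\x04":
            # v4 fingerprint = SHA-1(0x99 || 2-byte length || body); key ID = low 64 bits
            fp = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()
            ids.append(fp[-8:].hex().upper())
    return ids

def key_file_has_id(text, wanted):
    """True only if text is an armored key block that contains the wanted key ID."""
    try:
        return wanted.upper() in key_ids(dearmor(text))
    except (ValueError, IndexError, OverflowError):
        return False

def constructed_key():
    """Constructed toy packet (not a real Fedora key): v4, RSA, tiny made-up n and e."""
    body = b"\x04" + (1700000000).to_bytes(4, "big") + b"\x01\x00\x10\xc3\x51\x00\x11\x01\x00\x01"
    return f"{BEGIN}\n\n{base64.b64encode(bytes([0x98, len(body)]) + body).decode()}\n{END}\n"
```

To check a real download, pass the file's text and the ID from the error, for example `key_file_has_id(open(path).read(), "0727707EA15B79CC")`.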

It is not supported to skip major releases when upgrading: Updates, Upgrades & Rollbacks :: Fedora Docs

You have to update 37 → 38 → 39 → 40

1 Like

But really, you should try to figure out why the newer ISOs do not work for you as this is really weird.

Yes it is. I already tried to troubleshoot it and was at least able to get a full log.

That boot stuff is way above me, so I hope the right people get it.

As for the upgrades, thanks, I forgot about that. But a different fix should still work, shouldn't it? This would not work if I, for example, have an F35 system and there are no F36 repos online anymore to get the images from.

Meanwhile, rebasing to latest unsigned Aurora worked. Right! I could also just rebase to your GitLab OCI images, that would also be scalable (as in: can survive very big version differences) and without unofficial trust.

And a point for me is that I never have to reinstall again.

1 Like