GPG key issue with Crowdsec repository

I know that this is mainly a crowdsec matter and their repository, but I’d like to ask what the issue could be with the following situation. They don’t yet have an official Fedora 38 repository either, so I’m still taking the 37 packages as follows.

# curl -s "https://packagecloud.io/install/repositories/crowdsec/crowdsec/config_file.repo?os=fedora&dist=37&source=script" > /etc/yum.repos.d/crowdsec_crowdsec.repo
# dnf -q -y makecache --disablerepo '*' --enablerepo crowdsec_crowdsec --enablerepo crowdsec_crowdsec-source
....

The last command imports a lot of gpg keys for the repository. However, fedora doesn’t seem to like one of them.

# rpm -qa gpg-pubkey
gpg-pubkey-9867c58f-601c49ca
gpg-pubkey-38ab71f4-60242b08
gpg-pubkey-5323552a-6112bcdc
error: Verifying a signature using certificate 9082D8CACBBEB0DAB218BAB04C3D386C3CDF0DB4 (Crowdsec Rpm Archive <support@crowdsec.net>):
  Certificate 4C3D386C3CDF0DB4 invalid: policy violation
      because: No binding signature at time 2023-01-19T19:48:16Z
error: rpmdbNextIterator: skipping h#    4459
Header V4 RSA/SHA256 Signature, key ID 3cdf0db4: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
error: Verifying a signature using certificate 9082D8CACBBEB0DAB218BAB04C3D386C3CDF0DB4 (Crowdsec Rpm Archive <support@crowdsec.net>):
  Certificate 4C3D386C3CDF0DB4 invalid: policy violation
      because: No binding signature at time 2023-02-09T14:44:43Z
error: rpmdbNextIterator: skipping h#    4629
Header V4 RSA/SHA256 Signature, key ID 3cdf0db4: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
gpg-pubkey-eb10b464-6202d9c6
gpg-pubkey-6e93cd0c-60c07349
gpg-pubkey-d059946b-60c08891
gpg-pubkey-ea83274e-63f386c5
gpg-pubkey-145ce2f2-645ce3dc
gpg-pubkey-3cdf0db4-605092b1

If I remove the offending gpg-pubkey-3cdf0db4-605092b1 the system is happy again with the keys:

[root@nextcloud ~]# rpm --erase gpg-pubkey-3cdf0db4-605092b1
[root@nextcloud ~]# rpm -qa gpg-pubkey
gpg-pubkey-38ab71f4-60242b08
gpg-pubkey-eb10b464-6202d9c6
gpg-pubkey-6e93cd0c-60c07349
gpg-pubkey-d059946b-60c08891
gpg-pubkey-ea83274e-63f386c5
gpg-pubkey-145ce2f2-645ce3dc

I’ve been trying to figure this out with their helpful issue tracking folks but they can’t reproduce this issue that I’m facing.

Any suggestions what could be wrong here?

You have imported GPG keys for repo metadata verification, but you also need to import GPG keys for RPM package verification, as they should be imported separately:

sudo rpm --import $(grep -o -e "https://.*gpgkey.*" /etc/yum.repos.d/crowdsec*.repo)
rpm -q --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n" gpg-pubkey | sort -k 2

Okay, I ran those:

# rpm --import $(grep -o -e "https://.*gpgkey.*" /etc/yum.repos.d/crowdsec*.repo)
# rpm -q --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n" gpg-pubkey | sort -k 2
gpg-pubkey-3cdf0db4-605092b1	Crowdsec Rpm Archive <support@crowdsec.net> public key
gpg-pubkey-ea83274e-63f386c5	Crowdsec Rpm Archive <support@crowdsec.net> public key
gpg-pubkey-145ce2f2-645ce3dc	Crowdsec Team <debian@crowdsec.net> public key
gpg-pubkey-d059946b-60c08891	Crowdsec Team (Debian Package Signing Key) <debian@crowdsec.net> public key
gpg-pubkey-38ab71f4-60242b08	Fedora (36) <fedora-36-primary@fedoraproject.org> public key
gpg-pubkey-5323552a-6112bcdc	Fedora (37) <fedora-37-primary@fedoraproject.org> public key
gpg-pubkey-eb10b464-6202d9c6	Fedora (38) <fedora-38-primary@fedoraproject.org> public key
gpg-pubkey-6e93cd0c-60c07349	https://packagecloud.io/crowdsec/crowdsec (https://packagecloud.io/docs#gpg_signing) <support@packagecloud.io> public key

Now if I try to upgrade crowdsec:

# dnf upgrade
Last metadata expiration check: 0:01:18 ago on Fri 02 Jun 2023 19:17:12 EEST.
Dependencies resolved.
====================================================================================================================================================================
 Package                                                Architecture               Version                              Repository                             Size
====================================================================================================================================================================
Upgrading:
 crowdsec                                               x86_64                     1.5.2-1.fc37                         crowdsec_crowdsec                      38 M
 crowdsec-firewall-bouncer-nftables                     x86_64                     0.0.27-1.fc37                        crowdsec_crowdsec                     3.8 M

Transaction Summary
====================================================================================================================================================================
Upgrade  2 Packages

Total download size: 42 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): crowdsec-firewall-bouncer-nftables-0.0.27-1.fc37.x86_64.rpm                                                                  3.4 MB/s | 3.8 MB     00:01
(2/2): crowdsec-1.5.2-1.fc37.x86_64.rpm                                                                                              18 MB/s |  38 MB     00:02
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                20 MB/s |  42 MB     00:02
Running transaction check
error: Verifying a signature using certificate 9082D8CACBBEB0DAB218BAB04C3D386C3CDF0DB4 (Crowdsec Rpm Archive <support@crowdsec.net>):
  Certificate 4C3D386C3CDF0DB4 invalid: policy violation
      because: No binding signature at time 2023-02-09T14:44:43Z
error: rpmdbNextIterator: skipping h#      11
Header V4 RSA/SHA256 Signature, key ID 3cdf0db4: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
error: Verifying a signature using certificate 9082D8CACBBEB0DAB218BAB04C3D386C3CDF0DB4 (Crowdsec Rpm Archive <support@crowdsec.net>):
  Certificate 4C3D386C3CDF0DB4 invalid: policy violation
      because: No binding signature at time 2023-02-09T14:44:43Z
error: rpmdbNextIterator: skipping h#      11
Header V4 RSA/SHA256 Signature, key ID 3cdf0db4: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: An rpm exception occurred: package not installed
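To tie the `key ID 3cdf0db4: BAD` line back to the `gpg-pubkey-3cdf0db4-605092b1` entry in the `rpm -q --qf` list above, here is an added helper (written for this thread, not code from CrowdSec or Fedora) that parses rpm's error output and that key list, and decodes the release field of each gpg-pubkey package, which RPM sets to the key's creation time in hex. The sample input is constructed from the shape of the output quoted in this thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample input in the shape quoted in this thread: stderr of `rpm -qa gpg-pubkey`
# and the list from `rpm -q --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n" gpg-pubkey`.
SAMPLE_RPM_ERRORS = """\
error: Verifying a signature using certificate 9082D8CACBBEB0DAB218BAB04C3D386C3CDF0DB4 (Crowdsec Rpm Archive <support@crowdsec.net>):
  Certificate 4C3D386C3CDF0DB4 invalid: policy violation
      because: No binding signature at time 2023-02-09T14:44:43Z
error: rpmdbNextIterator: skipping h#      11
Header V4 RSA/SHA256 Signature, key ID 3cdf0db4: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
"""
SAMPLE_KEY_LIST = """\
gpg-pubkey-3cdf0db4-605092b1\tCrowdsec Rpm Archive <support@crowdsec.net> public key
gpg-pubkey-ea83274e-63f386c5\tCrowdsec Rpm Archive <support@crowdsec.net> public key
"""

CERT_RE = re.compile(r"error: Verifying a signature using certificate ([0-9A-F]{40}) \((.*)\):")
REASON_RE = re.compile(r"\s*because: (.*)")
PKG_RE = re.compile(r"(gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8}))\t(.*)")

def parse_rpm_key_errors(text):
    """Map the short key ID (low 32 bits of the fingerprint) of each certificate
    rpm-sequoia rejected to its fingerprint, user ID and the policy reasons given."""
    bad, current = {}, None
    for line in text.splitlines():
        if m := CERT_RE.match(line):
            fpr, uid = m.groups()
            current = bad.setdefault(fpr[-8:].lower(), {"fingerprint": fpr, "uid": uid, "reasons": []})
        elif current and (m := REASON_RE.match(line)) and m.group(1) not in current["reasons"]:
            current["reasons"].append(m.group(1))
    return bad

def keypkg_creation_time(pkg_name):
    """The release field of a gpg-pubkey pseudo-package is the key's creation time as
    a hex epoch timestamp, e.g. 605092b1 -> 2021-03-16T11:12:49Z."""
    return datetime.fromtimestamp(int(pkg_name.rsplit("-", 1)[1], 16), tz=timezone.utc)

def offending_packages(rpm_errors, key_list):
    """Match rejected certificates to the gpg-pubkey entries holding them. Short key IDs
    are not unique, so confirm the full fingerprint with `rpm -qi <package>` before erasing."""
    bad, hits = parse_rpm_key_errors(rpm_errors), []
    for line in key_list.splitlines():
        if (m := PKG_RE.match(line)) and m.group(2) in bad:
            pkg, keyid, _, summary = m.groups()
            hits.append({"package": pkg, "summary": summary, **bad[keyid],
                         "created": keypkg_creation_time(pkg).strftime("%Y-%m-%dT%H:%M:%SZ")})
    return hits
```

On a live system, pass it the combined output of `rpm -qa gpg-pubkey 2>&1` and of the `rpg -q --qf` command instead of the constructed samples.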

Try using the default crypto policy and clean all DNF caches:

sudo update-crypto-policies --set DEFAULT
sudo update-crypto-policies --show
sudo update-crypto-policies --is-applied
sudo update-crypto-policies --check
sudo dnf clean all

If the issue persists, try disabling metadata verification for this repo:

sudo dnf config-manager --save --setopt crowdsec\*.repo_gpgcheck=0

Nope, still refuses to upgrade the package after doing the first one and repo_gpgcheck=0 didn’t help either. Still complaining:

error: Verifying a signature using certificate 9082D8CACBBEB0DAB218BAB04C3D386C3CDF0DB4 (Crowdsec Rpm Archive <support@crowdsec.net>):
  Certificate 4C3D386C3CDF0DB4 invalid: policy violation
      because: No binding signature at time 2023-02-09T14:44:43Z
error: rpmdbNextIterator: skipping h#      11
Header V4 RSA/SHA256 Signature, key ID 3cdf0db4: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK

Maybe you need sudo update-crypto-policies --set LEGACY

Some repositories use gpg signatures which do not satisfy the new DEFAULT policy.

Maybe, but keep in mind that it has some drawbacks.
I discovered that akmods signed with certs generated with LEGACY policy, cannot be loaded when Secure Boot is enabled.

As the machine is a KVM system, it should not be affected by any Secure Boot issues, so I tried the LEGACY policy as well. Still the same issue of getting:

error: Verifying a signature using certificate 9082D8CACBBEB0DAB218BAB04C3D386C3CDF0DB4 (Crowdsec Rpm Archive <support@crowdsec.net>):
  Certificate 4C3D386C3CDF0DB4 invalid: policy violation
      because: No binding signature at time 2023-02-09T14:44:43Z
error: rpmdbNextIterator: skipping h#      11
Header V4 RSA/SHA256 Signature, key ID 3cdf0db4: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
error: Verifying a signature using certificate 9082D8CACBBEB0DAB218BAB04C3D386C3CDF0DB4 (Crowdsec Rpm Archive <support@crowdsec.net>):
  Certificate 4C3D386C3CDF0DB4 invalid: policy violation
      because: No binding signature at time 2023-02-09T14:44:43Z

This fixed it, just removed the old version and installed the new one afterwards…
Third-party RPMs with an invalid signing key might cause errors during package operations