Import gpg key for rpm-ostree repositories

sariluca · April 4, 2022, 3:35am

Hi, I’m adding the 1password repository for fedora on my silverblue (see here) but I had to disable the gpg check as I am unable to import the key.
when I run the rpm command to import it I get the following error.
error: can’t create transaction lock on /usr/share/rpm/.rpm.lock (Read-only file system)
error: https://downloads.1password.com/linux/keys/1password.asc: key 1 import failed.

is there any way to layer these gpg keys?

thanks
Luca

siosm · April 11, 2022, 8:41am

You can copy the key directly to the /etc/pki/rpm-gpg directory.

sariluca · April 12, 2022, 3:31pm

Hi @siosm , I tried to copy the asc key as suggested, but the error is the same

Updating metadata for '1password'... done
error: Updating rpm-md repo '1password': cannot update repo '1password': repomd.xml GPG signature verification error: Bad GPG signature

goshansp · July 9, 2022, 12:05pm

I have the seemingly identical issue with tailscale from https://pkgs.tailscale.com/stable/fedora/36/tailscale.repo

When I do rpm-ostree install tailscale or rpm-ostree compose tree they fail with:

error: importing RPMs: package tailscale-1.26.2-1.x86_64 cannot be verified and repo tailscale-stable is GPG enabled: /proc/self/fd/15/cache/repomd/tailscale-stable-rpmostree-unset-releasever-x86_64/packages/tailscale_1.26.2_x86_64.rpm could not be verified.
/proc/self/fd/15/cache/repomd/tailscale-stable-rpmostree-unset-releasever-x86_64/packages/tailscale_1.26.2_x86_64.rpm:  digest:  SIGNATURE:  NOT OK

I have imported https://pkgs.tailscale.com/stable/fedora/repo.gpg and it is existing as /etc/pki/rpm-gpg/RPM-GPG-KEY-tailscale-stable

goshansp · July 9, 2022, 1:27pm

Nevermind, my case is unrelated: Tailscale has not signed the package, which I seen in the .repo with gpgcheck=0 as well as in the rpm itself which lead me to this Sign Fedora packages in addition to repo metadata · Issue #1882 · tailscale/tailscale · GitHub

rscmcl · July 21, 2022, 6:08pm

that doesn’t happen to me, check you repo file. mine looks like this

[tailscale-stable]
name=Tailscale stable
baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch
enabled=1
type=rpm
repo_gpgcheck=1
gpgcheck=0
gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg

mihalyr · January 7, 2023, 5:36pm

Just ran into the same issue with 1password on Silverblue, copying the key under /etc/pki/rpm-gpg alone didn’t work, I got the same error about Bad GPG signature as @sariluca

Here is what worked:

➜  ~ cat /etc/yum.repos.d/1password.repo 
[1password]
name=1Password Stable Channel
baseurl=https://downloads.1password.com/linux/rpm/stable/$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
#gpgkey="https://downloads.1password.com/linux/keys/1password.asc"
gpgkey=file:///etc/pki/rpm-gpg/1password.asc

➜  ~ ll /etc/pki/rpm-gpg/1password.asc 
-rw-r--r--. 1 root root 2.9K Jan  7 18:14 /etc/pki/rpm-gpg/1password.asc

I had to comment out the remote gpgkey reference and point it to the key I copied to /etc/pki/rpm-gpg. This is how the Fedora repos are configured too, so I thought it might work. Not sure why the HTTP version didn’t work or if it was supposed to work that way.

rosskarchner · February 21, 2023, 11:32pm

This sounds ridiculous-- but I was able to get the 1password repo file to work by just removing the quotes around the gpgfile value