Issue with GPG Signature Verification and Package Installation in Fedora Rawhide Image

Hi All,

I have performed the following steps:

1. Pulled the fedora:rawhide image from registry.fedoraproject.org/fedora:rawhide
2. Executed yum update -y to update the packages.
3. Ran yum install -y curl info
4. Got below error

```[root@01ac39eebce6 /]# yum install -y curl info
Updating and loading repositories:
Repositories loaded.
Package "curl-8.11.1-4.fc42.aarch64" is already installed.

Package                                                                                       Arch                 Version                                                                                       Repository                                                 Size
Installing:
 info                                                                                         aarch64              7.2-3.fc42                                                                                    rawhide                                               421.6 KiB

Transaction Summary:
 Installing:         1 package

Total size of inbound packages is 180 KiB. Need to download 0 B.
After this operation, 422 KiB extra will be used (install 422 KiB, remove 0 B).
[1/1] info-0:7.2-3.fc42.aarch64                                                                                                                                                                                                         100% |   0.0   B/s |   0.0   B |  00m00s
>>> Already downloaded
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[1/1] Total                                                                                                                                                                                                                             100% |   0.0   B/s |   0.0   B |  00m00s
Running transaction
Importing OpenPGP key 0x6D9F90A6:
 UserID     : "Fedora (44) <fedora-44-primary@fedoraproject.org>"
 Fingerprint: 36F612DCF27F7D1A48A835E4DBFCF71C6D9F90A6
 From       : file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-44-aarch64
The key was successfully imported.
Transaction failed: Signature verification failed.
Public key "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-rawhide-aarch64" is already present, not importing.
OpenPGP check for package "info-7.2-3.fc42.aarch64" (/var/cache/libdnf5/rawhide-135a69fc59e3201d/packages/info-7.2-3.fc42.aarch64.rpm) from repo "rawhide" has failed: Import of the key didn't help, wrong key? ```

This started happening from today only and in x86_64, we are getting this error when tried with --nogpgcheck flag

Step 2/7 : RUN yum update -y --nogpgcheck && yum install -y --nogpgcheck curl info && dnf install -y --nogpgcheck --skip-broken dnf-utils libxcrypt-compat gzip


 ---> Running in 1df52aae3c8d

?[91mUpdating and loading repositories:
?[0m
?[91m Fedora rawhide openh264 (From Cisco) - 100% |   6.7 KiB/s |   6.0 KiB |  00m01s
?[0m
?[91m Fedora - Rawhide - Developmental packa 100% |  10.9 MiB/s |  21.5 MiB |  00m02s
?[0m
?[91mRepositories loaded.
?[0m
Nothing to do.

?[91mUpdating and loading repositories:
?[0m
?[91mRepositories loaded.
?[0m
?[91mPackage "curl-8.11.1-4.fc42.x86_64" is already installed.

?[0m
?[91mTotal size of inbound packages is 184 KiB. Need to download 184 KiB.
After this operation, 358 KiB extra will be used (install 358 KiB, remove 0 B).
?[0m
Package Arch   Version    Repository      Size
Installing:
 info   x86_64 7.2-3.fc42 rawhide    357.9 KiB

Transaction Summary:
 Installing:         1 package


?[91m[1/1] info-0:7.2-3.fc42.x86_64          100% |  13.5 KiB/s | 183.8 KiB |  00m14s
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> Downloading successful, but checksum doesn't match. Calculated: 1d0d1e26517a
>>> No more mirrors to try - All mirrors were already tried without success
--------------------------------------------------------------------------------
[1/1] Total                             100% |  13.1 KiB/s | 183.8 KiB |  00m14s
?[0m
?[91mFailed to download packages
 Librepo error: Cannot download Packages/i/info-7.2-3.fc42.x86_64.rpm: All mirrors were tried
?[0m
{code=1, message=The command '/bin/sh -c yum update -y --nogpgcheck && yum install -y --nogpgcheck curl info && dnf install -y --nogpgcheck --skip-broken dnf-utils libxcrypt-compat gzip' returned a non-zero code: 1}
The command '/bin/sh -c yum update -y --nogpgcheck && yum install -y --nogpgcheck curl info && dnf install -y --nogpgcheck --skip-broken dnf-utils libxcrypt-compat gzip' returned a non-zero code: 1

Please let me know how to resolve this

It looks like the downloaded rpm was corrupt. Can you try a different mirror? Nevermind, I see that the command already tried several mirrors. Maybe you can retrieve the original from dl.fedoraproject.org (https://dl.fedoraproject.org/pub/fedora/linux/development/42/Everything/x86_64/os/Packages/i/info-7.2-3.fc42.x86_64.rpm) and verify that it is good with rpm -ivh ./info-*?

So, this was likely issues around branching.
We branched f42 off rawhide on tuesday and there’s a lot of parts around that.

Rawhide is completely resigned with the f43 key, branched is composed with the f42 key, mirrormanager has to adjust the ‘rawhide’ label, containers need to be updated in a new compose.

Can you try again now and confim it works?

It seems to be working fine today. the issue appears to be resolved.

If you have been running rawhide and want to continue on versions 42 you need to run dnf update --releasever=42 once and before versions 42 deviates too much from rawhide.

I’m from Artifactory Team, we are running our pipeline against rawhide to determine if we need to accommodate any new changes for our customers

I received a similar error after installing Rawhide, but it was on the openh264 package. Bug report previously filed: 2344545 – openh264 - public key is not installed preventing Rawhide from being updated

The only way to update/upgrade Rawhide because of this, is to disable the fedora-cisco-openh264 repo.