Popular third-party RPMs fail to install/update/remove due to security policy verification

Problem

In Fedora 38 development version, certain third-party RPMs fail to install, update or get removed, often with an error “Package does not verify”, “Signature does not verify” or “Key import failed”. The most visible examples of affected packages include:

  • Google Chrome (RPM signature rejected, repo key rejected)
  • Microsoft Edge (repo key rejected)
  • Dropbox (repo key rejected)
  • Skype (repo key rejected)
  • Visual Studio Code (repo key rejected)
  • Sublime Text (repo key rejected)
  • Microsoft Teams (repo key rejected)
  • TeamViewer (repo key rejected)

But in general any third-party software can be affected. Those affected packages can’t be installed/updated/removed. If they’re a part of a bigger transaction (like a system update), the whole transaction will fail to start. This means you won’t be able to perform a general system update, unless you manually exclude the problematic packages (which can be done in a terminal using dnf, but can’t be done graphically e.g. in GNOME Software).

The problem can occur for two different reasons: either an RPM package signature gets rejected, or the repository key of your third-party repository gets rejected.

Example error messages:

When an RPM signature is rejected during installation, the DNF output can look like this:

Error: Transaction test error:
package google-chrome-stable-110.0.5481.77-1.x86_64 does not verify: Header V4 DSA/SHA1 Signature, key ID 7fac5991: BAD

GNOME Software outputs an error like this:

signature does not verify for google-chrome-stable_current_x86_64.rpm

When a repository key is rejected, it can look like this:

error: Certificate EB3E94ADBE1229CF:
  Policy rejects EB3E94ADBE1229CF: No binding signature at time 2023-02-20T09:08:20Z
Key import failed (code 2). Failing package is: microsoft-edge-stable-110.0.1587.50-1.x86_64

If you already have some affected third-party RPM packages installed (from Fedora 37 or earlier) and try to update them, you might see the following error instead:

Running transaction check
error: rpmdbNextIterator: skipping h# 1744
Header V4 DSA/SHA1 Signature, key ID 7fac5991: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
Error: An rpm exception occurred: package not installed

Or this error:

Problem opening package google-chrome-stable-110.0.5481.100-1.x86_64.rpm
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing ‘dnf clean packages’.
Error: GPG check FAILED

Cause

This is caused by certain third-party RPM packages being signed with weak cryptographic algorithms (e.g. SHA-1 or DSA). RPM in Fedora 38 honors the system-wide cryptographic policies configured in Fedora and refuses to process such packages. Kevin Fenzi provided a short explanation here.
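As an added example (not part of the original post and not Fedora's own tooling), the POSIX shell snippet below does two things the text above describes: it flags rpm -Kv signature lines by the algorithms they name (the SHA-1 and DSA the post mentions), and it turns the affected package names into the dnf --exclude arguments needed for the manual exclusion mentioned in the Problem section. The sample rpm -Kv output, the example-app package and its key ID are constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original Fedora post. Flags RPM signatures
# that use the algorithms the post names (SHA-1, DSA) and turns the affected
# package names into dnf --exclude arguments. Function names are my own.

# Return 0 when a signature line names a DSA key or a SHA-1 signature hash.
# Only "Signature" lines are considered: the "Header SHA1 digest" line is a
# plain digest, not a signature, and is not what the crypto policy rejects.
is_weak_signature() {
    case "$1" in
        *Signature*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *DSA*|*SHA1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce a NEVRA such as google-chrome-stable-110.0.5481.77-1.x86_64 to the
# package name dnf --exclude expects (strip .arch, then -release, then -version).
nevra_to_name() {
    n="${1%.*}"
    n="${n%-*}"
    n="${n%-*}"
    printf '%s\n' "$n"
}

# Read "rpm -Kv file.rpm ..." style output on stdin and print the NEVRA of every
# package whose signature line is weak (each package is reported once).
weak_packages() {
    current=""
    while IFS= read -r line; do
        case "$line" in
            *.rpm:) current="${line%.rpm:}" ;;
            *)
                if [ -n "$current" ] && is_weak_signature "$line"; then
                    printf '%s\n' "$current"
                    current=""
                fi
                ;;
        esac
    done
}

# Turn the weak-package list into --exclude=NAME arguments, one per line.
dnf_exclude_args() {
    weak_packages | while IFS= read -r nevra; do
        printf '%s%s\n' '--exclude=' "$(nevra_to_name "$nevra")"
    done
}

# Constructed sample in the format rpm -Kv prints. The Chrome entry mirrors the
# post's error output; example-app and its key ID are made up.
SAMPLE_RPM_KV='google-chrome-stable-110.0.5481.77-1.x86_64.rpm:
    Header V4 DSA/SHA1 Signature, key ID 7fac5991: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
example-app-1.0-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK'

# Demo on the constructed sample. On a real system, pipe the output of
# "rpm -Kv" run on the downloaded .rpm files instead.
printf '%s\n' "$SAMPLE_RPM_KV" | dnf_exclude_args
```

The classification keys on the algorithm names rather than on rpm's OK/BAD verdict, so the same script flags a DSA/SHA-1 package on a Fedora 37 host (where rpm still reports OK) as well as on Fedora 38 (where it reports BAD). The printed --exclude arguments can be appended to a dnf upgrade command to let the rest of a system update proceed while the affected packages are skipped.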

Related Issues

Bugzilla 2170878: https://bugzilla.redhat.com/show_bug.cgi?id=2170878
Bugzilla 2170839 – workstation repos contain Google Chrome repo, but Chrome can't be installed: https://bugzilla.redhat.com/show_bug.cgi?id=2170839

A similar problem with a different cause: Third-party RPMs with an invalid signing key might cause errors during package operations

Solution

Please see this post for an update that fixes this problem.

If you previously applied the temporary workaround that used to be described in this topic, be sure to revert your system to the default behavior using this command:

sudo update-crypto-policies --set DEFAULT

Please note: If your problem is still not fixed (even after a reboot), you might be affected by a similar issue described in Third-party RPMs with an invalid signing key might cause errors during package operations.


You can discuss this topic here.


An update has been released to fix this issue.

After you update your system in your usual way (and possibly reboot), you should no longer be affected by this problem. If the problem persists, please start a new discussion topic and we’ll help figure out what’s still wrong.