This is a discussion topic for the following Common Issue:
You can discuss the problem and its solutions here, but please note that debugging and technical feedback should primarily go to the issue trackers (e.g. Bugzilla) linked in the Common Issue, because that’s the place that developers watch, not here.
If there are any updates/changes/amendments for the Common Issue description, which you believe should be performed, please post it here.
I was pointed to this post from someone on the test mailing list.
To make a long story short, how do I go about getting Microsoft (Edge) and Google (Chrome) to update?
This could take months.
Do does the workaround presented in the text above not work for you? Can you provide some details?
The above mentioned workaround does not work for me. With SHA1 allowed with the above mentioned command, the google-chrome-stable package will not update with the following output:
Problem opening package google-chrome-stable-110.0.5481.100-1.x86_64.rpm
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
With @lruzicka, we’ve found that in some cases, switching the system crypto policy to DEFAULT:SHA1 is not sufficient, and LEGACY needs to be used instead. I’ve updated the workaround to include it as the last-option hammer and also made the system security warning stronger.
I wrote that before I tried the workaround. That wasn’t my specific issue mentioned in the post.
If you have a different issue, please post that in #english — thanks!
I guess I wasn’t clear. How do I get the folks at Microsoft and Google to update their cryptography so that it won’t cause problems when installing their software in Fedora?
This could take months.
Hmmmm
Since it has been obvious for many years that both those organizations dislike the existence of linux and its freedom, I am not sure how they could be encouraged to do so more rapidly. After all, the biggest gorilla in the room likes dictating events.
We have workarounds as already noted, but I am aware of no certain way to try and influence their policies. I am sure that in time they will update things as older security methods are deprecated.
We probably know people who know people. I’ll ask around to see what’s being pursued.
Obvious to who? I have Fedora running right now in WSL and Google runs on Linux (even has its own custom Linux distro).
Thanks. I’m particularly interested in Edge.
Haven’t upgraded to F38 yet, how do we verify this will be an issue or not?
I tried rpm -qi [package] on code and brave-browser, but both say they use SHA/256 or SHA/512 for signature.
Code:
Signature : RSA/SHA256, Mon 09 Jan 2023 01:23:39 PM, Key ID eb3e94adbe1229cf
Brave:
Signature : RSA/SHA512, Wed 25 Jan 2023 05:59:17 PM, Key ID a8580bdc82d3dc6c
That’s a good question and I have no answer. So far, only Google Chrome seems to have a weak RPM package signature (DSA/SHA1). This would print packages having SHA1:
for PKG in $(rpm -qa); do rpm -qi $PKG | grep Signature | grep -q SHA1 && echo "Outdated SHA1 signature: $PKG"; done
However, the policy forbids many more things than just SHA1. I don’t know how to check it fully in advance.
Also, all other listed apps (Edge, VSCode, etc) seem to have a strong RPM package signature, but a weak repo key signature. RPM then refuses to import that key:
$ sudo rpm --import 'https://packages.microsoft.com/keys/microsoft.asc'
error: Certificate EB3E94ADBE1229CF:
Policy rejects EB3E94ADBE1229CF: No binding signature at time 2023-02-20T09:08:46Z
error: https://packages.microsoft.com/keys/microsoft.asc: key 1 import failed.
You can see your current repos in /etc/yum.repos.d/*.repo, their repo keys are defined in a gpgkey= field. Again, I’m not sure how to check this against a future (F38) RPM, apart from installing F38 in a virtual machine or a container and just trying.
I’m seeing this while trying to update AnyDesk using the CentOS repo (workaround because the Fedora package doesn’t have the right deps)
$ sudo dnf update -y
[sudo] password for asinha:
Last metadata expiration check: 0:36:01 ago on Mon 20 Mar 2023 13:53:21 IST.
Dependencies resolved.
Problem: package vlc-core-1:3.0.18-4.fc38.x86_64 requires libmpcdec.so.5()(64bit), but none of the providers can be installed
- cannot install both libmpcdec-1.3.0-0.1.20110810svn475.fc38.x86_64 and libmpcdec-1.2.6-31.fc38.x86_64
- cannot install the best update candidate for package vlc-core-1:3.0.18-4.fc38.x86_64
- cannot install the best update candidate for package libmpcdec-1.2.6-31.fc38.x86_64
================================================================================
Package Arch Version Repository Size
================================================================================
Upgrading:
anydesk x86_64 6.2.1-1.el7 anydesk 5.0 M
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
libmpcdec x86_64 1.3.0-0.1.20110810svn475.fc38 updates-testing 42 k
Transaction Summary
================================================================================
Upgrade 1 Package
Skip 1 Package
Total size: 5.0 M
Downloading Packages:
[SKIPPED] anydesk-6.2.1-1.el7.x86_64.rpm: Already downloaded
Running transaction check
error: rpmdbNextIterator: skipping h# 30
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h# 30
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: An rpm exception occurred: package not installed
I’ve set the security policy to LEGACY, and I have the latest crypto policies too, the one that is meant to fix this common issue. Is there anything else I need to do?
rpm -q crypto-policies
crypto-policies-20230301-1.gita12f7b2.fc38.noarch
sudo update-crypto-policies --show
LEGACY
Thanks,
@ankursinha Please provide the output of this:
rpm -q crypto-policies rpm-sequoia
Also, please set the policy to the default:
sudo update-crypto-policies --set DEFAULT
Now, do you still see rpmdbNextIterator: skipping errors in:
rpm -qa > /dev/null
?
Can you update AnyDesk now?
What is the output of this?
rpm -q --nosignature --querybynumber 30
Installing and running AnyDesk in a live session of Fedora 38 beta works for me.
Assuming you have upgraded, make sure your configs are up to date.
If the issue persists, try rebuilding the RPM database.
Here are the outputs:
$ rpm -q crypto-policies rpm-sequoia
crypto-policies-20230301-1.gita12f7b2.fc38.noarch
rpm-sequoia-1.3.0-1.fc38.x86_64
$ sudo update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
$ rpm -qa > /dev/null
error: rpmdbNextIterator: skipping h# 30
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
$ rpm -q --nosignature --querybynumber 30
anydesk-6.1.1-1.x86_64
and here is the attempt to upgrade:
$ sudo dnf list --upgrades
Fedora 38 - x86_64 29 kB/s | 23 kB 00:00
Fedora 38 - x86_64 285 kB/s | 2.8 MB 00:10
Fedora 38 - x86_64 - Updates 11 kB/s | 4.4 kB 00:00
Fedora 38 - x86_64 - Test Updates 12 kB/s | 5.1 kB 00:00
Fedora 38 - x86_64 - Test Updates 112 kB/s | 484 kB 00:04
Available Upgrades
anydesk.x86_64 6.2.1-1.el7 anydesk
libmpcdec.x86_64 1.3.0-0.1.20110810svn475.fc38 updates-testing
$ sudo dnf update -y
Last metadata expiration check: 0:00:40 ago on Tue 21 Mar 2023 12:46:18 IST.
Dependencies resolved.
Problem: package vlc-core-1:3.0.18-4.fc38.x86_64 requires libmpcdec.so.5()(64bit), but none of the providers can be installed
- cannot install both libmpcdec-1.3.0-0.1.20110810svn475.fc38.x86_64 and libmpcdec-1.2.6-31.fc38.x86_64
- cannot install the best update candidate for package vlc-core-1:3.0.18-4.fc38.x86_64
- cannot install the best update candidate for package libmpcdec-1.2.6-31.fc38.x86_64
=============================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================
Upgrading:
anydesk x86_64 6.2.1-1.el7 anydesk 5.0 M
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
libmpcdec x86_64 1.3.0-0.1.20110810svn475.fc38 updates-testing 42 k
Transaction Summary
=============================================================================================================================================================================
Upgrade 1 Package
Skip 1 Package
Total download size: 5.0 M
Downloading Packages:
anydesk-6.2.1-1.el7.x86_64.rpm 1.7 MB/s | 5.0 MB 00:02
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 1.7 MB/s | 5.0 MB 00:02
Running transaction check
error: rpmdbNextIterator: skipping h# 30
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h# 30
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: An rpm exception occurred: package not installed
This is an upgrade from F37, and I’ve already run the post-installation cleanup steps:
$ sudo rpmconf -a
# nothing
Attempting to uninstall anydesk also errors:
$ sudo dnf remove anydesk
Dependencies resolved.
=============================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================
Removing:
anydesk x86_64 6.1.1-1 @anydesk 13 M
Removing unused dependencies:
gtkglext-libs x86_64 1.2.0-44.fc38 @fedora 573 k
minizip-compat x86_64 1.2.13-3.fc38 @fedora 55 k
Transaction Summary
=============================================================================================================================================================================
Remove 3 Packages
Freed space: 14 M
Is this ok [y/N]: y
Running transaction check
error: rpmdbNextIterator: skipping h# 30
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
Error: An rpm exception occurred: package not installed
I haven’t tried rebuilding the rpmdb, but I want to hold off doing that until we’ve diagnosed the issue here—since folks upgrading shouldn’t be expected to rebuild their rpmdbs.
I reopened https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c107 and described your issue there. The problem is with your currently installed package anydesk-6.1.1-1.x86_64, and not 6.2.1 you’re trying to install from the Centos repo. I assume you installed 6.1.1 from the official AnyDesk source. It’s interesting that you managed to install exactly this version, because on my F37, it fails with:
nothing provides libpangox-1.0.so.0()(64bit) needed by anydesk-6.1.1-1.x86_64
But it doesn’t matter, because the el7 and el8 versions also exhibit the same problem, as described in the bug report. The devs will hopefully look at it and let us know.
Thanks very much @kparal .
I think I installed it quite a while ago, and I’ve just been upgrading since so that package hasn’t changed. The Fedora repo Anydesk provides also has a broken anydesk package, which is why folks suggested we use the el7/el8 package/repo instead.
The pango dep required us to dig up an ancient compat package:
$ sudo dnf whatprovides 'libpangox-1.0.so.0()(64bit)'
Last metadata expiration check: 2:44:11 ago on Tue 21 Mar 2023 12:47:26 IST.
pangox-compat-0.0.2-15.fc31.x86_64 : Compatibility library for pangox
Repo : @System
Matched from:
Provide : libpangox-1.0.so.0()(64bit)
Looks like it’s still available on koji here:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1332559