Talk: Popular third-party RPMs fail to install/update/remove due to security policies verification

This is a discussion topic for the following Common Issue:

You can discuss the problem and its solutions here, but please note that debugging and technical feedback should primarily go to the issue trackers (e.g. Bugzilla) linked in the Common Issue, because that’s the place that developers watch, not here.

If there are any updates/changes/amendments for the Common Issue description, which you believe should be performed, please post it here.

1 Like

I was pointed to this post from someone on the test mailing list.

To make a long story short, how do I go about getting Microsoft (Edge) and Google (Chrome) to update?

This could take months.

Do does the workaround presented in the text above not work for you? Can you provide some details?

The above mentioned workaround does not work for me. With SHA1 allowed with the above mentioned command, the google-chrome-stable package will not update with the following output:

Problem opening package google-chrome-stable-110.0.5481.100-1.x86_64.rpm
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

With @lruzicka, we’ve found that in some cases, switching the system crypto policy to DEFAULT:SHA1 is not sufficient, and LEGACY needs to be used instead. I’ve updated the workaround to include it as the last-option hammer and also made the system security warning stronger.

I wrote that before I tried the workaround. That wasn’t my specific issue mentioned in the post.

If you have a different issue, please post that in #english — thanks!

I guess I wasn’t clear. How do I get the folks at Microsoft and Google to update their cryptography so that it won’t cause problems when installing their software in Fedora?

This could take months.

Hmmmm
Since it has been obvious for many years that both those organizations dislike the existence of linux and its freedom, I am not sure how they could be encouraged to do so more rapidly. After all, the biggest gorilla in the room likes dictating events.

We have workarounds as already noted, but I am aware of no certain way to try and influence their policies. I am sure that in time they will update things as older security methods are deprecated.

We probably know people who know people. I’ll ask around to see what’s being pursued.

2 Likes

Obvious to who? I have Fedora running right now in WSL and Google runs on Linux (even has its own custom Linux distro).

Thanks. I’m particularly interested in Edge.

Haven’t upgraded to F38 yet, how do we verify this will be an issue or not?

I tried rpm -qi [package] on code and brave-browser, but both say they use SHA/256 or SHA/512 for signature.

Code:

Signature   : RSA/SHA256, Mon 09 Jan 2023 01:23:39 PM, Key ID eb3e94adbe1229cf

Brave:

Signature   : RSA/SHA512, Wed 25 Jan 2023 05:59:17 PM, Key ID a8580bdc82d3dc6c

That’s a good question and I have no answer. So far, only Google Chrome seems to have a weak RPM package signature (DSA/SHA1). This would print packages having SHA1:

for PKG in $(rpm -qa); do rpm -qi $PKG | grep Signature | grep -q SHA1 && echo "Outdated SHA1 signature: $PKG"; done

However, the policy forbids many more things than just SHA1. I don’t know how to check it fully in advance.

Also, all other listed apps (Edge, VSCode, etc) seem to have a strong RPM package signature, but a weak repo key signature. RPM then refuses to import that key:

$ sudo rpm --import 'https://packages.microsoft.com/keys/microsoft.asc'
error: Certificate EB3E94ADBE1229CF:
  Policy rejects EB3E94ADBE1229CF: No binding signature at time 2023-02-20T09:08:46Z
error: https://packages.microsoft.com/keys/microsoft.asc: key 1 import failed.

You can see your current repos in /etc/yum.repos.d/*.repo, their repo keys are defined in a gpgkey= field. Again, I’m not sure how to check this against a future (F38) RPM, apart from installing F38 in a virtual machine or a container and just trying.

2 Likes

I’m seeing this while trying to update AnyDesk using the CentOS repo (workaround because the Fedora package doesn’t have the right deps)

$ sudo dnf update -y
[sudo] password for asinha: 
Last metadata expiration check: 0:36:01 ago on Mon 20 Mar 2023 13:53:21 IST.
Dependencies resolved.

 Problem: package vlc-core-1:3.0.18-4.fc38.x86_64 requires libmpcdec.so.5()(64bit), but none of the providers can be installed
  - cannot install both libmpcdec-1.3.0-0.1.20110810svn475.fc38.x86_64 and libmpcdec-1.2.6-31.fc38.x86_64
  - cannot install the best update candidate for package vlc-core-1:3.0.18-4.fc38.x86_64
  - cannot install the best update candidate for package libmpcdec-1.2.6-31.fc38.x86_64
================================================================================
 Package     Arch     Version                           Repository         Size
================================================================================
Upgrading:
 anydesk     x86_64   6.2.1-1.el7                       anydesk           5.0 M
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 libmpcdec   x86_64   1.3.0-0.1.20110810svn475.fc38     updates-testing    42 k

Transaction Summary
================================================================================
Upgrade  1 Package
Skip     1 Package

Total size: 5.0 M
Downloading Packages:
[SKIPPED] anydesk-6.2.1-1.el7.x86_64.rpm: Already downloaded                   
Running transaction check
error: rpmdbNextIterator: skipping h#      30 
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#      30 
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: An rpm exception occurred: package not installed

I’ve set the security policy to LEGACY, and I have the latest crypto policies too, the one that is meant to fix this common issue. Is there anything else I need to do?

 rpm -q crypto-policies
crypto-policies-20230301-1.gita12f7b2.fc38.noarch
 sudo update-crypto-policies --show
LEGACY

Thanks,

@ankursinha Please provide the output of this:

rpm -q crypto-policies rpm-sequoia

Also, please set the policy to the default:

sudo update-crypto-policies --set DEFAULT

Now, do you still see rpmdbNextIterator: skipping errors in:

rpm -qa > /dev/null

?

Can you update AnyDesk now?

What is the output of this?

rpm -q --nosignature --querybynumber 30

Installing and running AnyDesk in a live session of Fedora 38 beta works for me.
Assuming you have upgraded, make sure your configs are up to date.
If the issue persists, try rebuilding the RPM database.

Here are the outputs:

$ rpm -q crypto-policies rpm-sequoia
crypto-policies-20230301-1.gita12f7b2.fc38.noarch
rpm-sequoia-1.3.0-1.fc38.x86_64

$ sudo update-crypto-policies --set DEFAULT 
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

$ rpm -qa > /dev/null
error: rpmdbNextIterator: skipping h#      30 
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK

$ rpm -q --nosignature --querybynumber 30
anydesk-6.1.1-1.x86_64

and here is the attempt to upgrade:

$ sudo dnf list --upgrades
Fedora 38 - x86_64                                                                                                                            29 kB/s |  23 kB     00:00
Fedora 38 - x86_64                                                                                                                           285 kB/s | 2.8 MB     00:10
Fedora 38 - x86_64 - Updates                                                                                                                  11 kB/s | 4.4 kB     00:00
Fedora 38 - x86_64 - Test Updates                                                                                                             12 kB/s | 5.1 kB     00:00
Fedora 38 - x86_64 - Test Updates                                                                                                            112 kB/s | 484 kB     00:04
Available Upgrades
anydesk.x86_64                                                          6.2.1-1.el7                                                                           anydesk
libmpcdec.x86_64                                                        1.3.0-0.1.20110810svn475.fc38                                                         updates-testing


$ sudo dnf update -y
Last metadata expiration check: 0:00:40 ago on Tue 21 Mar 2023 12:46:18 IST.
Dependencies resolved.

 Problem: package vlc-core-1:3.0.18-4.fc38.x86_64 requires libmpcdec.so.5()(64bit), but none of the providers can be installed
  - cannot install both libmpcdec-1.3.0-0.1.20110810svn475.fc38.x86_64 and libmpcdec-1.2.6-31.fc38.x86_64
  - cannot install the best update candidate for package vlc-core-1:3.0.18-4.fc38.x86_64
  - cannot install the best update candidate for package libmpcdec-1.2.6-31.fc38.x86_64
=============================================================================================================================================================================
 Package                            Architecture                    Version                                                   Repository                                Size
=============================================================================================================================================================================
Upgrading:
 anydesk                            x86_64                          6.2.1-1.el7                                               anydesk                                  5.0 M
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 libmpcdec                          x86_64                          1.3.0-0.1.20110810svn475.fc38                             updates-testing                           42 k

Transaction Summary
=============================================================================================================================================================================
Upgrade  1 Package
Skip     1 Package

Total download size: 5.0 M
Downloading Packages:
anydesk-6.2.1-1.el7.x86_64.rpm                                                                                                               1.7 MB/s | 5.0 MB     00:02
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                        1.7 MB/s | 5.0 MB     00:02
Running transaction check
error: rpmdbNextIterator: skipping h#      30
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#      30
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: An rpm exception occurred: package not installed

This is an upgrade from F37, and I’ve already run the post-installation cleanup steps:

$ sudo rpmconf -a
# nothing

Attempting to uninstall anydesk also errors:

$ sudo dnf remove anydesk
Dependencies resolved.
=============================================================================================================================================================================
 Package                                      Architecture                         Version                                      Repository                              Size
=============================================================================================================================================================================
Removing:
 anydesk                                      x86_64                               6.1.1-1                                      @anydesk                                13 M
Removing unused dependencies:
 gtkglext-libs                                x86_64                               1.2.0-44.fc38                                @fedora                                573 k
 minizip-compat                               x86_64                               1.2.13-3.fc38                                @fedora                                 55 k

Transaction Summary
=============================================================================================================================================================================
Remove  3 Packages

Freed space: 14 M
Is this ok [y/N]: y
Running transaction check
error: rpmdbNextIterator: skipping h#      30 
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
Error: An rpm exception occurred: package not installed

I haven’t tried rebuilding the rpmdb, but I want to hold off doing that until we’ve diagnosed the issue here—since folks upgrading shouldn’t be expected to rebuild their rpmdbs.

I reopened https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c107 and described your issue there. The problem is with your currently installed package anydesk-6.1.1-1.x86_64, and not 6.2.1 you’re trying to install from the Centos repo. I assume you installed 6.1.1 from the official AnyDesk source. It’s interesting that you managed to install exactly this version, because on my F37, it fails with:

nothing provides libpangox-1.0.so.0()(64bit) needed by anydesk-6.1.1-1.x86_64

But it doesn’t matter, because the el7 and el8 versions also exhibit the same problem, as described in the bug report. The devs will hopefully look at it and let us know.

2 Likes

Thanks very much @kparal .

I think I installed it quite a while ago, and I’ve just been upgrading since so that package hasn’t changed. The Fedora repo Anydesk provides also has a broken anydesk package, which is why folks suggested we use the el7/el8 package/repo instead.

The pango dep required us to dig up an ancient compat package:

$ sudo dnf whatprovides 'libpangox-1.0.so.0()(64bit)'
Last metadata expiration check: 2:44:11 ago on Tue 21 Mar 2023 12:47:26 IST.
pangox-compat-0.0.2-15.fc31.x86_64 : Compatibility library for pangox
Repo        : @System
Matched from:
Provide    : libpangox-1.0.so.0()(64bit)

Looks like it’s still available on koji here:

https://koji.fedoraproject.org/koji/buildinfo?buildID=1332559

1 Like