Third-party RPMs with an invalid signing key might cause errors during package operations

Problem

If you upgrade an older system to Fedora 38, it might not be possible to list, update, or remove certain third-party RPMs that have an invalid signature key. Usually the output contains "error: rpmdbNextIterator: skipping" or "package not installed" errors.

Here’s an example of the output when trying to update such an RPM using dnf:

error: rpmdbNextIterator: skipping h#      30 
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: An rpm exception occurred: package not installed

It is known to affect the AnyDesk 6.1 (or older) package, but it can likely affect more third-party packages.

This only affects upgraded systems that had affected RPMs installed before the upgrade. Clean Fedora 38 installs won’t allow installation of these RPMs in the first place.

Cause

RPM now performs more rigorous checks of RPM signature validity. Certain RPMs could be installed on Fedora 37 or older even when they weren’t signed correctly. That problem is fixed in Fedora 38, but it also means that if you upgrade your system to Fedora 38 with such RPMs installed, the system will refuse to work with them and they need to be removed manually. The error messages are unfortunately not clear, which is why this issue is documented here.

Related Issues

Bugzilla report: https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c107 (comment 107 onwards)

Please note: There was a problem with very similar symptoms, but a different cause, documented in "Popular third-party RPMs fail to install/update/remove due to security policies verification". That problem is now resolved and is related to this one only by the same error messages produced.

Workarounds

First, please make sure you have the latest system updates installed, especially the update that fixes this problem. (If you can’t update your system because of those errors, read on.)

If you see an error like the one in the problem description, scan all your packages like this:

rpm -qa >/dev/null

If it finishes without any output, all your packages are OK. If you see lines like these:

error: rpmdbNextIterator: skipping h# 30

then some of your packages are affected. Go through all such errors, note down the number at the end, and then run a command like this for each number (in this case 30), to learn which package it represents:

$ rpm -q --nosignature --querybynumber 30
anydesk-6.1.1-1.x86_64

And then remove it like this (replace the package name):

sudo rpm -e --nosignature anydesk-6.1.1-1.x86_64

You can then look for updated packages at your vendor’s website, or contact the vendor and ask them to fix their RPM signatures.
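
The scan and lookup steps above, combined into one script. This is an added example, not part of the original page; the function names are assumptions, and the sample input (including header number 412) is constructed. It only reports the affected packages and prints the removal command for each, leaving the removal itself to the administrator.

```shell
#!/bin/sh
# Added example (not from the original page): list installed packages whose
# headers rpm skips because of a BAD signature, following the steps above.

# Read rpm's stderr on stdin and print each unique header number from lines
# such as "error: rpmdbNextIterator: skipping h#      30".
skipped_headers() {
    sed -n 's/^error: rpmdbNextIterator: skipping h#[[:space:]]*\([0-9][0-9]*\).*$/\1/p' | sort -n -u
}

# Resolve header numbers (one per line on stdin) to package names.
# --nosignature is needed here because the signature check is what fails.
resolve_headers() {
    while read -r num; do
        name=$(rpm -q --nosignature --querybynumber "$num") || continue
        echo "$num $name"
    done
}

# Scan the whole rpmdb; stdout (the package list) is discarded, stderr is kept.
scan_rpmdb() {
    rpm -qa 2>&1 >/dev/null | skipped_headers
}

# Constructed sample of rpm stderr, used when rpm is not installed.
sample_stderr() {
    cat <<'EOF'
error: rpmdbNextIterator: skipping h#      30
Header V4 RSA/SHA512 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h# 30
error: rpmdbNextIterator: skipping h# 412
EOF
}

if command -v rpm >/dev/null 2>&1; then
    scan_rpmdb | resolve_headers | while read -r num name; do
        echo "header $num: $name"
        echo "  to remove: sudo rpm -e --nosignature $name"
    done
else
    echo "rpm not found; header numbers parsed from the constructed sample:"
    sample_stderr | skipped_headers
fi
```

No output on a system with rpm installed means no headers were skipped, which matches the "all your packages are OK" case above.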

