Unable to install package from signed repository in rawhide image

Ask Fedora
1

Hi All,

I am from the Artifactory Team, and we usually validate Fedora images to ensure compliance with the latest changes. Recently, I observed an issue during our validation.

Test Case

The test case involves enabling the repo_gpgcheck flag and installing a package from Artifactory. The steps are as follows:

  1. yum update -y && yum install -y curl info && dnf install -y --skip-broken dnf-utils libxcrypt-compat gzip
  2. yum update -y dnf-data && rm -rf /etc/yum.repos.d/ fedora*
  3. Create a local repo & upload the package
  4. Assign the GPG key to the Artifactory local repo
  5. Create the directory: mkdir -p /etc/yum.repos.d
  6. Configure the Artifactory local repo using vi /etc/yum.repos.d/artifactory.repo
  7. Install the package: yum install -y vche

Contents of artifactory.repo File

[Artifactory]
name=Artifactory
baseurl=https://admin:<access token>@jfrtpit7x325595.jfrogdev.org/artifactory/local-yum-6887-1
enabled=1
gpgcheck=0
gpgkey=https://admin:<access token>@jfrtpit7x325595.jfrogdev.org/artifactory/local-yum-6887-1/repodata/repomd.xml.key
repo_gpgcheck=1

In fedora:latest Image i.e. fedora 42, It is throwing a warning but working fine

[root@55ed4332a011 /]# yum install -y vche
Updating and loading repositories:
Artifactory 100% | 3.4 KiB/s | 1.8 KiB | 00m01s
>>> Librepo error: repomd.xml GPG signature verification error: Signing key not found
https://admin:<access token>@jfrtpit7x325595.jfrogdev.org/artifactory/local-yum-6887-1/repodata/repomd.xml.key 100% | 9.5 KiB/s | 3.1 KiB | 00m00s
Importing OpenPGP key 0x6DAB06A8:
UserID : "<User ID> "
Fingerprint: 70686988C60593A83B5FF099C410CAAE6DAB06A8
From : https://admin:<access token>@jfrtpit7x325595.jfrogdev.org/artifactory/local-yum-6887-1/repodata/repomd.xml.key
The key was successfully imported.
Artifactory 100% | 2.9 KiB/s | 2.7 KiB | 00m01s
Repositories loaded.
Package Arch Version Repository Size
Installing:
vche x86_64 1.7.2-1.el5.rf Artifactory 159.7 KiB
Transaction Summary:
Installing: 1 package
Total size of inbound packages is 63 KiB. Need to download 63 KiB.
After this operation, 160 KiB extra will be used (install 160 KiB, remove 0 B).
[1/1] vche-0:1.7.2-1.el5.rf.x86_64 100% | 154.7 KiB/s | 63.4 KiB | 00m00s
[1/1] Total 100% | 153.6 KiB/s | 63.4 KiB | 00m00s
Running transaction
[1/3] Verify package files 100% | 0.0 B/s | 1.0 B | 00m00s
[2/3] Prepare transaction 100% | 76.0 B/s | 1.0 B | 00m00s
[3/3] Installing vche-0:1.7.2-1.el5.rf.x86_64 100% | 3.2 MiB/s | 162.0 KiB | 00m00s
Warning: skipped OpenPGP checks for 1 package from repository: Artifactory
Complete!

but in rawhide image from “registry.fedoraproject.org/fedora:rawhide” , It is failing with this error

bash-5.2# yum install -y vche
Updating and loading repositories:
 Artifactory-Local                                                                                                                                                                                                                      100% |   3.7 KiB/s |   1.8 KiB |  00m00s
>>> repomd.xml GPG signature verification error: Signing key not found
Repositories loaded.
Failed to resolve the transaction:
No match for argument: vche
You can try to add to command line:
  --skip-unavailable to skip unavailable packages

Please note that I used the same artifactory.repo configuration in Rawhide, and it is not working. This scenario passed in the Rawhide image yesterday morning (25th June), but we observed this issue in today’s nightly run.

Please let me know how to resolve this issue

2

Could someone please respond to the above query? Thanks in advance!

4

Could you include the output from the actual failing case?

I suspect it’s probibly because rawhide has a rpm 6.0 prerelease and something changed?

( RPM 6.0.0 BETA1 )

But hard to say without seeing more errors.

5

@kevin Thanks for pointing out. I have modified the post along with the failed logs. Please let me know if you need more info

6

This issue is still happening, in fedora:latest image, I have observed dnf version is 5.2.13.1and RPM version is 4.20.1

RPM version 4.20.1
[root@3850736c8528 /]# dnf --version
dnf5 version 5.2.13.1
dnf5 plugin API version 2.0
libdnf5 version 5.2.13.1
libdnf5 plugin API version 2.2

Loaded dnf5 plugins:
  name: builddep
  version: 1.0.0
  API version: 2.0

  name: changelog
  version: 1.0.0
  API version: 2.0

  name: config-manager
  version: 0.1.0
  API version: 2.0

  name: copr
  version: 0.1.0
  API version: 2.0

  name: needs_restarting
  version: 1.0.0
  API version: 2.0

  name: repoclosure
  version: 1.0.0
  API version: 2.0

  name: reposync
  version: 1.0.0
  API version: 2.0

but, in rawhide image dnf5 version is 5.2.14.0 and RPM version is 5.99.91

(base) krishnastk-mac@krishnastk-mac-mac ~ % docker run --platform=linux/amd64 -it registry.fedoraproject.org/fedora:rawhide /bin/bash
Unable to find image 'registry.fedoraproject.org/fedora:rawhide' locally
rawhide: Pulling from fedora
aa35bdb6eb0e: Download complete
Digest: sha256:9ba8f7825cf1992a20b4b2b1a19317f9f8081e23ac9351ab211e193d8ca49ee0
Status: Downloaded newer image for registry.fedoraproject.org/fedora:rawhide
bash-5.2# dnf --version
dnf5 version 5.2.14.0
dnf5 plugin API version 2.0
libdnf5 version 5.2.14.0
libdnf5 plugin API version 2.2

Loaded dnf5 plugins:
  name: builddep
  version: 1.0.0
  API version: 2.0

  name: changelog
  version: 1.0.0
  API version: 2.0

  name: config-manager
  version: 0.1.0
  API version: 2.0

  name: copr
  version: 0.1.0
  API version: 2.0

  name: needs_restarting
  version: 1.0.0
  API version: 2.0

  name: repoclosure
  version: 1.0.0
  API version: 2.0

  name: reposync
  version: 1.0.0
  API version: 2.0
bash-5.2# rpm --version
RPM version 5.99.91

if this is happening due to RPM 6.0.0 BETA1 , can someone please help me understand what steps I can take to fix this