Unable to upgrade to Silverblue 40

When I try to rebase to Fedora 40, I get the following error:

$ rpm-ostree rebase  fedora:fedora/40/x86_64/silverblue
error: While pulling fedora/40/x86_64/silverblue: Commit c204c6971c4298e4a5c8452208691617b25c69b9f606c7b8775f89a319b44e64: Signature made Fri 10 May 2024 08:43:42 PM EDT using RSA key ID 0727707EA15B79CC
Can't check signature: public key not found

But I do have the key!

$ gpg --with-fingerprint --show-keys --keyid-format long /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-40-primary
pub   rsa4096/0727707EA15B79CC 2023-01-24 [SCE]
      Key fingerprint = 115D F9AE F857 853E E844  5D0A 0727 707E A15B 79CC
uid                            Fedora (40) <fedora-40-primary@fedoraproject.org>

Any ideas? Upgrading from the GUI doesn’t work, either.

1 Like

We would need the output of rpm-ostree status as a starting point and maybe some more logs from rpm-ostreed.

State: idle
Deployments:
â—Ź fedora:fedora/39/x86_64/silverblue
                  Version: 39.20240512.0 (2024-05-12T00:58:25Z)
               BaseCommit: e1c712b41fe72578107d5a94ab8b19be8cfa36b8fd6bb1e6bd16336542f05713
             GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C
      RemovedBasePackages: libpostproc-free libswscale-free libavformat-free libavcodec-free libswresample-free libavfilter-free libavutil-free 6.1.1-3.fc39
          LayeredPackages: ffmpeg gnome-shell-extension-appindicator gnome-shell-extension-system-monitor-applet gstreamer1-plugins-bad-free-extras gstreamer1-plugins-bad-freeworld gstreamer1-plugins-ugly
                           gstreamer1-vaapi intel-media-driver virt-manager
            LocalPackages: rpmfusion-free-release-39-1.noarch rpmfusion-nonfree-release-39-1.noarch

  fedora:fedora/39/x86_64/silverblue
                  Version: 39.20240511.0 (2024-05-11T01:00:00Z)
               BaseCommit: a2960d603554c8858d018c018daffb3a45667d2d48c579729920b5ddb85e0d30
             GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C
      RemovedBasePackages: libpostproc-free libswscale-free libavformat-free libavcodec-free libswresample-free libavfilter-free libavutil-free 6.1.1-3.fc39
          LayeredPackages: ffmpeg gnome-shell-extension-appindicator gnome-shell-extension-system-monitor-applet gstreamer1-plugins-bad-free-extras gstreamer1-plugins-bad-freeworld gstreamer1-plugins-ugly
                           gstreamer1-vaapi intel-media-driver virt-manager
            LocalPackages: rpmfusion-free-release-39-1.noarch rpmfusion-nonfree-release-39-1.noarch
May 13 10:16:13 fedora rpm-ostree[3361]: Handling GetPackages for caller :1.109
May 13 10:16:13 fedora rpm-ostree[3361]: Enabled rpm-md repositories: fedora-cisco-openh264 updates fedora rpmfusion-free-updates rpmfusion-free rpmfusion-nonfree-updates rpmfusion-nonfree copr:copr.fedorainfrac>
May 13 10:16:16 fedora rpm-ostree[3361]: Importing rpm-md...done
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2023-12-12T17:22:46Z solvables: 4
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'updates' (cached); generated: 2024-05-13T01:57:45Z solvables: 27302
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'fedora' (cached); generated: 2023-11-01T00:12:39Z solvables: 70825
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'rpmfusion-free-updates' (cached); generated: 2024-05-08T11:56:17Z solvables: 179
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'rpmfusion-free' (cached); generated: 2023-11-04T16:49:08Z solvables: 445
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'rpmfusion-nonfree-updates' (cached); generated: 2024-05-08T12:16:26Z solvables: 86
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'rpmfusion-nonfree' (cached); generated: 2023-11-04T17:26:32Z solvables: 208
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'copr:copr.fedorainfracloud.org:phracek:PyCharm' (cached); generated: 2024-03-18T11:54:48Z solvables: 14
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'rpmfusion-nonfree-steam' (cached); generated: 2024-04-20T13:10:44Z solvables: 2
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'rpmfusion-nonfree-nvidia-driver' (cached); generated: 2024-05-02T14:37:09Z solvables: 29
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'google-chrome' (cached); generated: 2024-05-09T21:06:21Z solvables: 3
May 13 10:16:16 fedora rpm-ostree[3361]: rpm-md repo 'updates-archive' (cached); generated: 2024-05-13T02:44:37Z solvables: 47997
May 13 10:16:18 fedora rpm-ostree[3361]: Allowing active client :1.135 (uid 1000)
May 13 10:16:18 fedora rpm-ostree[3361]: client(id:cli dbus:1.135 unit:flatpak-session-helper.service uid:1000) added; new total=2
May 13 10:16:18 fedora rpm-ostree[3361]: Loaded sysroot
May 13 10:16:18 fedora rpm-ostree[3361]: Locked sysroot
May 13 10:16:18 fedora rpm-ostree[3361]: Initiated txn Rebase for client(id:cli dbus:1.135 unit:flatpak-session-helper.service uid:1000): /org/projectatomic/rpmostree1/fedora
May 13 10:16:18 fedora rpm-ostree[3361]: Process [pid: 3906 uid: 1000 unit: user@1000.service] connected to transaction progress
May 13 10:16:20 fedora rpm-ostree[3361]: Txn Rebase on /org/projectatomic/rpmostree1/fedora failed: While pulling fedora/40/x86_64/silverblue: Commit 592cb81621e139b10251c09e45ccac33468132f7ab0c2bd695923c3cef816>
                                         Can't check signature: public key not found
May 13 10:16:20 fedora rpm-ostree[3361]: Unlocked sysroot
May 13 10:16:20 fedora rpm-ostree[3361]: Process [pid: 3906 uid: 1000 unit: user@1000.service] disconnected from transaction progress
May 13 10:16:20 fedora rpm-ostree[3361]: client(id:cli dbus:1.135 unit:flatpak-session-helper.service uid:1000) vanished; remaining=1

You should start with the RPM Fusion dance: Simplifying updates for RPM Fusion packages (and other packages shipping their own RPM repos)

This is now my status, but I still get “public key not found” when I rebase.

State: idle
Deployments:
â—Ź fedora:fedora/39/x86_64/silverblue
                  Version: 39.20240512.0 (2024-05-12T00:58:25Z)
               BaseCommit: e1c712b41fe72578107d5a94ab8b19be8cfa36b8fd6bb1e6bd16336542f05713
             GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C
      RemovedBasePackages: libpostproc-free libswscale-free libavformat-free libavcodec-free libswresample-free libavfilter-free libavutil-free 6.1.1-3.fc39
          LayeredPackages: ffmpeg gnome-shell-extension-appindicator gnome-shell-extension-system-monitor-applet gstreamer1-plugins-bad-free-extras gstreamer1-plugins-bad-freeworld gstreamer1-plugins-ugly
                           gstreamer1-vaapi intel-media-driver rpmfusion-free-release rpmfusion-nonfree-release virt-manager

  fedora:fedora/39/x86_64/silverblue
                  Version: 39.20240512.0 (2024-05-12T00:58:25Z)
               BaseCommit: e1c712b41fe72578107d5a94ab8b19be8cfa36b8fd6bb1e6bd16336542f05713
             GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C
      RemovedBasePackages: libpostproc-free libswscale-free libavformat-free libavcodec-free libswresample-free libavfilter-free libavutil-free 6.1.1-3.fc39
          LayeredPackages: ffmpeg gnome-shell-extension-appindicator gnome-shell-extension-system-monitor-applet gstreamer1-plugins-bad-free-extras gstreamer1-plugins-bad-freeworld gstreamer1-plugins-ugly
                           gstreamer1-vaapi intel-media-driver virt-manager
            LocalPackages: rpmfusion-free-release-39-1.noarch rpmfusion-nonfree-release-39-1.noarch

That error also didnt look like an rpmfusion issue, but a missing pubkey of Fedora?

OK, can you make sure that you have the right keys in /etc:

$ diff -r /etc/pki/rpm-gpg /usr/etc/pki/rpm-gpg
1 Like
$ diff -r /etc/pki/rpm-gpg/ /usr/etc/pki/rpm-gpg/

$ echo $?
0

I also ran strace -f on the rebase command, and while I saw it access that directory, I didn’t see it attempt to open any key files.

Can you verify:

$ cat /etc/ostree/remotes.d/fedora.conf
[remote "fedora"]
url=https://ostree.fedoraproject.org
gpg-verify=true
gpgkeypath=/etc/pki/rpm-gpg/
contenturl=mirrorlist=https://ostree.fedoraproject.org/mirrorlist

That’s it! Thank you! Mine had gpgkeypath set to /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-39-x86_64. I don’t know how that happened.

2 Likes

Hm, when did you install it? Did you every manually change it?

Also the diff is 0, which means the upstream image has to have an issue, doesnt it?