As discovered in https://github.com/rpm-software-management/librepo/issues/284#issuecomment-1744801313, it seems that 3 keys from https://fedoraproject.org/fedora.gpg are rejected by the rpm-sequoia policy in rawhide. The following keys are rejected:
An error occurred importing key "https://fedoraproject.org/fedora.gpg": Failed to import public key "https://fedoraproject.org/fedora.gpg" to rpmdb: Certificate 6A2FAEA2352C64E5: Policy rejects 6A2FAEA2352C64E5: No binding signature at time 2023-10-03T11:38:27Z
An error occurred importing key "https://fedoraproject.org/fedora.gpg": Failed to import public key "https://fedoraproject.org/fedora.gpg" to rpmdb: Certificate 21EA45AB2F86D6A1: Policy rejects 21EA45AB2F86D6A1: No binding signature at time 2023-10-03T11:38:27Z
An error occurred importing key "https://fedoraproject.org/fedora.gpg": Failed to import public key "https://fedoraproject.org/fedora.gpg" to rpmdb: Certificate 7BB90722DBBDCF7C: Policy rejects 7BB90722DBBDCF7C: No binding signature at time 2023-10-03T11:38:27Z

$ gpg --list-keys 6A2FAEA2352C64E5
pub   rsa4096 2013-12-16 [SCE]
      91E97D7C4A5E96F17F3E888F6A2FAEA2352C64E5
uid           [ neznámá ] Fedora EPEL (7) <epel@fedoraproject.org>
petr@dhcp-0-146:~ $ gpg --list-keys 21EA45AB2F86D6A1
pub   rsa4096 2019-06-05 [SCE]
      94E279EB8D8F25B21810ADF121EA45AB2F86D6A1
uid           [ neznámá ] Fedora EPEL (8) <epel@fedoraproject.org>
petr@dhcp-0-146:~ $ gpg --list-keys 7BB90722DBBDCF7C
pub   rsa4096 2018-11-13 [SCE] [platnost skončí: 2028-12-31]
      C2A3FA9DC67F68B98BB543F47BB90722DBBDCF7C
uid           [ neznámá ] Fedora (iot 2019) <fedora-iot-2019@fedoraproject.org>
These keys should probably be removed from the keyring?
Ideally before the F39 release.
When is this no longer needed or useful? (YYYY/MM/DD)
If we cannot complete your request, what is the impact?
Using the keyring from https://fedoraproject.org/fedora.gpg will start failing on newer Fedora releases as some keys from it will be rejected by rpm-sequoia.
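Added example (not part of this ticket or of Fedora's tooling): a small check that pulls the rpm-sequoia rejections out of a dnf/rpm log and maps each rejected long key ID back to the user ID in a `gpg --with-colons --list-keys` dump of the keyring, so a keyring maintainer can see which entries a given rpm policy will refuse before publishing. The log lines and the colon listing below are constructed from the three keys reported above (timestamps and hash fields simplified).

```python
import re

# rpm-sequoia rejection as surfaced by dnf/librepo; the 16 hex digits are the
# long key ID, i.e. the low 64 bits of the OpenPGP v4 fingerprint.
REJECT_RE = re.compile(r"Certificate (?P<kid>[0-9A-F]{16}): Policy rejects (?P=kid): "
                       r"(?P<reason>.+?)(?: at time (?P<when>\S+))?$")

def rejected_keys(log_text):
    """Return {key_id: (reason, time)} for every policy rejection in the log."""
    out = {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            out[m["kid"]] = (m["reason"], m["when"] or "")
    return out

def keyring_index(colons):
    """Parse `gpg --with-colons --list-keys` output into {key_id: first user ID}."""
    idx, cur = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = f[4]                      # field 5: long key ID
            idx[cur] = ""
        elif f[0] == "uid" and cur and not idx[cur]:
            idx[cur] = f[9]                 # field 10: user ID string
    return idx

def keys_to_remove(log_text, colons):
    """Keyring entries that rpm-sequoia rejected, with UID and policy reason."""
    idx = keyring_index(colons)
    return sorted((kid, idx[kid], reason)
                  for kid, (reason, _) in rejected_keys(log_text).items() if kid in idx)

# Constructed sample input: the three rejection lines from the ticket, plus a
# with-colons listing for the same keys (creation/expiry epochs, hash fields simplified).
SAMPLE_LOG = "\n".join(
    f"Failed to import public key to rpmdb: Certificate {k}: Policy rejects {k}: "
    "No binding signature at time 2023-10-03T11:38:27Z"
    for k in ("6A2FAEA2352C64E5", "21EA45AB2F86D6A1", "7BB90722DBBDCF7C"))
SAMPLE_LISTING = """\
pub:-:4096:1:6A2FAEA2352C64E5:1387152000:::-:::scESC::::::23::0:
uid:-::::1387152000::0::Fedora EPEL (7) <epel@fedoraproject.org>::::::::::0:
pub:-:4096:1:21EA45AB2F86D6A1:1559692800:::-:::scESC::::::23::0:
uid:-::::1559692800::0::Fedora EPEL (8) <epel@fedoraproject.org>::::::::::0:
pub:-:4096:1:7BB90722DBBDCF7C:1542067200:1861833600::-:::scESC::::::23::0:
uid:-::::1542067200::0::Fedora (iot 2019) <fedora-iot-2019@fedoraproject.org>::::::::::0:
"""

if __name__ == "__main__":
    for kid, uid, reason in keys_to_remove(SAMPLE_LOG, SAMPLE_LISTING):
        print(f"{kid}  {uid}  [{reason}]")
```

Feed it the real `dnf`/`rpmkeys --import` stderr and `gpg --with-colons --list-keys --keyring fedora.gpg` output to get the same report for a live keyring.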
Metadata Update from @phsmoura: - Issue tagged with: low-gain, low-trouble, ops
I'm unclear on the purpose of 'fedora.gpg' here.
@darknao is this used on the websites? or historical or ?
I guess we could move the epel keys to an epel.gpg? and remove the old iot one?
But I am not sure what uses this or what it's for. Fedora installs get keys from the fedora-repos rpm.
It's historical. We provide this keyring as a convenience to verify the artifacts downloaded from the website. It's used in the verify instructions here https://fedoraproject.org/security/ (and on all edition download pages). I know there are a few tools out there that use that keyring but I don't know which ones exactly.
The keyring is generated at build time with the keys from https://src.fedoraproject.org/rpms/epel-release and https://src.fedoraproject.org/rpms/fedora-repos. Only the current keys listed on the security page are included.
This is consumed by a number of third party systems to get GPG keys to verify Fedora content. I know @daandemeyer is using it with mkosi image creation, for example.
So, you only care about rawhide right? could we just have a separate rawhide.gpg?
or a fedora.gpg epel.gpg and iot.gpg ?
The IoT key could be dropped or put into an archive as we have long used the standard Fedora key because the issue that required it in the first place has long been fixed in ostree
I removed the IoT key and the EPEL ones from the fedora.gpg keychain. I didn't create an epel.gpg as we don't have any use for it on the website, but I can if there is a demand for it.
Thanks! That solves the issue
Thanks!
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)