
ondemand-release-web-3.0-1.noarch.rpm not signed.

Open bviviano opened this issue 2 years ago • 5 comments

It appears that the ondemand-release-web-3.0-1.noarch.rpm is not signed, at least when installing under RHEL8:

# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.8 (Ootpa)

# yum install https://yum.osc.edu/ondemand/3.0/ondemand-release-web-3.0-1.noarch.rpm
Updating Subscription Management repositories.
Last metadata expiration check: 0:07:41 ago on Thu 15 Jun 2023 12:30:14 PM EDT.
ondemand-release-web-3.0-1.noarch.rpm                                       3.8 kB/s |  13 kB     00:03    
Dependencies resolved.
============================================================================================================
 Package                           Architecture        Version              Repository                 Size
============================================================================================================
Reinstalling:
 ondemand-release-web              noarch              3.0-1                @commandline               13 k

Transaction Summary
============================================================================================================

Total size: 13 k
Installed size: 5.9 k
Is this ok [y/N]: y
Downloading Packages:
Package ondemand-release-web-3.0-1.noarch.rpm is not signed
Error: GPG check FAILED

I tried importing both

  1. https://yum.osc.edu/ondemand/RPM-GPG-KEY-ondemand-SHA512
  2. https://yum.osc.edu/ondemand/RPM-GPG-KEY-ondemand

With the same results. If there is another GPG key I need to import, please let me know (and maybe update the documentation), otherwise please provide a signed version of ondemand-release-web-3.0-1.noarch.rpm in the official repo.

bviviano avatar Jun 15 '23 16:06 bviviano

@treydock please advise.

johrstrom avatar Jun 15 '23 18:06 johrstrom

We can't GPG sign ondemand-release-web RPM because that RPM is the one that deploys the GPG key. That RPM is purposely not signed to avoid circular dependencies.

treydock avatar Jun 15 '23 20:06 treydock
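The bootstrap problem treydock describes has a practical consequence for anyone installing this RPM: the only signature check that could cover it is one the package itself cannot satisfy, so a site has to decide how much it trusts the download before the package's scriptlet imports a key. A first, cheap check is to confirm what the file actually carries. The parser below is an added example, not code from the Open OnDemand project or from anyone in this thread; it reads the RPM lead and signature header using the tag numbers from rpm's rpmtag.h and reports which signature entries are present. The two sample RPM images are constructed inline (the "signature" bytes are placeholders, not OpenPGP packets), and presence of a tag is not validity: a real package still has to be checked with `rpm -Kv` against keys whose fingerprints were obtained out of band.

```python
"""Tell whether an RPM file carries any GPG/RSA signature entry at all.

Added example, not Open OnDemand project code. Parses the RPM lead and the
signature header (tag numbers from rpm's rpmtag.h). Presence of a signature
tag does not mean the signature verifies; use `rpm -Kv` for that.
"""
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_LEAD_SIZE = 96                      # fixed-size lead before the signature header
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # header structure magic + version byte

# Signature-header tags (rpmtag.h: rpmSigTag_e)
SIGTAG_DSA = 267      # DSA signature over the main header
SIGTAG_RSA = 268      # RSA signature over the main header
SIGTAG_SHA256 = 273   # SHA-256 of the main header (a digest, not a signature)
SIGTAG_SIZE = 1000    # size of header + payload
SIGTAG_PGP = 1002     # legacy RSA signature over header + payload
SIGTAG_MD5 = 1004     # MD5 of header + payload (a digest, not a signature)
SIGTAG_GPG = 1005     # legacy DSA signature over header + payload
SIGNATURE_TAGS = {SIGTAG_DSA: "DSA", SIGTAG_RSA: "RSA", SIGTAG_PGP: "PGP", SIGTAG_GPG: "GPG"}

# Entry data types that occur in the signature header (rpmTagType_e)
TYPE_INT32, TYPE_STRING, TYPE_BIN = 4, 6, 7


def parse_signature_header(data: bytes) -> dict:
    """Return {tag: value} for every entry of the signature header."""
    if len(data) < RPM_LEAD_SIZE or data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    pos = RPM_LEAD_SIZE
    if data[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("signature header magic not found")
    nindex, hsize = struct.unpack(">II", data[pos + 8:pos + 16])
    index_start = pos + 16
    store_start = index_start + 16 * nindex
    if store_start + hsize > len(data):
        raise ValueError("truncated signature header")
    store = data[store_start:store_start + hsize]
    entries = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(
            ">IIII", data[index_start + 16 * i:index_start + 16 * (i + 1)])
        if typ == TYPE_INT32:
            entries[tag] = struct.unpack(">%dI" % count, store[off:off + 4 * count])
        elif typ == TYPE_STRING:
            entries[tag] = store[off:store.index(b"\0", off)].decode("ascii", "replace")
        else:                                   # BIN (and anything unexpected): raw bytes
            entries[tag] = store[off:off + count]
    return entries


def signature_kinds(data: bytes) -> list:
    """Names of the signature tags present, e.g. ['RSA', 'PGP']; [] if unsigned."""
    present = parse_signature_header(data)
    return [name for tag, name in SIGNATURE_TAGS.items() if tag in present]


def is_signed(data: bytes) -> bool:
    """True if any signature tag is present. Presence is not validity."""
    return bool(signature_kinds(data))


def _build_rpm(entries) -> bytes:
    """Assemble a minimal RPM image (lead + signature header only) from
    (tag, type, value) triples. Constructed fixture, not a real package."""
    lead = RPM_LEAD_MAGIC + bytes([3, 0]) + b"\0" * (RPM_LEAD_SIZE - 6)
    index, store = b"", b""
    for tag, typ, value in entries:
        if typ == TYPE_INT32:
            store += b"\0" * (-len(store) % 4)  # INT32 entries are 4-byte aligned
            off, count = len(store), len(value)
            store += struct.pack(">%dI" % count, *value)
        elif typ == TYPE_STRING:
            off, count = len(store), 1
            store += value.encode("ascii") + b"\0"
        else:
            off, count = len(store), len(value)
            store += value
        index += struct.pack(">IIII", tag, typ, off, count)
    header = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store))
    return lead + header + index + store


# Constructed sample: digests only, the shape of an unsigned release RPM.
UNSIGNED_RPM = _build_rpm([
    (SIGTAG_SHA256, TYPE_STRING, "0" * 64),
    (SIGTAG_SIZE, TYPE_INT32, (13000,)),
    (SIGTAG_MD5, TYPE_BIN, b"\0" * 16),
])

# Constructed sample: same entries plus RSA and PGP tags. The signature bytes
# are placeholders, not real OpenPGP packets.
SIGNED_RPM = _build_rpm([
    (SIGTAG_SHA256, TYPE_STRING, "0" * 64),
    (SIGTAG_RSA, TYPE_BIN, b"\x89\x02\x15" + b"\0" * 13),
    (SIGTAG_SIZE, TYPE_INT32, (13000,)),
    (SIGTAG_PGP, TYPE_BIN, b"\x89\x02\x15" + b"\0" * 13),
    (SIGTAG_MD5, TYPE_BIN, b"\0" * 16),
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else UNSIGNED_RPM
    print("signature tags:", signature_kinds(blob) or "none (package is unsigned)")
```

Run it as `python3 rpmsig.py ondemand-release-web-3.0-1.noarch.rpm` on a downloaded copy to see whether the file carries any signature entry; `rpm -Kv file.rpm` gives the authoritative answer and additionally verifies the signature against the keys in the rpm keyring. Because an unsigned bootstrap package is trusted on the strength of the HTTPS download alone, compare the fingerprint of the key it installs against one obtained from a second channel before enabling the repository it configures.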

There must be a config on your system forcing GPG checks when it's not needed. I can't reproduce on fresh instance:

$ docker run --rm -it --platform linux/amd64 rockylinux:8.8 /bin/bash
<snip>
[root@d359e457dc6a /]# yum install https://yum.osc.edu/ondemand/3.0/ondemand-release-web-3.0-1.noarch.rpm
<snip>
Installed:
  ondemand-release-web-3.0-1.noarch

Complete!

treydock avatar Jun 15 '23 20:06 treydock
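The transcript above shows the package coming from the `@commandline` pseudo-repository, and dnf.conf(5) documents that packages given on the command line (a local file or a URL) are signature-checked only when `localpkg_gpgcheck` is enabled, while `gpgcheck` governs packages fetched from a repository; `--nogpgcheck` switches both off for one run. The helper below is an added example, not dnf or Open OnDemand code; it reads a dnf.conf `[main]` section with the standard library and predicts whether an unsigned package would hit "GPG check FAILED". Both configuration texts are constructed for the example. It does not model per-repository `gpgcheck=` overrides in .repo files, nor rpm's own `%_pkgverify_level` macro, which when set to `signature` rejects unsigned packages independently of dnf.

```python
"""Predict from dnf.conf whether dnf will refuse an unsigned package.

Added example, not dnf or Open OnDemand code. Mirrors the documented
dnf.conf(5) semantics: localpkg_gpgcheck covers command-line packages,
gpgcheck covers repository packages, --nogpgcheck disables both.
"""
import configparser

TRUE_VALUES = {"1", "yes", "true", "on"}

# Constructed: a stock dnf.conf; localpkg_gpgcheck is unset, so it defaults to False.
DEFAULT_DNF_CONF = """\
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
"""

# Constructed: a hardened host that also checks packages given on the command line.
HARDENED_DNF_CONF = """\
[main]
gpgcheck=1
localpkg_gpgcheck=1
installonly_limit=3
"""


def _flag(section, key, default=False):
    """Parse a dnf boolean; missing keys fall back to the documented default."""
    raw = section.get(key)
    if raw is None:
        return default
    return raw.strip().lower() in TRUE_VALUES


def gpgcheck_policy(conf_text):
    """Return the two [main] switches that decide GPG checking."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    main = cp["main"] if cp.has_section("main") else {}
    return {"repo": _flag(main, "gpgcheck"), "localpkg": _flag(main, "localpkg_gpgcheck")}


def will_refuse_unsigned(conf_text, from_cmdline, nogpgcheck=False):
    """True if dnf would stop with 'GPG check FAILED' for an unsigned package.

    from_cmdline: the package was given as a file or URL (repository shows as
    '@commandline'), so localpkg_gpgcheck applies; otherwise gpgcheck applies.
    """
    if nogpgcheck:          # --nogpgcheck disables both checks for this run
        return False
    policy = gpgcheck_policy(conf_text)
    return policy["localpkg"] if from_cmdline else policy["repo"]


if __name__ == "__main__":
    for name, conf in (("stock", DEFAULT_DNF_CONF), ("hardened", HARDENED_DNF_CONF)):
        verdict = will_refuse_unsigned(conf, from_cmdline=True)
        print("%-8s install of unsigned URL package refused: %s" % (name, verdict))
```

On a host that refuses the unsigned release RPM, `grep -i gpgcheck /etc/dnf/dnf.conf` shows which switch is set; keeping `localpkg_gpgcheck=1` and passing `--nogpgcheck` for the one bootstrap install is safer than relaxing the global policy, provided the downloaded file was verified out of band first.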

Ok, interesting.

If I

# /bin/dnf reinstall https://yum.osc.edu/ondemand/3.0/ondemand-release-web-3.0-1.noarch.rpm --nogpgcheck
Updating Subscription Management repositories.
Last metadata expiration check: 0:08:36 ago on Tue 20 Jun 2023 06:13:21 AM EDT.
ondemand-release-web-3.0-1.noarch.rpm                                                                         3.9 kB/s |  13 kB     00:03    
Dependencies resolved.
==============================================================================================================================================
 Package                                    Architecture                 Version                     Repository                          Size
==============================================================================================================================================
Reinstalling:
 ondemand-release-web                       noarch                       3.0-1                       @commandline                        13 k

Transaction Summary
==============================================================================================================================================

Total size: 13 k
Installed size: 5.9 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                      1/1 
  Reinstalling     : ondemand-release-web-3.0-1.noarch                                                                                    1/2 
  Running scriptlet: ondemand-release-web-3.0-1.noarch                                                                                    1/2 
  Cleanup          : ondemand-release-web-3.0-1.noarch                                                                                    2/2 
  Verifying        : ondemand-release-web-3.0-1.noarch                                                                                    1/2 
  Verifying        : ondemand-release-web-3.0-1.noarch                                                                                    2/2 
Installed products updated.

Reinstalled:
  ondemand-release-web-3.0-1.noarch                                                                                                           

Complete!

After I force install it once via

/bin/dnf install https://yum.osc.edu/ondemand/3.0/ondemand-release-web-3.0-1.noarch.rpm --nogpgcheck

Then it works. Maybe there is something about doing the install via https instead of from an existing repo, but I don't have that problem with EPEL.

bviviano avatar Jun 20 '23 10:06 bviviano

> We can't GPG sign ondemand-release-web RPM because that RPM is the one that deploys the GPG key. That RPM is purposely not signed to avoid circular dependencies.

You can still sign it, it shouldn't hurt sites if it's signed, but for sites like mine that are either updating from 2.0 and so already have the keys installed or wish to manually import the PGP keys from your website first via:

/bin/rpm --import https://yum.osc.edu/ondemand/RPM-GPG-KEY-ondemand-SHA512
/bin/rpm --import https://yum.osc.edu/ondemand/RPM-GPG-KEY-ondemand

having the ondemand-release-web-3.0-1.noarch.rpm release already signed would be useful.

bviviano avatar Jun 20 '23 10:06 bviviano