
Not valid GPG sign at every update

Open SamuXzX opened this issue 10 months ago • 5 comments

Description

At every update of my system, I encounter an error related to the native part of FirefoxPWA: the GPG sign is not valid:

È stata trovata una firma GPG non valida:

/var/cache/PackageKit/41/metadata/firefoxpwa-41-x86_64/packages/firefoxpwa-2.14.0-1.x86_64.rpm could not be verified.
/var/cache/PackageKit/41/metadata/firefoxpwa-41-x86_64/packages/firefoxpwa-2.14.0-1.x86_64.rpm:  digest:  SIGNATURE:  NON OK

This is the error from Discover in KDE Plasma. This time it is for the new version (as I'm currently on 2.13.3), which makes me think my package manager finds the new versions and tries to install them, but every time the GPG sign is not valid. I have updated this package at least four times since I started using FirefoxPWA: every time Discover tried to update various packages, but among them there would be firefoxpwa, which would block the update.

I install the native package via packagecloud.io's RPM for Fedora, and every time I follow the same instructions: I import the GPG sign, I enable the repository, I update DNF caches and I install ("update") the firefoxpwa package. Is there something I don't get, like the GPG sign having to change at every update? The other issue about the GPG key (https://github.com/filips123/PWAsForFirefox/issues/574) has been closed by suggesting to re-add the repository: this is what I do every time, but I suppose I should not be fixing it like this at every update.

Steps to Reproduce

  1. Import GPG key: sudo rpm --import https://packagecloud.io/filips/FirefoxPWA/gpgkey
  2. Enable repository: echo -e "[firefoxpwa]\nname=FirefoxPWA\nmetadata_expire=300\nbaseurl=https://packagecloud.io/filips/FirefoxPWA/rpm_any/rpm_any/\$basearch\ngpgkey=https://packagecloud.io/filips/FirefoxPWA/gpgkey\nrepo_gpgcheck=1\ngpgcheck=0\nenabled=1" | sudo tee /etc/yum.repos.d/firefoxpwa.repo
  3. Update DNF caches: sudo dnf -q makecache -y --disablerepo="*" --enablerepo="firefoxpwa"
  4. Install the package: sudo dnf install firefoxpwa
  5. Wait for an update of the package
  6. Try to update everything at once with Discover

Environment

  • Operating system: Fedora KDE 41
  • System architecture: x86
  • Desktop environment: KDE Plasma 6.2.5 (KDE Frameworks 6.10.0, Qt 6.8.2)
  • Installation method: Fedora RPM from packagecloud.io (https://packagecloud.io/filips/FirefoxPWA#dnf-based-distributions-fedora)
  • FirefoxPWA Extension version: 2.13.3
  • FirefoxPWA Native version: 2.13.3
  • FirefoxPWA Runtime version: 135.0
  • FirefoxPWA Firefox version: 135.0

SamuXzX avatar Feb 12 '25 10:02 SamuXzX

I'm not sure why this happens. Can you please check if following these instructions fixes the issue? In those instructions, you should use rpm_any/rpm_any instead of el/6.

filips123 avatar Feb 15 '25 12:02 filips123

I'm trying to follow the instructions but I'm not sure how to add the EPEL repository to download the pygpgme and yum-utils packages: on this page there's no hint for "Fedora", and as far as I understand the EPEL repository is in fact for RHEL and CentOS; at the same time, I cannot find pygpgme and yum-utils, which could mean I need EPEL.

SamuXzX avatar Feb 17 '25 15:02 SamuXzX

I think that those packages are only needed for RHEL... Try to just add the repository config file.

filips123 avatar Feb 17 '25 20:02 filips123

I followed the instructions (created the new .repo file and updated yum's caches), and this is the output:

Importing OpenPGP key 0x64487E24:
 UserID     : "https://packagecloud.io/filips/FirefoxPWA (https://packagecloud.io/docs#gpg_signing) <[email protected]>"
 Fingerprint: 1A3D51F7261CFDB3F12F7A59560C3C6E64487E24
 From       : https://packagecloud.io/filips/FirefoxPWA/gpgkey
The key was successfully imported.
Metadata cache created.

But the same problem appeared:

È stata trovata una firma GPG non valida:

/var/cache/PackageKit/41/metadata/firefoxpwa-41-x86_64/packages/firefoxpwa-2.14.1-1.x86_64.rpm could not be verified.
/var/cache/PackageKit/41/metadata/firefoxpwa-41-x86_64/packages/firefoxpwa-2.14.1-1.x86_64.rpm:  digest:  SIGNATURE:  NON OK

I asked Discover to refresh the updates, and I tried removing the old firefoxpwa.repo file from the /etc/yum.repos.d folder and recreated the cache again, but it didn't work.

Now that I keep trying to update, the same problem arises for Teamviewer and the one about FirefoxPWA is not appearing, making me think that it actually got solved but Discover didn't properly refresh the updates. I still see the FirefoxPWA package among the updates:

Image

But this could just mean that Discover does not update all those packages until the signature for each of them is checked.

I'll try again after a reboot and check if I can solve the Teamviewer issue so that it does not mess with our issue. Additionally, even if this solution works, maybe we will have to wait two updates, as my issue is that fixing the signature to do one update does not fix it for the following ones and the problem comes back.

SamuXzX avatar Feb 19 '25 13:02 SamuXzX

I solved the problem with Teamviewer. The problem with FirefoxPWA still exists:

È stata trovata una firma GPG non valida:

/var/cache/PackageKit/41/metadata/filips_FirefoxPWA-41-x86_64/packages/firefoxpwa-2.14.1-1.x86_64.rpm could not be verified.
/var/cache/PackageKit/41/metadata/filips_FirefoxPWA-41-x86_64/packages/firefoxpwa-2.14.1-1.x86_64.rpm:  digest:  SIGNATURE:  NON OK

I'm delaying the update as the solution to just reinstall the GPG key would not be definitive, as — like I said — this problem occurs at every update.

SamuXzX avatar Feb 21 '25 10:02 SamuXzX

Apparently, the problem is that RPM packages are not signed. Although PWAsForFirefox's repository sets gpgcheck=0 to disable checking GPG signatures of the packages, it seems KDE Discover ignores that option, so the installation fails.

I will try to set up GPG signing for RPM packages. But maybe this should also be reported to KDE Discover if it's not already reported, as it seems to be their bug.

filips123 avatar Jul 23 '25 18:07 filips123
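The root cause above comes down to the repository definition in step 2 of the issue: `repo_gpgcheck=1` verifies the metadata, but `gpgcheck=0` tells dnf to accept unsigned packages, which PackageKit/Discover refuses to do. The following audit script is an added example, not code from the PWAsForFirefox project; it parses a `.repo` file and flags every section whose packages would be installed without a signature check, using the issue's own repository block as a constructed sample (assumes awk and mktemp are available).

```shell
#!/usr/bin/env bash
# Added example (not from the PWAsForFirefox project): audit a dnf/yum .repo
# file and report whether package signatures (gpgcheck) and metadata
# signatures (repo_gpgcheck) are verified for each repository section.
set -u

# Prints one line per [section]:
#   <repo-id> gpgcheck=<v> repo_gpgcheck=<v> <verdict>
# Missing keys are shown as "unset" (dnf then falls back to [main]'s value).
audit_repo_file() {
    awk '
        function flush() {
            if (id == "") return
            gc  = ("gpgcheck" in kv)      ? kv["gpgcheck"]      : "unset"
            rgc = ("repo_gpgcheck" in kv) ? kv["repo_gpgcheck"] : "unset"
            verdict = (gc == "1") ? "packages-verified" : "packages-UNVERIFIED"
            printf "%s gpgcheck=%s repo_gpgcheck=%s %s\n", id, gc, rgc, verdict
            for (k in kv) delete kv[k]
        }
        /^\[.*\]$/      { flush(); id = substr($0, 2, length($0) - 2); next }
        /^[A-Za-z_]+=/  { i = index($0, "="); kv[substr($0, 1, i - 1)] = substr($0, i + 1); next }
        END             { flush() }
    ' "$1"
}

# Exit status 0 when every section verifies package signatures, 1 otherwise.
all_packages_verified() {
    ! audit_repo_file "$1" | grep -q "packages-UNVERIFIED"
}

# Constructed sample: the repository definition from step 2 of the issue.
SAMPLE_REPO=$(mktemp)
trap 'rm -f "$SAMPLE_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[firefoxpwa]
name=FirefoxPWA
metadata_expire=300
baseurl=https://packagecloud.io/filips/FirefoxPWA/rpm_any/rpm_any/$basearch
gpgkey=https://packagecloud.io/filips/FirefoxPWA/gpgkey
repo_gpgcheck=1
gpgcheck=0
enabled=1
EOF

audit_repo_file "$SAMPLE_REPO"
# → firefoxpwa gpgcheck=0 repo_gpgcheck=1 packages-UNVERIFIED
```

Once packages are signed (as described later in the thread), the repository can be switched to `gpgcheck=1` and the same audit reports `packages-verified`.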

It seems like it has already been reported; I added a comment here: https://bugs.kde.org/show_bug.cgi?id=488388

SamuXzX avatar Jul 30 '25 08:07 SamuXzX

I've added GPG signing for DEB and RPM packages. If everything works, newly released packages will be automatically signed by F17A EF1C 8C47 5B51 B5F3 03C6 912A D9BE 47FE B404 (available on Ubuntu Keyserver and Packagecloud), which is a PWAsForFirefox-specific subkey of my main GPG key. Repository metadata will still be signed by packagecloud.io.

filips123 avatar Aug 03 '25 13:08 filips123