On Thu, Feb 15, 2024 at 06:03:59PM -0800, Kevin Fenzi wrote: > That won't do it. We need mock to update it's config at exactly the same > moment a successfull rawhide compose completes and mirrors to whatever > mirror you are hitting. ;( > > We make keys a year ahead now. The f42 key is in fedora-release already.
Oh, I didn't know that. I see that I have /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-41-primary on both my F39 and ~rawhide systems. This means that both keys are on the system, it's just a matter of pointing dnf/other tools at them. But let's not talk about mock, let's talk about mkosi. In my earlier message I quoted this case: > [1] From > https://github.com/systemd/systemd/actions/runs/7919159325/job/21619276641?pr=31338: > > Running transaction > Importing PGP key 0xA15B79CC: > Userid : "Fedora (40) <fedora-40-prim...@fedoraproject.org>" > Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC > From : > file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary > The key was successfully imported. > > Transaction failed: Signature verification failed. > PGP check for package "filesystem-3.18-8.fc40.x86_64" > (/var/cache/libdnf5/fedora-306b6523e9c8dc02/packages/filesystem-3.18-8.fc40.x86_64.rpm) > from > repo "fedora" has failed: Import of the key didn't help, wrong key? /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary points to RPM-GPG-KEY-fedora-40-primary. So everythould be fine, no? filesystem-3.18-8.fc40.x86_64 is clearly an F40 package, so it should be signed with the RPM-GPG-KEY-fedora-40-primary key. But it has "Signature : RSA/SHA256, Fri 09 Feb 2024 01:30:23 PM CET, Key ID d0622462e99d6ad1" which is RPM-GPG-KEY-fedora-41-primary. This actually raises a bunch of questions: 1. Why is the .f40 package signed with the F41 key? 2. How does this even work later on? Wouldn't F40 installations refuse packages signed with the F41 key? 3. If F42 key has already been generated, why isn't it distributed in distribution-gpg-keys already, to make it well known and make the transition easier in the future? and also: 4. https://fedoraproject.org/fedora.gpg contains keys for F35, F36, F37, F38, F38, F40. Why not F41 and F42? For mkosi specifically, I guess could try to import also the "next" key when configuring rawhide installs, but I'd like to first understand why the packages are signed with the F41 key. Zbyszek -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
