On Fri, Feb 16, 2024 at 11:12:07AM +0000, Zbigniew Jędrzejewski-Szmek wrote: > On Thu, Feb 15, 2024 at 06:03:59PM -0800, Kevin Fenzi wrote: > > That won't do it. We need mock to update it's config at exactly the same > > moment a successfull rawhide compose completes and mirrors to whatever > > mirror you are hitting. ;( > > > > We make keys a year ahead now. The f42 key is in fedora-release already. > > Oh, I didn't know that. I see that I have > /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary > /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-41-primary > on both my F39 and ~rawhide systems. > > This means that both keys are on the system, it's just a matter of > pointing dnf/other tools at them. > > But let's not talk about mock, let's talk about mkosi. > > In my earlier message I quoted this case: > > > [1] From > > https://github.com/systemd/systemd/actions/runs/7919159325/job/21619276641?pr=31338: > > > > Running transaction > > Importing PGP key 0xA15B79CC: > > Userid : "Fedora (40) <fedora-40-prim...@fedoraproject.org>" > > Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC > > From : > > file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary > > The key was successfully imported. > > > > Transaction failed: Signature verification failed. > > PGP check for package "filesystem-3.18-8.fc40.x86_64" > > (/var/cache/libdnf5/fedora-306b6523e9c8dc02/packages/filesystem-3.18-8.fc40.x86_64.rpm) > > from > > repo "fedora" has failed: Import of the key didn't help, wrong key? > > /usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary > points to RPM-GPG-KEY-fedora-40-primary. > So everythould be fine, no? filesystem-3.18-8.fc40.x86_64 is clearly an F40 > package, so it should be signed with the RPM-GPG-KEY-fedora-40-primary key. > > But it has > "Signature : RSA/SHA256, Fri 09 Feb 2024 01:30:23 PM CET, Key ID > d0622462e99d6ad1" > which is RPM-GPG-KEY-fedora-41-primary. > > This actually raises a bunch of questions: > 1. Why is the .f40 package signed with the F41 key? > 2. How does this even work later on? Wouldn't F40 installations refuse > packages signed with the F41 key? > 3. If F42 key has already been generated, why isn't it distributed in > distribution-gpg-keys already, to make it well known and make the > transition easier in the future? > > and also: > > 4. https://fedoraproject.org/fedora.gpg contains keys for F35, F36, F37, F38, > F38, F40. > Why not F41 and F42? > > For mkosi specifically, I guess could try to import also the "next" key > when configuring rawhide installs, but I'd like to first understand why > the packages are signed with the F41 key.
For now, I prepared the following PR: https://github.com/systemd/mkosi/pull/2398. It makes the build work by importing both RPM-GPG-KEY-fedora-40-primary and RPM-GPG-KEY-fedora-41-primary when the version string is "rawhide". As I wrote above, I don't understand some things here, so comments are very much welcome. Zbyszek -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
