Fedora 38 rpm policy violation

[Commandcracker]

Details about the problem

# dnf config-manager --add-repo https://download.opensuse.org/repositories/hardware:razer/Fedora_$(rpm -E %fedora)/hardware:razer.repo

Adding repo from: https://download.opensuse.org/repositories/hardware:razer/Fedora_38/hardware:razer.repo

# dnf install polychromatic

Last metadata expiration check: 0:00:43 ago on Fri 19 May 2023 01:36:27 AM CEST.
Dependencies resolved.
===============================================================================================================
 Package                          Architecture      Version                    Repository                 Size
===============================================================================================================
Installing:
 polychromatic                    noarch            0.8.1-1.1                  hardware_razer            842 k
Installing dependencies:
 python-qt5-rpm-macros            noarch            5.15.9-2.fc38              updates                   8.9 k
 python3-colorama                 noarch            0.4.6-2.fc38               fedora                     73 k
 python3-colour                   noarch            0.1.5-14.fc38              fedora                     37 k
 python3-pyqt5-sip                x86_64            12.11.1-1.fc38             fedora                     87 k
 python3-qt5                      x86_64            5.15.9-2.fc38              updates                   1.2 M
 python3-qt5-base                 x86_64            5.15.9-2.fc38              updates                   3.3 M
 python3-qt5-webengine            x86_64            5.15.6-2.fc38              fedora                    133 k
 qt5-qtconnectivity               x86_64            5.15.9-1.fc38              updates                   463 k
 qt5-qtserialport                 x86_64            5.15.9-1.fc38              updates                    65 k
 qt5-qttools-libs-help            x86_64            5.15.9-1.fc38              updates                   157 k
 qt5-qtwebsockets                 x86_64            5.15.9-1.fc38              updates                    87 k

Transaction Summary
===============================================================================================================
Install  12 Packages

Total download size: 6.4 M
Installed size: 32 M
Is this ok [y/N]: y
Downloading Packages:
(1/12): python3-colour-0.1.5-14.fc38.noarch.rpm                                158 kB/s |  37 kB     00:00
(2/12): python3-colorama-0.4.6-2.fc38.noarch.rpm                               274 kB/s |  73 kB     00:00
(3/12): python3-pyqt5-sip-12.11.1-1.fc38.x86_64.rpm                            1.1 MB/s |  87 kB     00:00
(4/12): python3-qt5-webengine-5.15.6-2.fc38.x86_64.rpm                         1.5 MB/s | 133 kB     00:00
(5/12): python-qt5-rpm-macros-5.15.9-2.fc38.noarch.rpm                          40 kB/s | 8.9 kB     00:00
(6/12): polychromatic-0.8.1-1.1.noarch.rpm                                     1.3 MB/s | 842 kB     00:00
(7/12): python3-qt5-5.15.9-2.fc38.x86_64.rpm                                   2.8 MB/s | 1.2 MB     00:00
(8/12): python3-qt5-base-5.15.9-2.fc38.x86_64.rpm                              6.2 MB/s | 3.3 MB     00:00
(9/12): qt5-qtserialport-5.15.9-1.fc38.x86_64.rpm                              237 kB/s |  65 kB     00:00
(10/12): qt5-qtconnectivity-5.15.9-1.fc38.x86_64.rpm                           1.1 MB/s | 463 kB     00:00
(11/12): qt5-qttools-libs-help-5.15.9-1.fc38.x86_64.rpm                        3.5 MB/s | 157 kB     00:00
(12/12): qt5-qtwebsockets-5.15.9-1.fc38.x86_64.rpm                             1.3 MB/s |  87 kB     00:00
---------------------------------------------------------------------------------------------------------------
Total                                                                          2.6 MB/s | 6.4 MB     00:02
error: Verifying a signature using certificate E96C496E4E77C159C2FCA053062F9FD4D6D11CE4 (hardware OBS Project <hardware@build.opensuse.org>):
  Certificate 062F9FD4D6D11CE4 invalid: policy violation
      because: No binding signature at time 2023-05-01T18:27:24Z
error: Verifying a signature using certificate E96C496E4E77C159C2FCA053062F9FD4D6D11CE4 (hardware OBS Project <hardware@build.opensuse.org>):
  Certificate 062F9FD4D6D11CE4 invalid: policy violation
      because: No binding signature at time 2023-05-01T18:27:24Z
Problem opening package polychromatic-0.8.1-1.1.noarch.rpm
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Operating System / Desktop Environment / Version(s)

Fedora 38

Affected Devices

[lah7]

Polychromatic shares the OBS repository with OpenRazer. Other users had this problem too: openrazer/openrazer#2061

Apparently, Fedora 38 tightened some security policies affecting third party repos with the upgrade. One comment suggests to uninstall the openrazer and polychromatic packages; signing keys (GPG) and repository using rpm/dnf, then install them fresh again.

Take a look at openrazer/openrazer#2061 and let us know the result.

[Commandcracker]

Everything I tried didn't work. I did everything on a clean fedora install.

Here is my Ansible task:

---
- name: Get main user[1000] name
  ansible.builtin.command: "id -un 1000"
  register: user_name
  changed_when: false

- name: Create plugdev group
  ansible.builtin.group:
    name: plugdev
    state: present

- name: Add main user[1000] to plugdev
  ansible.builtin.user:
    name: "{{ user_name.stdout }}"
    uid: 1000
    group: plugdev

- name: Install kernel-devel
  ansible.builtin.dnf:
    name: kernel-devel
    state: latest

- name: Add razer gpgkey
  ansible.builtin.rpm_key:
    state: present
    key: https://download.opensuse.org/repositories/hardware:/razer/Fedora_{{ ansible_distribution_major_version }}/repodata/repomd.xml.key

- name: Add Razer repository
  ansible.builtin.yum_repository:
    name: razer
    description: razer
    baseurl: https://download.opensuse.org/repositories/hardware:razer/Fedora_{{ ansible_distribution_major_version }}/hardware:razer.repo
    file: razer
    gpgkey: https://download.opensuse.org/repositories/hardware:/razer/Fedora_{{ ansible_distribution_major_version }}/repodata/repomd.xml.key
    gpgcheck: true

- name: Install openrazer-meta
  ansible.builtin.dnf:
    name: openrazer-meta
    state: latest

# https://github.com/polychromatic/polychromatic/issues/479

- name: Install polychromatic
  ansible.builtin.dnf:
    name: polychromatic
    state: latest

[lah7]

Sorry for the delay, my motherboard needed replacement ☠️

It seems the repository URL had changed. I got 404 for the old URL.

-https://download.opensuse.org/repositories/hardware:razer/Fedora_$(rpm -E %fedora)/hardware:razer.repo
+https://download.opensuse.org/repositories/hardware:/razer/Fedora_$(rpm -E %fedora)/hardware:razer.repo
                                                     ^

In a clean Fedora 38 container, I was able to successfully add the repository with this corrected URL. I've updated the instructions on the website. Does this work if you update the baseurl key in your Ansible task?

[Commandcracker]

Booth URLs returned the same repo, so nothing changed

-https://download.opensuse.org/repositories/hardware:razer/Fedora_$(rpm -E %fedora)/hardware:razer.repo
+https://download.opensuse.org/repositories/hardware:/razer/Fedora_$(rpm -E %fedora)/hardware:razer.repo
                                                     ^

[Commandcracker]

In a clean Fedora 38 container

I'm testing it in a clean Fedora 38 VM

[lah7]

Looks like openSUSE Build Service quietly fixed the old URL, so that's no problem now.

Apologies, I can reproduce the same error now. I wrongly assumed RPM behaved like Debian in that the keys would be imported at the time of adding the repository, not after downloading packages...

----------------------------------------------------------------------------------------------------
Total                                                                33 MB/s | 237 MB     00:07     
hardware:razer (Fedora_38)                                          7.5 kB/s | 1.1 kB     00:00    
Importing GPG key 0xD6D11CE4:
 Userid     : "hardware OBS Project <hardware@build.opensuse.org>"
 Fingerprint: E96C 496E 4E77 C159 C2FC A053 062F 9FD4 D6D1 1CE4
 From       : https://download.opensuse.org/repositories/hardware:/razer/Fedora_38/repodata/repomd.xml.key
Is this ok [y/N]: y
Key imported successfully
Import of key(s) didn't help, wrong key(s)?
Problem opening package polychromatic-0.8.1-1.1.noarch.rpm. Failing package is: polychromatic-0.8.1-1.1.noarch
 GPG Keys are configured as: https://download.opensuse.org/repositories/hardware:/razer/Fedora_38/repodata/repomd.xml.key
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Well that's really annoying.

I tried a combination of things I could find around the web: ^[1]

dnf clean packages
dnf install crypto-policies-scripts
update-crypto-policies --set LEGACY

No go. All I know is that Fedora 38 doesn't accept SHA-1 signed packages. Being completely unfamiliar with RPM, I don't know how to delete old GPG keys or how to fix it either. It could be the key itself, but this repository is managed by openSUSE Build Service.

Like, why doesn't this work!?

dnf install --nogpgcheck polychromatic

That's all I know for now. If any one knows a solution, please let us know!

[guidugli]

Like, why doesn't this work!?

dnf install --nogpgcheck polychromatic

If the key is present on the system, the --nogpgcheck will still fail. To me, I had to first delete the key (rpm -e gpg-pubkey-d6d11ce4-5418547d), then run dnf install --nogpgcheck polychromatic

[lah7]

Thanks @guidugli for the tip. This worked in a Fedora 38 Docker container:

sudo dnf install 'dnf-command(config-manager)' # might only needed for the container

sudo dnf config-manager --add-repo https://download.opensuse.org/repositories/hardware:/razer/Fedora_$(rpm -E %fedora)/hardware:razer.repo
sudo rpm -e gpg-pubkey-d6d11ce4-5418547d
sudo dnf install --nogpgcheck polychromatic

At least it's a workaround that allows the software to be installed until the managed repository key gets updated, or the security policy on the system can allow the older mechanism (SHA-1) like in Fedora 37. Kind of ironic the strictness of the new security policy ends up resulting in weak security for this third party repository, for now anyway.

That said, I have no idea how this will work for the OP's Ansible, hopefully there are config values that allow for it.

[XenHat]

This worked fine for me outside a Docker container. Thank you so much!

[j-silver]

How do you know the key to be erased? I tried that command but it still doesn't work.

[lah7]

Not a Fedora user. From what I found, this lists something related to keys:

rpm -qa gpg-pubkey

This is the current key for our repository:

#  rpm -qi gpg-pubkey-d6d11ce4-5418547d
Name        : gpg-pubkey
Version     : d6d11ce4
Release     : 5418547d
Architecture: (none)
Install Date: Tue Oct 10 17:08:38 2023
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Tue Sep 16 15:17:17 2014
Build Host  : localhost
Packager    : hardware OBS Project <hardware@build.opensuse.org>
Summary     : hardware OBS Project <hardware@build.opensuse.org> public key
Description :

-- https://www.redhat.com/sysadmin/rpm-gpg-verify-packages

I tried again with a fresh Fedora 38 container, it seems to be able to install the package normally now. Maybe the recent v0.8.2 release triggered something relating to the key. It's all managed by OpenSUSE Build Service.

This works for me, in a clean container:

sudo dnf install 'dnf-command(config-manager)' # might only needed for the container

sudo dnf config-manager --add-repo https://download.opensuse.org/repositories/hardware:/razer/Fedora_$(rpm -E %fedora)/hardware:razer.repo
sudo dnf install polychromatic

[j-silver]

@lah7 Thanks
I've followed the same steps, including the attempted removal of the offending key (as explained above)

I get this output (apologies for the verbosity):

sudo dnf install --nogpgcheck polychromatic
Last metadata expiration check: 0:02:20 ago on Tue 10 Oct 2023 18:42:56 BST.
Dependencies resolved.
====================================================================================================
 Package                  Architecture      Version                 Repository                 Size
====================================================================================================
Installing:
 polychromatic            noarch            0.8.2-1.1               hardware_razer            852 k

Transaction Summary
====================================================================================================
Install  1 Package

Total size: 852 k
Installed size: 4.3 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] polychromatic-0.8.2-1.1.noarch.rpm: Already downloaded                                   
Running transaction check
Transaction check succeeded.
Running transaction test
RPM: error: Verifying a signature using certificate E96C496E4E77C159C2FCA053062F9FD4D6D11CE4 (hardware OBS Project <hardware@build.opensuse.org>):
RPM:   1. Certificiate 062F9FD4D6D11CE4 invalid: certificate is not alive
RPM:       because: The primary key is not live
RPM:       because: Expired on 2023-05-23T13:32:57Z
RPM:   2. Key 062F9FD4D6D11CE4 invalid: key is not alive
RPM:       because: The primary key is not live
RPM:       because: Expired on 2023-05-23T13:32:57Z
RPM: error: Verifying a signature using certificate E96C496E4E77C159C2FCA053062F9FD4D6D11CE4 (hardware OBS Project <hardware@build.opensuse.org>):
RPM:   1. Certificiate 062F9FD4D6D11CE4 invalid: certificate is not alive
RPM:       because: The primary key is not live
RPM:       because: Expired on 2023-05-23T13:32:57Z
RPM:   2. Key 062F9FD4D6D11CE4 invalid: key is not alive
RPM:       because: The primary key is not live
RPM:       because: Expired on 2023-05-23T13:32:57Z
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
  package polychromatic-0.8.2-1.1.noarch does not verify: Header V3 RSA/SHA256 Signature, key ID d6d11ce4: NOTTRUSTED

same without --nogpgcheck

[lah7]

Thankfully, it's a different error to the original issue. Your system just has an old copy of the key, which has an expiry date. After deleting the key, maybe you need to re-add the repository and run sudo dnf update again before trying to install the package?

This looks like it describes the problem and should help:
https://gist.github.com/e7d/3b786c7410ca14a5ded61eec36de9874

[j-silver]

@lah7 It worked! Thanks a lot.

[lah7]

It's all good! Marking issue as completed as the "No binding signature" issue was fixed last month for Fedora 38:

• Relax "No binding signature" rpm-software-management/rpm-sequoia#46