It's this time of the year again:

Running transaction
Importing PGP key 0xA15B79CC:
 Userid     : "Fedora (40) <fedora-40-prim...@fedoraproject.org>"
 Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
 From       : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary
The key was successfully imported.
Importing PGP key 0xA15B79CC:
 Userid     : "Fedora (40) <fedora-40-prim...@fedoraproject.org>"
 Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
 From       : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary
The key was successfully imported.
Importing PGP key 0x18B8E74C:
 Userid     : "Fedora (39) <fedora-39-prim...@fedoraproject.org>"
 Fingerprint: E8F23996F23218640CB44CBE75CF5AC418B8E74C
 From       : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-39-primary
The key was successfully imported.

Transaction failed: Signature verification failed.
PGP check for package "curl-8.6.0-6.fc40.x86_64" (/var/lib/mock/fedora-rawhide-x86_64/root/var/cache/dnf/fedora-2d95c80a1fa0a67d/packages/curl-8.6.0-6.fc40.x86_64.rpm) from repo "fedora" has failed: Import of the key didn't help, wrong key?

This message is from mock. It's one issue if mock fails when you call
it from the command line, but this failure also causes CI failures.
And as everybody knows, flaky CI gets ignored.

I very much want people to use Fedora for their CI, and in particular
rawhide, because it's great for testing with upstream software. But
it looks silly if we get such a major "security failure" twice a year [1].

Could we please do something so that this doesn't happen?
Dunno, generate and distribute the keys earlier so that mock
and https://fedoraproject.org/fedora.gpg get updated _before_
we need it?

I know this subject comes up approx. twice a year (or once for F21 ;) ),
e.g. [2]. I know this can be "fixed" with some manual steps, but I posit
that this should never occur in the first place.

Zbyszek


[1] From https://github.com/systemd/systemd/actions/runs/7919159325/job/21619276641?pr=31338:

Running transaction
Importing PGP key 0xA15B79CC:
 Userid     : "Fedora (40) <fedora-40-prim...@fedoraproject.org>"
 Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
 From       : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary
The key was successfully imported.

Transaction failed: Signature verification failed.
PGP check for package "filesystem-3.18-8.fc40.x86_64" (/var/cache/libdnf5/fedora-306b6523e9c8dc02/packages/filesystem-3.18-8.fc40.x86_64.rpm) from repo "fedora" has failed: Import of the key didn't help, wrong key?

Note that this is a test VM that was created specifically for this
test run, so there's no question of stale data or anything like that.


[2] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/MFX2JDVANNEW7LWWIBBLYCN6DEPWHSXF/.
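As an added example (not part of the mail above, and not Fedora, mock or dnf tooling), a small Python parser for transaction output of the kind quoted in the mail and in footnote [1]. It separates the "key imported, signature still failed" case, where the repo's packages are signed by a key the keyring does not carry, from other signature failures, so a CI job can report it as a keyring problem instead of an ignorable flake. The sample log is constructed from the quoted output and assumes each field sits on one line, as the tool prints it before the mail client wraps it.

```python
import re
# Constructed sample modelled on the mock/dnf5 output quoted above, with each
# field on one line as the tool prints it (the mail client wrapped them).
SAMPLE_LOG = '''Running transaction
Importing PGP key 0xA15B79CC:
 Userid     : "Fedora (40) <fedora-40-prim...@fedoraproject.org>"
 Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
 From       : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-rawhide-primary
The key was successfully imported.

Transaction failed: Signature verification failed.
PGP check for package "filesystem-3.18-8.fc40.x86_64" (/var/cache/libdnf5/fedora-306b6523e9c8dc02/packages/filesystem-3.18-8.fc40.x86_64.rpm) from repo "fedora" has failed: Import of the key didn't help, wrong key?
'''

KEY_RE = re.compile(r"^Importing PGP key 0x([0-9A-Fa-f]{8}):$")
FIELD_RE = re.compile(r"^\s+(Userid|Fingerprint|From)\s*:\s*(.*)$")
FAIL_RE = re.compile(r'^PGP check for package "([^"]+)" \(.*\) from repo "([^"]+)"'
                     r" has failed: (.*)$")

def parse_transaction_log(text):
    # Returns {'imported': [key dicts], 'failures': [failure dicts]}.
    imported, failures, current = [], [], None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = {"keyid": m[1].upper(), "Userid": "", "Fingerprint": "", "From": ""}
            imported.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            current[m[1]] = m[2].strip().strip('"')
        elif m := FAIL_RE.match(line):
            failures.append({"package": m[1], "repo": m[2], "reason": m[3]})
    return {"imported": imported, "failures": failures}

def keyid_matches_fingerprint(key):
    # The short key ID dnf prints is the low 32 bits of the v4 fingerprint,
    # so a fingerprint that does not end in the key ID means a garbled log.
    return key["Fingerprint"].upper().endswith(key["keyid"])

def classify(report):
    # 'ok', 'key-mismatch' (keys imported, packages signed by another key), or 'pgp-failure'.
    if not report["failures"]:
        return "ok"
    if report["imported"] and any("didn't help" in f["reason"] for f in report["failures"]):
        return "key-mismatch"
    return "pgp-failure"

def summarize(text):
    report = parse_transaction_log(text)
    keys = sorted({k["Fingerprint"] for k in report["imported"]})  # dedupe repeated imports
    return classify(report), keys, [f["package"] for f in report["failures"]]
```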