Please review the system-wide change of updating RPM to latest upstream 6.0 release: https://fedoraproject.org/wiki/Changes/RPM-6.0
6.0 is the first version to support rpm v6 package format, but adopting that is explicitly NOT in scope here, so no mass-rebuilds needed (v6 compatibility is separately tracked in ticket #4200)
Releng could be affected by the signature/key related changes: rpm 6.0 ships with enforcing signature checking by default, and will refuse to install unsigned packages in that configuration. I'm not intimately aware of how exactly signing works in the Fedora infrastructure, but it's easy to see this could affect build-systems trying to install freshly built but not yet signed packages. That can be fairly easily worked around with a macro override to the previous default (%_pkgverify_level digest) if necessary.
%_pkgverify_level digest
mock and copr appear to work fine with this default in my daily use, but that usage covers limited ground.
Metadata Update from @phsmoura: - Issue tagged with: medium-gain, medium-trouble, ops
Yeah, I think there will need to be changes then.
None of the packages in the buildroot are signed, things are only signed later when they progress into updates/composes.
Not to mention common workflows for people downloading stuff from bodhi or koji don't return signed builds by default either, so that will need to change too.
Individual people downloading and installing stuff can always add --nosignature when installing stuff from those sources, it's a kind of a reminder that this isn't an entirely safe thing to do. But that's outside the scope of this ticket IMO, this is about keeping the buildsystem engine running in the first place.
Oh and just to be clear: this change doesn't affect reading or querying packages, only installing.
So I think only mock is affected, and at least as a stop-gap measure, adding config_opts['macros']['%_pkgverify_level'] = 'digest' to the mock rawhide template should keep things rolling until we figure out something more sophisticated.
config_opts['macros']['%_pkgverify_level'] = 'digest'
Sure, but packages people are downloading from Bodhi do have signed versions, just nothing returns them for download by default.
And I guess we need to adapt this for kiwi, as we default to not requiring signatures because of the build system thing.
I've filed a task to deal with this in kiwi upstream: https://github.com/OSInside/kiwi/issues/2743
Metadata Update from @jnsamyak: - Issue tagged with: changes, f43
In addition to the buildroot changes... I wonder if there will not need to be changes in our signing pipeline... sigul (or it's re-write).
Also, might there need to be koji changes? koji currently imports signatures for packages and 'writes out' signed copies on request.
If this will allow packages signed by multiple keys, that may need a good re-think on how koji handles them.
The new multi-signature format is only used by default for v6 packages, and Fedora 43 will build v4 packages by default, so on that front there are no need for immediate changes.
Of course, to support the multi-signature format, various signing servers need work, but it's not something that needs to happen to make this change possible. The multi-signature format is supported for v4 packages too, but one needs to explicitly request it from rpmsign. We'll need them for PQC support eventually, but that is again a whole other topic for another time.
Log in to comment on this ticket.