#52 Trusted keyring error trying f29 rebase
Closed 9 months ago Opened 10 months ago by mdhill.

I get a trusted keyring error trying to upgrade from f28 to f29:

$ rpm-ostree rebase fedora/29/x86_64/silverblue
error: Commit fb3618dd8dd5f3e40ccca7d3c5464e05c12afdcb2636401a54a4a69552074606:
GPG signatures found, but none are in trusted keyring

$ sudo ostree remote gpg-import fedora-workstation -k /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-29-primary
Imported 0 GPG keys to remote "fedora-workstation"

miabbott suggested trying to remove and re-add...

$ sudo ostree remote delete fedora-workstation
$ sudo ostree remote add fedora-workstation https://dl.fedoraproject.org/atomic/repo/
$ sudo ostree remote gpg-import fedora-workstation -k /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-29-primary
Imported 1 GPG key to remote "fedora-workstation"
$ rpm-ostree rebase fedora/29/x86_64/silverblue
error: Commit fb3618dd8dd5f3e40ccca7d3c5464e05c12afdcb2636401a54a4a69552074606:
GPG signatures found, but none are in trusted keyring
$ sudo rpm-ostree rebase fedora/29/x86_64/silverblue
error: Commit fb3618dd8dd5f3e40ccca7d3c5464e05c12afdcb2636401a54a4a69552074606:
GPG signatures found, but none are in trusted keyring

f28 still updates. After the first time I tried, I moved the hard drive to a new laptop for unrelated reasons.


I wasn't able to reproduce this on a test VM, so I'm at a loss for what's happening here.

I even suggested @mdhill remove the GPG key + remote, then re-add everything (i.e., rm /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-29-primary and curl -L -o /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-29-primary https://getfedora.org/static/429476B4.txt). But that didn't help either.

Is it possible the trusted keyring as a whole is corrupt?

@mdhill can you run rpm-ostree status and paste the output here?

and also the contents of the files in your /etc/ostree/remotes.d directory?

Somehow I sense something is missing.

$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://atomic:fedora/28/x86_64/workstation
Version: 28.20181027.0 (2018-10-27 16:02:21)
BaseCommit: 1692d98fe75635c855f619ecb5a6915b31d58cdc98de056714e346a17d0dbd23
GPGSignature: Valid signature by 128CF232A9371991C8A65695E08E7E629DB62FB1
LayeredPackages: flatpak-builder freecad

ostree://atomic:fedora/28/x86_64/workstation
Version: 28.20181023.0 (2018-10-23 20:51:48)
BaseCommit: 18195ddcd86a34da2a0871ca2d5cb95daa5345fcc302d9cf1b3138effa488880
GPGSignature: Valid signature by 128CF232A9371991C8A65695E08E7E629DB62FB1
LayeredPackages: flatpak-builder freecad

atomic.conf:
[remote "atomic"]
url=https://kojipkgs.fedoraproject.org/atomic/repo
gpgkeypath=/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-28-primary

fedora-workstation.conf:
[remote "fedora-workstation"]
url=https://dl.fedoraproject.org/atomic/repo/

fedora-ws-27.conf:
[remote "fedora-ws-27"]
url=https://dl.fedoraproject.org/ostree/27/
gpgkeypath=/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-primary

fedora-ws-rawhide.conf:
[remote "fedora-ws-rawhide"]
url=https://kojipkgs.fedoraproject.org/compose/ostree/rawhide/
gpg-verify=false

So if you edit the /etc/ostree/remotes.d/atomic.conf file and replace 28 with 29 in the gpgkeypath filename, then rpm-ostree rebase fedora/29/x86_64/silverblue should work just fine.

Thanks Dusty, Micah. It's working.

There were multiple remotes (atomic and fedora-workstation). This was mostly a case of applying the gpg import to the wrong remote, so it wasn't working properly.

Going to close this one out.

Metadata Update from @dustymabe:
- Issue status updated to: Closed (was: Open)

9 months ago


ohhhhh...I didn't even think to check that. You da man @dustymabe !
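
The check that resolved this ticket, as an added example that is not part of the original thread or of the ostree/rpm-ostree code: find the remote the booted deployment actually pulls from and compare its gpgkeypath with the target release. The function names are hypothetical; it assumes key files follow the RPM-GPG-KEY-fedora-N-primary naming seen above and that a remote without a gpg-verify line still verifies signatures.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Two of the remotes.d files pasted in the thread, written to a temp dir by demo().
THREAD_REMOTES = {
    "atomic.conf": '[remote "atomic"]\nurl=https://kojipkgs.fedoraproject.org/atomic/repo\n'
                   "gpgkeypath=/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-28-primary\n",
    "fedora-workstation.conf": '[remote "fedora-workstation"]\nurl=https://dl.fedoraproject.org/atomic/repo/\n',
}

def load_remotes(remotes_d):
    """Map remote name -> options from every *.conf in a remotes.d directory."""
    remotes = {}
    for conf in sorted(Path(remotes_d).glob("*.conf")):
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        cp.read(conf)
        for section in cp.sections():
            m = re.fullmatch(r'remote "(.+)"', section)
            if m:
                remotes[m.group(1)] = dict(cp[section])
    return remotes

def check_rebase(origin, release, remotes):
    """Return (remote, verdict) for rebasing the deployment at `origin` to `release`."""
    m = re.match(r"(?:ostree://)?([^:/]+):", origin)
    if not m or m.group(1) not in remotes:
        return (None, "origin remote not found in remotes.d")
    name, cfg = m.group(1), remotes[m.group(1)]
    # Assumption: a remote with no gpg-verify line still verifies signatures.
    if cfg.get("gpg-verify", "true").lower() == "false":
        return (name, "signature verification disabled")
    keypath = cfg.get("gpgkeypath")
    if keypath is None:
        return (name, "no gpgkeypath: relies on keys imported into this remote")
    key_rel = re.search(r"RPM-GPG-KEY-fedora-(\d+)-", keypath)  # assumes this file naming
    if key_rel and key_rel.group(1) != str(release):
        return (name, f"gpgkeypath is the Fedora {key_rel.group(1)} key, not {release}")
    return (name, "no release mismatch found in gpgkeypath")

def demo():
    with tempfile.TemporaryDirectory() as d:
        for fname, body in THREAD_REMOTES.items():
            Path(d, fname).write_text(body)
        remotes = load_remotes(d)
    return check_rebase("ostree://atomic:fedora/28/x86_64/workstation", 29, remotes)

if __name__ == "__main__":
    print(demo())
```

On a real system, pass /etc/ostree/remotes.d to load_remotes and the origin line from rpm-ostree status to check_rebase.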
