(Feedback) |
(announcing the change) |
||
(18 intermediate revisions by 2 users not shown) | |||
Line 4: | Line 4: | ||
== Summary == | == Summary == | ||
Implementing new logic in DNF5 to remove expired and obsolete | Implementing new logic in DNF5 to remove expired and obsolete repository keys from the system. | ||
== Owner == | == Owner == | ||
Line 11: | Line 11: | ||
== Current status == | == Current status == | ||
[[Category: | [[Category:ChangeAnnounced]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
Line 28: | Line 28: | ||
ON_QA -> change is fully code complete | ON_QA -> change is fully code complete | ||
--> | --> | ||
* [Announced] | * [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/SYL6WOCZZBDC6UE4GZOPVD2NXM5P6LIV/ Announced] | ||
* [ | * [https://discussion.fedoraproject.org/t/f42-change-proposal-dnf5-expired-keys-system-wide/138978 Discussion thread] | ||
* FESCo issue: <will be assigned by the Wrangler> | * FESCo issue: <will be assigned by the Wrangler> | ||
* Tracker bug: <will be assigned by the Wrangler> | * Tracker bug: <will be assigned by the Wrangler> | ||
Line 35: | Line 35: | ||
== Detailed Description == | == Detailed Description == | ||
We aim to address customer issues when installing RPM packages from repositories while outdated repository keys are present on the system. These issues include expired keys, obsolete signing algorithms (e.g., SHA1), or other problems that could be easily detected by tools like an RPM PGP linter. Currently, | We aim to address customer issues when installing RPM packages from repositories while outdated repository keys are present on the system. These issues include expired keys, obsolete signing algorithms (e.g., SHA1), or other problems that could be easily detected by tools like an RPM PGP linter. Currently, PGP checks fail, and users must manually remove expired keys using commands like `rpmkeys --delete`. | ||
The proposed solution is a new LIBDNF5 plugin. This plugin will act as a hook, checking for invalid repository PGP keys on the system before executing a DNF transaction. | The proposed solution is a new LIBDNF5 plugin. This plugin will act as a hook, checking for invalid repository PGP keys on the system before executing a DNF transaction. | ||
Line 44: | Line 44: | ||
By default, this behavior will be enabled in DNF5, with the option to disable it through configuration. | By default, this behavior will be enabled in DNF5, with the option to disable it through configuration. | ||
This enhancement stems from a request in [https://github.com/rpm-software-management/dnf5/issues/1192 upstream issue] and builds upon | This enhancement stems from a request in [https://github.com/rpm-software-management/dnf5/issues/1192 upstream issue] and builds upon [https://github.com/rpm-software-management/dnf-plugins-core/pull/533 the existing solution in DNF4]. Unlike DNF4's implementation, which is not enabled by default, this change will be integral to the default DNF5 functionality, aligning with its role as the primary package manager in Fedora. | ||
== Feedback == | == Feedback == | ||
The proposed solution has been discussed with affected users, including the Mock and Copr teams, as part of the discussions around [https://github.com/rpm-software-management/dnf-plugins-core/pull/533 the existing solution in DNF4]. | The proposed solution has been discussed with affected users, including the Mock and Copr teams, as part of the discussions around [https://github.com/rpm-software-management/dnf-plugins-core/pull/533 the existing solution in DNF4]. | ||
== Benefit to Fedora == | == Benefit to Fedora == | ||
This change enables the automatic management of repository keys during software installation or upgrades. | |||
== Scope == | == Scope == | ||
* Proposal owners: | * Proposal owners: | ||
** Implement a new LIBDNF5 plugin to manage repository PGP keys automatically. | |||
* Other developers: | * Other developers: | ||
** No additional work identified at this time. | |||
* Release engineering: [https://pagure.io/releng/ | * Release engineering: [https://pagure.io/releng/issue/12477 #12477] | ||
* Policies and guidelines: N/A (not needed for this Change) | * Policies and guidelines: N/A (not needed for this Change) | ||
* Trademark approval: N/A (not needed for this Change) | * Trademark approval: N/A (not needed for this Change) | ||
== Upgrade/compatibility impact == | |||
No compatibility or upgrade issues expected. | |||
== | == How To Test == | ||
A good reproducer is already described in [https://github.com/rpm-software-management/dnf5/issues/1192#issuecomment-2018483474 this comment] within the upstream issue. | |||
You can list all installed key hashes along with their names using: | |||
`rpmkeys --list` | |||
To query the key block info, use: | |||
`rpm -q --qf "%{DESCRIPTION}" gpg-pubkey-<KEYHASH>` (note: `rpmkeys --export <KEYHASH>` on newer RPM releases) | |||
< | |||
To get the end date in a human-readable format, run: | |||
`rpm -q --qf "%{DESCRIPTION}" gpg-pubkey-<KEYHASH> | gpg --show-keys --with-colon | cut -d':' -f7 | xargs -I{} date -d @{} | |||
` | |||
Note that not all keys have a defined end of validity date. | |||
You can also try running a transaction using a COPR repository with the `faketime` command from `libfaketime`: | |||
`faketime '+10years' dnf install <pkg_name_from_copr>` | |||
< | |||
The above should fail without the functionality introduced by this proposal. After deploying the new plugin, it should prompt the user about the expired PGP key and ask for removal. | |||
== User Experience == | |||
For interactive users, a prompt will appear informing them about each outdated key on the system and asking for confirmation to remove it. For non-interactive users, there will be no change to the workflow. | |||
== Dependencies == | == Dependencies == | ||
No additional work is expected. | |||
== Contingency Plan == | == Contingency Plan == | ||
* Contingency mechanism: Disable the new plugin from running by default. | |||
* Contingency deadline: Fedora 42 branching from Rawhide | |||
* Contingency mechanism: | * Blocks release? No | ||
* Contingency deadline: | |||
* Blocks release? | |||
== Documentation == | == Documentation == | ||
The new behavior will be documented in the upstream DNF5 documentation. | |||
== Release Notes == | == Release Notes == |
Latest revision as of 17:19, 3 December 2024
Managing expired PGP keys in DNF5
Summary
Implementing new logic in DNF5 to remove expired and obsolete repository keys from the system.
Owner
- Name: Jan Kolarik
- Email: jkolarik@redhat.com
Current status
- Targeted release: Fedora Linux 42
- Last updated: 2024-12-03
- Announced
- Discussion thread
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
We aim to address customer issues when installing RPM packages from repositories while outdated repository keys are present on the system. These issues include expired keys, obsolete signing algorithms (e.g., SHA1), or other problems that could be easily detected by tools like an RPM PGP linter. Currently, PGP checks fail, and users must manually remove expired keys using commands like rpmkeys --delete
.
The proposed solution is a new LIBDNF5 plugin. This plugin will act as a hook, checking for invalid repository PGP keys on the system before executing a DNF transaction.
- Interactive mode: The plugin will prompt the user to confirm the removal of each invalid key.
- Non-interactive mode (e.g., with
-y
or--assumeno
): The plugin will proceed automatically based on the specified user action, either removing the keys or retaining them.
By default, this behavior will be enabled in DNF5, with the option to disable it through configuration.
This enhancement stems from a request in upstream issue and builds upon the existing solution in DNF4. Unlike DNF4's implementation, which is not enabled by default, this change will be integral to the default DNF5 functionality, aligning with its role as the primary package manager in Fedora.
Feedback
The proposed solution has been discussed with affected users, including the Mock and Copr teams, as part of the discussions around the existing solution in DNF4.
Benefit to Fedora
This change enables the automatic management of repository keys during software installation or upgrades.
Scope
- Proposal owners:
- Implement a new LIBDNF5 plugin to manage repository PGP keys automatically.
- Other developers:
- No additional work identified at this time.
- Release engineering: #12477
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
No compatibility or upgrade issues expected.
How To Test
A good reproducer is already described in this comment within the upstream issue.
You can list all installed key hashes along with their names using:
rpmkeys --list
To query the key block info, use:
rpm -q --qf "%{DESCRIPTION}" gpg-pubkey-<KEYHASH>
(note: rpmkeys --export <KEYHASH>
on newer RPM releases)
To get the end date in a human-readable format, run:
rpm -q --qf "%{DESCRIPTION}" gpg-pubkey-<KEYHASH> | gpg --show-keys --with-colon | cut -d':' -f7 | xargs -I{} date -d @{}
Note that not all keys have a defined end of validity date.
You can also try running a transaction using a COPR repository with the faketime
command from libfaketime
:
faketime '+10years' dnf install <pkg_name_from_copr>
The above should fail without the functionality introduced by this proposal. After deploying the new plugin, it should prompt the user about the expired PGP key and ask for removal.
User Experience
For interactive users, a prompt will appear informing them about each outdated key on the system and asking for confirmation to remove it. For non-interactive users, there will be no change to the workflow.
Dependencies
No additional work is expected.
Contingency Plan
- Contingency mechanism: Disable the new plugin from running by default.
- Contingency deadline: Fedora 42 branching from Rawhide
- Blocks release? No
Documentation
The new behavior will be documented in the upstream DNF5 documentation.