From Fedora Project Wiki
Line 59: Line 59:
** No additional work identified at this time.
** No additional work identified at this time.


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering: [https://pagure.io/releng/issue/12477 #12477]
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->


* Policies and guidelines: N/A (not needed for this Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Policies and guidelines: N/A (not needed for this Change)
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. Please submit a pull request with the proposed changes before submitting your Change proposal. -->


* Trademark approval: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
<!-- If your Change may require trademark approval (for example, if it is a new Spin), file a ticket ( https://pagure.io/Fedora-Council/tickets/issues ) requesting trademark approval from the Fedora Council. This approval will be done via the Council's consensus-based process. -->


== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==

Revision as of 15:07, 26 November 2024

Managing expired PGP keys in DNF5

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Implementing new logic in DNF5 to remove expired and obsolete repository keys from the system.

Owner

Current status

  • Targeted release: Fedora Linux 42
  • Last updated: 2024-11-26
  • [Announced]
  • [<will be assigned by the Wrangler> Discussion thread]
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

We aim to address customer issues when installing RPM packages from repositories while outdated repository keys are present on the system. These issues include expired keys, obsolete signing algorithms (e.g., SHA1), or other problems that could be easily detected by tools like an RPM PGP linter. Currently, GPG checks fail, and users must manually remove expired keys using commands like rpm -e gpg-pubkey-....

The proposed solution is a new LIBDNF5 plugin. This plugin will act as a hook, checking for invalid repository PGP keys on the system before executing a DNF transaction.

  • Interactive mode: The plugin will prompt the user to confirm the removal of each invalid key.
  • Non-interactive mode (e.g., with -y or --assumeno): The plugin will proceed automatically based on the specified user action, either removing the keys or retaining them.

By default, this behavior will be enabled in DNF5, with the option to disable it through configuration.

This enhancement stems from a request in upstream issue and builds upon the existing solution in DNF4. Unlike DNF4's implementation, which is not enabled by default, this change will be integral to the default DNF5 functionality, aligning with its role as the primary package manager in Fedora.

Feedback

The proposed solution has been discussed with affected users, including the Mock and Copr teams, as part of the discussions around the existing solution in DNF4.

Benefit to Fedora

This change enables the automatic management of repository keys during software installation or upgrades.

Scope

  • Proposal owners:
    • Implement a new LIBDNF5 plugin to manage repository PGP keys automatically.
  • Other developers:
    • No additional work identified at this time.
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

No compatibility or upgrade issues expected.

How To Test

A good reproducer is already described in this comment within the upstream issue.

Repository PGP keys are stored as virtual RPM packages with names like gpg-pubkey-*. Not all keys have an end of validity date defined.

You can list all the key packages with:

rpm -q gpg-pubkey-*

To query information about a key, use:

rpm -q --qf "%{DESCRIPTION}" gpg-pubkey-3e0c55c2-62bacc45 | gpg --show-keys --with-colon

To get the end date in a human-readable format, run:

rpm -q --qf "%{DESCRIPTION}" gpg-pubkey-3e0c55c2-62bacc45 | gpg --show-keys --with-colon | cut -d':' -f7 | xargs -I{} date -d @{}

You can also try running a transaction using a COPR repository with the faketime command from libfaketime:

faketime '+10years' dnf install <pkg_name_from_copr>

The above should fail without the functionality introduced by this proposal. After deploying the new plugin, it should prompt the user about the expired PGP key and ask for removal.

User Experience

For interactive users, a prompt will appear informing them about each outdated key on the system and asking for confirmation to remove it. For non-interactive users, there will be no change to the workflow.

Dependencies

No additional work is expected.

Contingency Plan

  • Contingency mechanism: Disable the new plugin from running by default.
  • Contingency deadline: Fedora 42 branching from Rawhide
  • Blocks release? No

Documentation

The new behavior will be documented in the upstream dnf5 documentation.

Release Notes