On 4/9/23 16:05, Ian McInerney via devel wrote:
> I decided to put F38 onto my new machine from the start (so a clean
> install), and now it seems to have some errors with DNF/RPM that I
> haven't seen before on F37 when I tried the same thing.
>
> Specifically, I am trying to install packages from a 3rd-party
> repository (the Intel oneAPI repo), and it is throwing errors like:
>
> package intel-basekit-2023.1.0-46401.x86_64 does not verify: RSA
> signature: BAD (package tag 1002: invalid OpenPGP signature)
> package intel-hpckit-2023.1.0-46346.x86_64 does not verify: RSA
> signature: BAD (package tag 1002: invalid OpenPGP signature)
>
> There are two things I don't understand here.
>
> The first is, why does DNF/RPM in F38 fail to parse this GPG signature,
> while DNF/RPM on F37 does parse it?
https://fedoraproject.org/wiki/Changes/RpmSequoia
See the upgrade impact and user experience sections.
You should contact Intel about fixing their packages.
So we have pushed a change in Fedora where there is no nice way for a user to workaround it except by complaining to a company that probably doesn't care what normal users (e.g. non-paying customers) care about?
After further experimentation, I finally did find a way to do what I want (install these packages) - disable all package verification via the RPM macro. I initially found the option `tsflags=nocrypto` for DNF, but after putting that in the config file, it still didn't work (the man page for dnf.conf seems to suggest this should disable the checks that were failing here, but it didn't disable those). Falling back all the way to RPM with the --nosignature argument isn't an option here, because installing ~60 RPM packages manually is not going to fly. I eventually forced DNF to make RPM do it by setting `%_pkgverify_level none` inside `macros.verify`. I really don't want to use this large a hammer to fix this though, and would much rather the nocrypto option actually worked with DNF, so I could then disable it just for the one repo.