On 4/9/23 16:05, Ian McInerney via devel wrote:
> I decided to put F38 onto my new machine from the start (so a clean
> install), and now it seems to have some errors with DNF/RPM that I
> haven't seen before on F37 when I tried the same thing.
>
> Specifically, I am trying to install packages from a 3rd-party
> repository (the Intel oneAPI repo), and it is throwing errors like:
>
> package intel-basekit-2023.1.0-46401.x86_64 does not verify: RSA
> signature: BAD (package tag 1002: invalid OpenPGP signature)
> package intel-hpckit-2023.1.0-46346.x86_64 does not verify: RSA
> signature: BAD (package tag 1002: invalid OpenPGP signature)
>
> There are two things I don't understand here.
>
> The first is, why does DNF/RPM in F38 fail to parse this GPG signature,
> while DNF/RPM on F37 does parse it?
https://fedoraproject.org/wiki/Changes/RpmSequoia
See the upgrade impact and user experience sections.
You should contact Intel about fixing their packages.
So we have pushed a change in Fedora where there is no nice way for a user to workaround it except by complaining to a company that probably doesn't care what normal users (e.g. non-paying customers) care about?
Basically the problem is that several checksums and types of keys are considered highly insecure and will cause problems for large numbers of users who have systems which need to meet general security rules in various industries. These include the SHA1 and DSA encryption keys and there are requirements that operating systems no longer ship these as enabled for the operating system to be used in universities, health care, etc. Where in the past these sorts of things have been 'given' a long time for removal (aka the 10+ years for MD5), my understanding is that these are being pushed much faster and harder than before. [Mainly in that continued funding from both public and private organizations is tied to audits etc.] The push is going to come in several 'waves' with SHA1 and DSA marked as bad now and in 1-2 years, SHA256 and RSA keys below 4096. Like most rapid changes, there is always going to be a lot of grit in the gears for everyone trying to continue working outside of the change :/