RPM GPG key is not accepted by new RPM versions

refi64 (Community Member)

The directions for getting started on Linux instruct you to run the command:

sudo rpm --import https://downloads.1password.com/linux/keys/1password.asc

However this no longer works on Fedora 35, with the following error:

error: https://downloads.1password.com/linux/keys/1password.asc: key 1 import failed.

After going through rpm's git history to bisect the cause, it turned out to be this commit:

commit f22499a05d0a01e35dd10d7644f8d74391ba4222 (HEAD, refs/bisect/bad)
Author: Panu Matilainen <REDACTED>
Date:   Tue Jun 15 14:18:23 2021 +0300

    Reject unimplemented critical PGP packets as per RFC-4880

        Bit 7 of the subpacket type is the "critical" bit.  If set, it
        denotes that the subpacket is one that is critical for the evaluator
        of the signature to recognize.  If a subpacket is encountered that is
        marked critical but is unknown to the evaluating software, the
        evaluator SHOULD consider the signature to be in error.

    We only implement creation time and issuer keyid, everything else is
    unimplemented and should be flagged as an error if critical as per above.

    Initial patch by Demi Marie Obenour.

In other words, RPM has become more strict in how it interprets GPG keys, and thus 1password's GPG key is now invalid.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Fedora Silverblue 35

Comments

  • Hi @refi64, many thanks for the heads-up on this. I understand that we've reproduced and confirmed the issue on our end, and it's on our developers' list to fix. We do appreciate you highlighting this for us, and for the wonderful specificity you've provided here. Thanks from our team! 😀

    ref: dev/core/core#9858

  • @refi64 Oh, wow, thank you for this. I've been banging my head against this problem where my only clues were that our key and one other company's keys aren't working. You've given me the hint that may let me get this fixed.

  • @refi64 Again, thank you. Yesterday we published a fixed version of the PGP key that now works with the newer version of RPM. It's the same key, but we were able to remove the packets that RPM no longer supports.

  • refi64 (Community Member)

    Great to hear it was helpful! I've tested it locally, and the GPG key definitely seems to work.

  • sb56637 (Community Member)

    Hi there @Savanni, users of the Packman repository for openSUSE are running into the same issue with rpm rejecting a key that worked for years before. Could you please explain the process you used for removing the "critical" bit from the key, thus allowing the same key to be used with newer versions of rpm? Thanks in advance!

  • Hi, @sb56637.

    This critical bit was new to me. I was able to find them with gpg --list-packets 1password.asc. Since all of them were associated with signatures which had expiration dates on them, we stripped those signatures from the key and re-published the key.

    I never figured out how to strip individual signatures. I ran my tests just by stripping all of them. Our ops team dug in deeper and found the commands to strip only those signatures that had expiration times.

    And, of course, signatures don't impact the key itself.
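
The check that the rpm commit quoted in the opening post added, and the structural effect of the remedy described in the previous comment, as an added worked example (editor's code, not 1Password's, rpm's or GnuPG's): it walks an ASCII-armored key packet by packet, much as `gpg --list-packets` does, parses the hashed and unhashed subpacket areas of every v4 signature, and reports any subpacket whose critical bit (bit 7 of the type octet) is set but whose type is not one of the two the commit message says rpm implements, signature creation time (2) and issuer key ID (16). It then re-armors the key without the signature packets that carried such subpackets. Assumptions: the sample key is constructed placeholder bytes, not a real key, and it uses a critical key-expiration subpacket (type 9) to stand in for whatever the real 1Password key carried, which the thread does not identify; the code implements only as much of RFC 4880 as this needs (no partial-body or indeterminate lengths, v4 signatures only). `rpm --import` of a real key is the authoritative test.

```python
import base64
import struct

SIG_PACKET = 2
CREATION_TIME, KEY_EXPIRATION, ISSUER_KEYID = 2, 9, 16
IMPLEMENTED = {CREATION_TIME, ISSUER_KEYID}   # the two subpacket types rpm's parser implemented

def dearmor(text):
    """Raw packet bytes from an ASCII-armored block; armor headers and the CRC line are skipped."""
    body = text.strip().splitlines()[1:-1]                # drop the BEGIN/END lines
    start = next((i for i, l in enumerate(body) if not l.strip()), -1) + 1
    return base64.b64decode("".join(l.strip() for l in body[start:] if not l.startswith("=")))

def iter_packets(data):
    """Yield (tag, body) per RFC 4880 packet header; old and new formats, no partial bodies."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        assert hdr & 0x80, "bad packet header at offset %d" % pos
        if hdr & 0x40:                                    # new-format header
            tag, first = hdr & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old-format header: 1, 2 or 4 length octets
            tag, nlen = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            assert nlen != 8, "indeterminate length not supported"
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big"), pos + 1 + nlen
        yield tag, data[pos:pos + length]
        pos += length

def iter_subpackets(area):
    """Yield (type, critical, body); the length counts the type octet, whose bit 7 is 'critical'."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        kind = area[pos]
        yield kind & 0x7F, bool(kind & 0x80), area[pos + 1:pos + length]
        pos += length

def signature_subpackets(body):
    """[(area, type, critical)] from the hashed and unhashed areas of a v4 signature body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed, pos = body[6:6 + hashed_len], 6 + hashed_len
    unhashed = body[pos + 2:pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]]
    return [(area, kind, crit) for area, data in (("hashed", hashed), ("unhashed", unhashed))
            for kind, crit, _ in iter_subpackets(data)]

def unsupported_critical(armored):
    """(packet_index, area, subpacket_type) for every critical subpacket outside IMPLEMENTED."""
    return [(i, area, kind)
            for i, (tag, body) in enumerate(iter_packets(dearmor(armored))) if tag == SIG_PACKET
            for area, kind, crit in signature_subpackets(body) if crit and kind not in IMPLEMENTED]

def new_packet(tag, body):
    """New-format packet header with the shortest length encoding for body."""
    n = len(body)
    length = (bytes([n]) if n < 192
              else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF]) if n < 8384
              else b"\xff" + struct.pack(">I", n))
    return bytes([0xC0 | tag]) + length + body

def armor(packets):                                       # minimal armor: no headers, no CRC line
    b64 = base64.b64encode(b"".join(packets)).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["-----END PGP PUBLIC KEY BLOCK-----"])

def drop_rejected_signatures(armored):
    """Re-armor without the signature packets that carry unsupported critical subpackets."""
    return armor([new_packet(tag, body) for tag, body in iter_packets(dearmor(armored))
                  if tag != SIG_PACKET
                  or not any(c and k not in IMPLEMENTED for _, k, c in signature_subpackets(body))])

# Constructed sample (assumption, not a real key): placeholder key and user ID, plus a self-signature
# whose hashed area carries a *critical* key-expiration subpacket (type 9) next to a creation time.
def subpacket(kind, payload, critical=False):
    return bytes([len(payload) + 1, kind | (0x80 if critical else 0)]) + payload
_now = struct.pack(">I", 1623715200)                      # arbitrary creation time
_hashed = subpacket(CREATION_TIME, _now) + subpacket(KEY_EXPIRATION, struct.pack(">I", 365 * 86400), True)
_unhashed = subpacket(ISSUER_KEYID, bytes(range(8)))
_sig = (bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(_hashed)) + _hashed       # v4, certify, RSA, SHA-256
        + struct.pack(">H", len(_unhashed)) + _unhashed + b"\x00\x00\x00\x08\xab")  # left16 + dummy MPI
SAMPLE_KEY = armor([new_packet(6, bytes([4]) + _now + b"\x01\x00\x08\xab\x00\x08\x11"),  # public key
                    new_packet(13, b"Example <example@example.invalid>"),              # user ID
                    new_packet(SIG_PACKET, _sig)])                                    # self-signature
```

On the sample, `unsupported_critical(SAMPLE_KEY)` returns `[(2, "hashed", 9)]`, the self-signature at packet index 2, and after `drop_rejected_signatures` it returns an empty list with only the key and user ID packets left. Feed a real key with `unsupported_critical(open("1password.asc").read())`. The stripping function only shows what the remedy does to the packet stream: removing a self-signature also removes the expiration and the user ID binding it carried, so a published key should instead be edited with GnuPG (`gpg --edit-key`, then `delsig` or `expire`) and re-signed, and then tested with `rpm --import` on the affected rpm version.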

This discussion has been closed.