Description of problem:Cauldron will not update. Expired key. Version-Release number of selected component (if applicable): How reproducible: try to update Steps to Reproduce: 1.try to update with rpmdrake 2. 3. 00EDB89585B012A8916F0DF8B742FA8B80420F66 (Mageia Packages <packages@mageia.org>): 1. Certificate B742FA8B80420F66 invalid: certificate is not alive because: The primary key is not live because: Expired on 2025-12-31T20:58:32Z 2. Key B742FA8B80420F66 invalid: key is not alive because: The primary key is not live because: Expired on 2025-12-31T20:58:32Z)
1 installation transactions failed There was a problem during the installation: package lib64vlccore9-3.0.23-1.mga10.tainted.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package lib64vlc5-3.0.23-1.mga10.tainted.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package kernel-stable-testing-desktop-6.18.2-5.stabletesting.mga10-1-1.mga10.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package python3-botocore-1.42.19-1.mga10.noarch does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package lib64dav1d7-1.5.3-1.mga10.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package vlc-3.0.23-1.mga10.tainted.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package vlc-plugin-common-3.0.23-1.mga10.tainted.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package kernel-desktop-6.12.63-1.mga10-1-1.mga10.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package kernel-desktop-latest-6.12.63-1.mga10.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package vlc-plugin-gnutls-3.0.23-1.mga10.tainted.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package vlc-plugin-theora-3.0.23-1.mga10.tainted.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package vlc-plugin-pulse-3.0.23-1.mga10.tainted.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package vlc-plugin-opengl-3.0.23-1.mga10.tainted.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package vlc-plugin-vdpau-3.0.23-1.mga10.tainted.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package vlc-plugin-lua-3.0.23-1.mga10.tainted.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package vlc-plugin-samba-3.0.23-1.mga10.tainted.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package python3-boto3-1.42.19-1.mga10.noarch does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package kernel-stable-testing-desktop-latest-6.18.2-5.stabletesting.mga10.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package lib64bpf1-6.12.63-1.mga10.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package kernel-userspace-headers-6.12.63-1.mga10.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package rpmlint-mageia-policy-0.2.31-6.mga10.noarch does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package cpupower-6.12.63-1.mga10.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED package x11-driver-video-intel-2.99.917-74.mga10.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID 80420f66: NOTTRUSTED
Created attachment 15280 [details] update output
Seems fixed with: [root@localhost ~]# rpm -e gpg-pubkey-80420f66-4d4fe123 [root@localhost ~]# urpmi --auto-update --auto --force See attachment
Modern way to remove keys is to use rpmkeys. # rpmkeys --delete 80420f66-4d4fe123 Anyway, does rpmkeys show Mageia Packages public key? # rpmkeys --list If not, you should (re)import it. # rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Mageia
CC: (none) => jani.valimaa
[root@localhost ~]# rpmkeys --list 80420f66-4d4fe123: Mageia Packages <packages@mageia.org> public key I'll investigate more.
Thank you Stephen for the report. Thank you Jani for your comment. Ah: on M9 at least, $ sudo rpmkeys --list rpmkeys: --list: unknown option and there is no sign of --list in man or --help.
CC: (none) => lewyssmith
(In reply to Lewis Smith from comment #6) > Ah: on M9 at least, $ sudo rpmkeys --list > rpmkeys: --list: unknown option > and there is no sign of --list in man or --help. The bug is about Cauldron. rpmkeys --list and --delete was added in RPM 4.20.0. Mageia 9 has 4.18.2. rpmkeys should or can be used also when importing keys. # rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Mageia
(In reply to Stephen Germany from comment #5) > [root@localhost ~]# rpmkeys --list > 80420f66-4d4fe123: Mageia Packages <packages@mageia.org> public key > > I'll investigate more. I was wondering how the key could be imported as attachment 15280 [details] shows only key removal and forced urpmi update. That's why I wanted to be sure that the new key is also imported. Without any key urpmi package installs fails and works only with --force option unless rpm verification is fully disabled, which is not recommended at all.
I re-imported the key and all seems good today. I just updated with no error messages. But why the manual update/import of the key? Shouldn't that be automatic?
(In reply to Jani Välimaa from comment #8) > (In reply to Stephen Germany from comment #5) > > [root@localhost ~]# rpmkeys --list > > 80420f66-4d4fe123: Mageia Packages <packages@mageia.org> public key > > > > I'll investigate more. > I was wondering how the key could be imported as attachment 15280 [details] > shows only key removal and forced urpmi update. > > That's why I wanted to be sure that the new key is also imported. Without > any key urpmi package installs fails and works only with --force option > unless rpm verification is fully disabled, which is not recommended at all. I borrowed that from the Cauldron wiki page on updating to Cauldron. Figured that would import the key. I later used your method and it worked.
This problem is affecting some installation processes. Unsure whether it can be fixed or needs documenting in lieu.
CC: lewyssmith => (none)Assignee: bugsquad => pkg-bugs
CC: (none) => mrmazda
ATM there's nothing we can do in pkg'ing side as the key is already expired. Manual intervention and action is needed in any case. In hindsight, I can say that we should have applied the fix from bug 34920 way earlier, and also to Cauldron. Perhaps we should write a blog post how to check and update key, if needed, in Mageia 9 and Cauldron. Fresh Cauldron installs made after 2024-10-10 should already have updated key anyway.
CC: (none) => fri
fwiw i had to reinstall mageia-repos-keys # urpmi --replacepkgs mageia-repos-keys
CC: (none) => boulshet
(In reply to Jani Välimaa from comment #12) > ATM there's nothing we can do in pkg'ing side as the key is already expired. > Manual intervention and action is needed in any case. In hindsight, I can > say that we should have applied the fix from bug 34920 way earlier, and also > to Cauldron. > > Perhaps we should write a blog post how to check and update key, if needed, > in Mageia 9 and Cauldron. Fresh Cauldron installs made after 2024-10-10 > should already have updated key anyway. CC’ing Atelier Team for that.
CC: (none) => atelier-bugs, marja11
I can do a blog post but I would like to know the proper procedure. There are several mentioned here. Some they seem safe and proper: # rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Mageia # urpmi --replacepkgs mageia-repos-keys
CC: (none) => filip.komar
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=34918