Forum Discussion

Former Member's avatar
Former Member
4 years ago

RPM GPG key is not accepted by new RPM versions

The https://support.1password.com/install-linux/ instruct you to run the command:


sudo rpm --import https://downloads.1password.com/linux/keys/1password.asc

However this no longer works on Fedora 35, with the following error:


error: https://downloads.1password.com/linux/keys/1password.asc: key 1 import failed.

After going through rpm's git history to bisect the cause, it turned out to be https://github.com/rpm-software-management/rpm/commit/f22499a05d0a01e35dd10d7644f8d74391ba4222:

```
commit f22499a05d0a01e35dd10d7644f8d74391ba4222 (HEAD, refs/bisect/bad)
Author: Panu Matilainen
Date: Tue Jun 15 14:18:23 2021 +0300

Reject unimplemented critical PGP packets as per RFC-4880

    Bit 7 of the subpacket type is the "critical" bit.  If set, it
    denotes that the subpacket is one that is critical for the evaluator
    of the signature to recognize.  If a subpacket is encountered that is
    marked critical but is unknown to the evaluating software, the
    evaluator SHOULD consider the signature to be in error.

We only implement creation time and issuer keyid, everything else is
unimplemented and should be flagged as an error if critical as per above.

Initial patch by Demi Marie Obenour.

```

In other words, RPM has become more strict in how it interprets GPG keys, and thus 1password's GPG key is now invalid.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Fedora Silverblue 35

linux

6 Replies

  • Former Member's avatar
    Former Member
    4 years ago

    Hi, @sb56637.

    This critical bit was new to me. I was able to find them with gpg --list-packets 1password.asc. Since all of them were associated with signatures which had expiration dates on them, we stripped those signatures from the key and re-published the key.

    I never figured out how to strip individual signatures. I ran my tests just by stripping all of them. Our ops team dug in deeper and found the commands to strip only those signatures that had expiration times.

    And, of course, signatures don't impact the key itself.

  • Former Member's avatar
    Former Member
    4 years ago

    Hi there @Savanni , users of the Packman repository for openSUSE are running into the same issue with rpm rejecting a key that worked for years before. Could you please explain the process you used for removing the "critical" bit from the key, thus allowing the same key to be used with newer version of rpm? Thanks in advance!

  • Former Member's avatar
    Former Member
    4 years ago

    Great to hear it was helpful! I've tested it locally, and the GPG key definitely seems to work.

  • Former Member's avatar
    Former Member
    4 years ago

    @refi64 Again, thank you. Yesterday we published a fixed version of the PGP key that now works with the newer version of RPM. It's the same key, but we were able to remove the packets that RPM no longer supports.

  • Former Member's avatar
    Former Member
    4 years ago

    @refi64 Oh, wow, thank you for this. I've been banging my head against this problem where my only clues were that our key and one other company's keys aren't working. You've given me the hint that may let me get this fixed.

  • 1P_PeterG's avatar
    1P_PeterG
    Icon for Community Manager rankCommunity Manager
    4 years ago

    Hi @refi64, many thanks for the heads-up on this. I understand that we've reproduced and confirmed the issue on our end, and it's on our developers' list to fix. We do appreciate you highlighting this for us, and for the wonderful specificity you've provided here. Thanks from our team! 😀

    ref: dev/core/core#9858