Certificate issue with the COPR repo... #82

Closed
purpleidea opened this issue Aug 6, 2024 · 2 comments

Something happened recently with the copr?

error: Verifying a signature using certificate F793DA6238C5E0BD179C1034CF74504F104B5281 (gsauthof_dracut-sshd (None) <gsauthof#[email protected]>):
  1. Certificiate CF74504F104B5281 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2024-01-25T18:32:39Z
  2. Key CF74504F104B5281 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2024-01-25T18:32:39Z
error: Verifying a signature using certificate F793DA6238C5E0BD179C1034CF74504F104B5281 (gsauthof_dracut-sshd (None) <gsauthof#[email protected]>):
  1. Certificiate CF74504F104B5281 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2024-01-25T18:32:39Z
  2. Key CF74504F104B5281 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2024-01-25T18:32:39Z
Copr repo for dracut-sshd owned by gsauthof     7.4 kB/s | 1.0 kB     00:00
GPG key at https://download.copr.fedorainfracloud.org/results/gsauthof/dracut-sshd/pubkey.gpg (0x104B5281) is already installed
The GPG keys listed for the "Copr repo for dracut-sshd owned by gsauthof" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: dracut-sshd-0.6.7-1.fc39.noarch
 GPG Keys are configured as: https://download.copr.fedorainfracloud.org/results/gsauthof/dracut-sshd/pubkey.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

gsauthof (Owner) commented Aug 6, 2024

Hm, this is news to me!

My usage of copr is pretty basic, i.e. I simply trigger builds manually and the repository keys are automagically generated and maintained by the copr service.

I recently triggered a new build since there wasn't a f40 native build yet and a few changes have been in the pipeline.


I can reproduce the issue right now:

# dnf update dracut-sshd
Last metadata expiration check: 0:23:22 ago on Wed Aug  7 00:16:34 2024.
Dependencies resolved.
==========================================================================================================================================
 Package                Architecture      Version                    Repository                                                      Size
==========================================================================================================================================
Upgrading:
 dracut-sshd            noarch            0.6.7-1.fc39               copr:copr.fedorainfracloud.org:gsauthof:dracut-sshd             20 k

Transaction Summary
==========================================================================================================================================
Upgrade  1 Package

Total size: 20 k
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] dracut-sshd-0.6.7-1.fc39.noarch.rpm: Already downloaded                                                                        
error: Verifying a signature using certificate F793DA6238C5E0BD179C1034CF74504F104B5281 (gsauthof_dracut-sshd (None) <gsauthof#[email protected]>):
  1. Certificate CF74504F104B5281 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2024-01-25T18:32:39Z
  2. Key CF74504F104B5281 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2024-01-25T18:32:39Z
error: Verifying a signature using certificate F793DA6238C5E0BD179C1034CF74504F104B5281 (gsauthof_dracut-sshd (None) <gsauthof#[email protected]>):
  1. Certificate CF74504F104B5281 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2024-01-25T18:32:39Z
  2. Key CF74504F104B5281 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2024-01-25T18:32:39Z
Copr repo for dracut-sshd owned by gsauthof                                                               4.0 kB/s | 1.0 kB     00:00    
GPG key at https://download.copr.fedorainfracloud.org/results/gsauthof/dracut-sshd/pubkey.gpg (0x104B5281) is already installed
The GPG keys listed for the "Copr repo for dracut-sshd owned by gsauthof" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: dracut-sshd-0.6.7-1.fc39.noarch
 GPG Keys are configured as: https://download.copr.fedorainfracloud.org/results/gsauthof/dracut-sshd/pubkey.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

It seems that I have to improve the error reporting of my dnf-auto-update cron job ...


The gpg key on my system reads:

# rpm -qi gpg-pubkey-104b5281-5c4ca7c7
Name        : gpg-pubkey
Version     : 104b5281
Release     : 5c4ca7c7
Architecture: (none)
Install Date: Sun Nov  7 15:10:14 2021
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Sat Jan 26 19:32:39 2019
Build Host  : localhost
Packager    : gsauthof_dracut-sshd (None) <gsauthof#[email protected]>
Summary     : gsauthof_dracut-sshd (None) <gsauthof#[email protected]> public key
Description :

That system was upgraded the last few fedora releases via dnf system-upgrade.

So it looks like the copr client integration for some reason doesn't take care of importing follow-up public keys that are generated on the copr server side, i.e. in time before the original one expires.

Thus, it appears that this is still the key that was imported when I added that copr repository via dnf copr enable, a few years ago.


Ok, there is an open upstream copr bug report about this:

Prolonged GPG keys are not updated on the system (2894)

gsauthof (Owner) commented Aug 6, 2024

FWIW, a work-around:

rpm -e gpg-pubkey-104b5281-5c4ca7c7
dnf update dracut-sshd

This pulls in the latest/greatest public key like this:

[..]
Downloading Packages:
[SKIPPED] dracut-sshd-0.6.7-1.fc39.noarch.rpm: Already downloaded                                                                        
Copr repo for dracut-sshd owned by gsauthof                                                               4.0 kB/s | 1.0 kB     00:00    
Importing GPG key 0x104B5281:
 Userid     : "gsauthof_dracut-sshd (None) <gsauthof#[email protected]>"
 Fingerprint: F793 DA62 38C5 E0BD 179C 1034 CF74 504F 104B 5281
 From       : https://download.copr.fedorainfracloud.org/results/gsauthof/dracut-sshd/pubkey.gpg
Is this ok [y/N]: y
Key imported successfully
[..]
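
An added example, not part of the original thread: a check that finds expired keys among the `gpg-pubkey` packages in the rpm database before a `dnf` transaction fails on them, and prints the package name to pass to `rpm -e`. It assumes GnuPG's `--with-colons` listing (key ID in field 5, creation and expiry as epoch seconds in fields 6 and 7) and the `gpg-pubkey-<last 8 hex digits of key ID>-<creation time in hex>` naming seen above; the sample listing is constructed from the dates and fingerprint in this issue, with the other fields and the two extra keys made up.

```shell
#!/bin/sh
# Constructed sample of `gpg --show-keys --with-colons` output.
# Key 1 uses the key ID, creation and expiry times reported in this issue;
# keys 2 and 3 are made-up controls (future expiry, no expiry).
SAMPLE='pub:e:2048:1:CF74504F104B5281:1548527559:1706207559::-:::sc:
fpr:::::::::F793DA6238C5E0BD179C1034CF74504F104B5281:
pub:-:4096:1:AAAAAAAABBBBBBBB:1600000000:2000000000::-:::sc:
pub:-:4096:1:CCCCCCCCDDDDDDDD:1600000000:::-:::sc:'

# expired_pubkeys NOW
# Reads colon-format key records on stdin and prints, for every primary key
# whose expiry is at or before NOW (epoch seconds):
#   <rpm gpg-pubkey package name> <expiry epoch>
# Keys without an expiry (empty field 7) are skipped.
expired_pubkeys() {
    awk -F: -v now="$1" '
        $1 == "pub" && $7 != "" && $7 + 0 <= now + 0 {
            short = tolower(substr($5, length($5) - 7))   # last 8 hex digits
            printf "gpg-pubkey-%s-%08x %s\n", short, $6, $7
        }'
}

# scan_rpmdb
# Runs the check against every key imported into the rpm database.
# Needs rpm and gpg; the armored key is stored in the package description.
scan_rpmdb() {
    now=$(date +%s)
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' |
    while read -r pkg; do
        rpm -q --qf '%{DESCRIPTION}\n' "$pkg" |
            gpg --show-keys --with-colons 2>/dev/null |
            expired_pubkeys "$now"
    done
}

# Run with --scan on a Fedora/RHEL host; without it only the functions load.
if [ "${1:-}" = "--scan" ]; then
    scan_rpmdb
fi
```

When a key is removed and re-imported as in the work-around, compare the fingerprint `dnf` shows at the import prompt with the one previously installed; here both are F793 DA62 38C5 E0BD 179C 1034 CF74 504F 104B 5281.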
