-
Bug
-
Resolution: Unresolved
-
Undefined
-
None
-
rhel-10.1
-
None
-
None
-
Moderate
-
image-builder
-
None
-
False
-
False
-
-
None
-
None
-
None
-
None
-
Unspecified
-
Unspecified
-
Unspecified
-
None
What were you trying to do that didn't work?
Trying to build a RHEL9 image on a RHEL10 system running osbuild, I get an issue with rpmkeys --checksig:
# composer-cli compose log 444cc936-ea70-4f14-b691-90b1ff7bc5b7 Pipeline: build Stage: org.osbuild.rpm Output: /usr/lib/tmpfiles.d/libstoragemgmt.conf:1: Failed to resolve group 'libstoragemgmt': No such process /usr/lib/tmpfiles.d/libstoragemgmt.conf:2: Failed to resolve group 'libstoragemgmt': No such process Failed to open file "/sys/fs/selinux/checkreqprot": Read-only file system imported gpg key Signature check failed on sha256:e87f53dcded2682c18f939e9f310505ca8e1da8a24543a44912af430a1658935, lookup package name in manifest. Traceback (most recent call last): File "/run/osbuild/bin/org.osbuild.rpm", line 260, in <module> r = main(args["tree"], args["inputs"], args["options"]) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/run/osbuild/bin/org.osbuild.rpm", line 162, in main subprocess.run([ File "/usr/lib64/python3.12/subprocess.py", line 571, in run raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '['rpmkeys', '--root', '/run/osbuild/tree', '--checksig', 'sha256:e87f53dcded2682c18f939e9f310505ca8e1da8a24543a44912af430a1658935']' returned non-zero exit status 1.
The system is fully updated to latest bits:
# rpm -qa | grep osbuild
python3-osbuild-158-1.el10.noarch
osbuild-selinux-158-1.el10.noarch
osbuild-158-1.el10.noarch
osbuild-luks2-158-1.el10.noarch
osbuild-lvm2-158-1.el10.noarch
osbuild-ostree-158-1.el10.noarch
osbuild-depsolve-dnf-158-1.el10.noarch
osbuild-composer-worker-149-4.el10_1.x86_64
osbuild-composer-core-149-4.el10_1.x86_64
osbuild-composer-149-4.el10_1.x86_64
# yum update
Updating Subscription Management repositories.
Last metadata expiration check: 0:27:26 ago on Wed 25 Feb 2026 08:40:32 AM CET.
Dependencies resolved.
Nothing to do.
Complete!
What is the impact of this issue to you?
Can't build RHEL9 images
Please provide the package NVR for which the bug is seen:
python3-osbuild-158-1.el10.noarch
osbuild-selinux-158-1.el10.noarch
osbuild-158-1.el10.noarch
osbuild-luks2-158-1.el10.noarch
osbuild-lvm2-158-1.el10.noarch
osbuild-ostree-158-1.el10.noarch
osbuild-depsolve-dnf-158-1.el10.noarch
osbuild-composer-worker-149-4.el10_1.x86_64
osbuild-composer-core-149-4.el10_1.x86_64
osbuild-composer-149-4.el10_1.x86_64
How reproducible is this bug?
Always
Steps to reproduce
- Push a minimal blueprint
# cat test_minimal_97.toml name = "TEST_MINIMAL_9" description = "RHEL9" distro = "rhel-9.7" # composer-cli blueprints push test_minimal_97.toml
- Build an image
# composer-cli compose start TEST_MINIMAL_9 qcow2
Expected results
Success
Actual results
Failure checking RPM signature of packages.
Additional information
Stracing shows:
6176 08:14:35.727444 execve("/usr/bin/rpmkeys", ["rpmkeys", "--root", "/run/osbuild/tree", "--checksig", "sha256:e87f53dcded2682c18f939e9f310505ca8e1da8a24543a44912af430a1658935"], ["container=bwrap-osbuild", "LC_CTYPE=C.UTF-8", "PATH=/usr/sbin:/usr/bin", "PYTHONPATH=/run/osbuild/lib", "PYTHONUNBUFFERED=1", "TERM=dumb", "PWD=/"] <unfinished ...> 6176 08:14:35.727531 <... execve resumed>) = 0 <0.000074> : 6176 08:14:35.749537 write(1</dev/null<char 1:3>>, " digests", 8) = 8 <0.000008> 6176 08:14:35.749575 write(1</dev/null<char 1:3>>, " SIGNATURES", 11) = 11 <0.000006> 6176 08:14:35.749596 write(1</dev/null<char 1:3>>, " NOT OK\n", 8) = 8 <0.000006>
Which tends to indicate that the GPG keys used by the temporary root are not accurate.
