RHEL-32291

PackageKit does not handle some install errors correctly


    • Bug
    • Resolution: Won't Do
    • rhel-9.5
    • PackageKit
    • rhel-display-hw-multimedia
    • ssg_display
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      To install a package signed using a key with an old hash algorithm (SHA1).

      Please provide the package NVR for which the bug is seen:

      PackageKit-1.2.6-1.el9.x86_64

      How reproducible:

      Always

      Steps to reproduce

      1. Install createrepo_c:
        sudo dnf install createrepo_c
        
      2. Download pk-test-repo.tar.bz2 (see attachments)
      3. Unpack and set up the repo:
        tar -C /tmp -xf pk-test-repo.tar.bz2
        createrepo /tmp/pk-test-repo/
        sudo cp -av /tmp/pk-test-repo/pk-test-repo.repo /etc/yum.repos.d/
        sudo restorecon /etc/yum.repos.d/pk-test-repo.repo
        
      4. Try to install "test-pkg" package by one of:
        sudo pkcon install test-pkg
        sudo pkcon -p -y install test-pkg
        

      Expected results

      Either install the package after answering "y" to the "Do you want to allow installing of unsigned software?" question, or print a meaningful error message / warning that it is not possible to install the package, like dnf does:

      $ sudo dnf install test-pkg
      ...
      Importing GPG key 0xCADAF80D:
       Userid     : "Tester (Dummy GPG KEY with no passphrase) <tester@test.test>"
       Fingerprint: 561E 290B 79EC B69D A6E8 2336 6F52 9DEF CADA F80D
       From       : /tmp/pk-test-repo/RPM-GPG-KEY-CADAF80D.ascii.pub
      Is this ok [y/N]: y
      warning: Signature not supported. Hash algorithm SHA1 not available.
      Key import failed (code 2). Failing package is: test-pkg-1.0-1.noarch
       GPG Keys are configured as: file:///tmp/pk-test-repo/RPM-GPG-KEY-CADAF80D.ascii.pub
      Error: GPG check FAILED
      

      Actual results

      1. sudo pkcon install test-pkg asks "Do you want to allow installing of unsigned software?", but answering "y" ends up with the same question again and again:

      Do you want to allow installing of unsigned software? [N/y] y
      
                                    [=========================]         
      Querying                      [=========================]         
      Installing                    [=========================]         
      Finished                      [                         ] (0%)  
      Do you want to allow installing of unsigned software? [N/y] y
      ...
      

      2. sudo pkcon -p -y install test-pkg ends up in a loop:

      Transaction:	Installing
      Status: 	Waiting in queue
      Status: 	Waiting for authentication
      Status: 	Waiting in queue
      Status: 	Starting
      Status: 	Querying
      Status: 	Finished
      Transaction:	Installing
      Status: 	Waiting in queue
      Status: 	Waiting for authentication
      Status: 	Waiting in queue
      Status: 	Starting
      Status: 	Querying
      Status: 	Finished
      Transaction:	Installing
      ...
      

      In both cases, the package is not installed.
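      The step that actually fails above is the key import: the key's signatures use SHA1, which the RHEL 9 crypto policy refuses, and PackageKit then loops instead of reporting it. The following script is an added example written for this page (not part of the bug report or of PackageKit): it parses an RPM-GPG-KEY file (ASCII-armored or binary, RFC 4880 packets) and lists the hash algorithms used by the key's signatures, so a repository key can be vetted before it is dropped into /etc/yum.repos.d. The sample key it builds is constructed; pointing it at a real file such as the report's RPM-GPG-KEY-CADAF80D.ascii.pub is the intended use.

```python
import base64
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

def dearmor(data: bytes) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, headers, optional CRC24 line) if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data                                       # already binary packets
    body = data.decode("ascii", "replace").replace("\r", "").split("\n\n", 1)[1].split("\n-----END")[0]
    return base64.b64decode("".join(ln for ln in body.split("\n") if not ln.startswith("=")))

def iter_packets(data: bytes):
    """Yield (tag, body) for every RFC 4880 packet, old- or new-format header."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if hdr & 0x40:                                    # new-format header
            tag, o1 = hdr & 0x3F, data[pos + 1]
            if o1 < 192:
                length, pos = o1, pos + 2
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif o1 == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old-format header
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            if not (hdr & 0x80) or not size:
                raise ValueError(f"unsupported packet header at offset {pos}")
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        yield tag, data[pos:pos + length]
        pos += length

def check_key(key_data: bytes) -> tuple:
    """Return (hash name of every signature in the key, the subset RHEL 9 refuses)."""
    hashes = []
    for tag, body in iter_packets(dearmor(key_data)):
        if tag == 2:                                      # signature packet
            algo = body[16] if body[0] == 3 else body[3]  # v3 layout differs from v4+
            hashes.append(HASH_ALGOS.get(algo, f"unknown({algo})"))
    return hashes, set(hashes) & {"MD5", "SHA1"}          # SHA1 is the case in the report

def sample_key(hash_id: int) -> bytes:
    """Constructed armored stand-in for an RPM-GPG-KEY file: dummy key, UID, one v4 self-sig."""
    def pkt(tag, body):                                   # old-format header, 2-byte length
        return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body
    raw = (pkt(6, bytes([4, 0, 0, 0, 0, 1]) + b"\x00\x08\x80")
           + pkt(13, b"Tester (constructed) <tester@test.test>")
           + pkt(2, bytes([4, 0x13, 1, hash_id]) + bytes(6) + b"\x00\x08\x80"))
    return b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(raw) + b"\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

Run `check_key(open("/path/to/RPM-GPG-KEY-file", "rb").read())` on a real key; a non-empty second element means dnf and pkcon will fail the import exactly as shown above.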

              rhn-engineering-rhughes Richard Hughes
              rhn-support-bmilar Bohdan Milar