[Rpm-maint] [rpm-software-management/rpm] Calling rpmKeyringAddKey on a subkey should not error out (Issue #3954)
Adam Williamson
notifications at github.com
Thu Sep 18 15:35:26 UTC 2025
AdamWill created an issue (rpm-software-management/rpm#3954)
**Describe the bug**
As discussed in https://bugzilla.redhat.com/show_bug.cgi?id=2372978 - see especially comment 17 onwards - it appears that, in RPM 6, calling `rpmKeyringAddKey()` on a subkey can cause an error. Possibly doing it on any subkey, possibly only doing it on a subkey that has already been added (e.g. via RPM 6's new 'automatically import subkeys' behavior). This caused problems in Fedora because libdnf currently has [its own implementation of finding and importing the subkeys](https://github.com/rpm-software-management/libdnf/blob/91a0bf9aada36a722855051526f012e0b5ab1af9/libdnf/dnf-keyring.cpp#L134) when adding new keys. So libdnf adds the main key - which, with RPM 6, causes rpm to add the subkeys - then finds and tries to add the subkeys itself, by calling `rpmKeyringAddKey()` on each one. With RPM 4 this was the right thing to do, and it worked. With RPM 6 it causes errors.
libdnf will change behavior to skip subkey import when running against RPM 6, but it still seems like this might be an unexploded footgun in other cases, so maybe it should change.
**To Reproduce**
Steps to reproduce the behavior:
1. Install a Fedora 43 Workstation system - https://dl.fedoraproject.org/pub/alt/stage/43_Beta-1.3/Workstation/x86_64/iso/Fedora-Workstation-Live-43_Beta-1.3.x86_64.iso
2. During first boot, say yes when asked if you want to enable third-party repositories (this enables the google-chrome repository, which uses a key file with subkeys)
3. Run GNOME Software and try to install any package
4. You should see an "Install Unsigned Software?" dialog, with an error message "failed to add subkeys for /var/cache/PackageKit/43/metadata/google-chrome-43-x86_64/linux_signing_key.pub to rpmdb". You won't be able to get rid of this - clicking through it just makes it come back.
There are probably much easier ways to reproduce this, but that's the one I know about for sure.
**Expected behavior**
No errors when using a repository whose key has subkeys.
**Output**
See above - `failed to add subkeys for /var/cache/PackageKit/43/metadata/google-chrome-43-x86_64/linux_signing_key.pub to rpmdb`. In fact we also get errors for 20+ older Fedora key files that also have subkeys. Having the google-chrome repo enabled seems to cause PackageKit/libdnf to get stuck in a loop where it throws the errors every second. If you don't have the google-chrome repo enabled it shows the errors for the Fedora keys once, but doesn't get stuck in a loop or block package operations, AFAICT.
**Environment**
- Fedora 43
- rpm-5.99.91-5.fc43
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3954