Skip to content

vmupdate: answer "yes" to the import key question #194

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 26, 2025
Merged

vmupdate: answer "yes" to the import key question #194

merged 1 commit into from
Jun 26, 2025

Conversation

marmarek
Copy link
Member

When fetching repository metadata for the first time, dnf will ask for
confirmation on importing metadata signing key. Since the key is
imported from the local filesystem, it's safe to do, so do it
automatically.

QubesOS/qubes-issues#9807

@marmarek
vmupdate: answer "yes" to the import key question
5ee0faa 
When fetching repository metadata for the first time, dnf will ask for
confirmation on importing metadata signing key. Since the key is
imported from the local filesystem, it's safe to do, so do it
automatically.

QubesOS/qubes-issues#9807
This was referenced Jun 18, 2025
Open
Merged
@qubesos-bot
Copy link

qubesos-bot commented Jun 18, 2025
edited
Loading

OpenQA test summary

Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025062603-4.3&flavor=pull-requests

Test run included the following:

New failures, excluding unstable

Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025061004-4.3&flavor=update

  • system_tests_extra

    • TC_00_QVCTest_whonix-gateway-17: test_010_screenshare (failure)
      ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^... AssertionError: 0 == 0

  • system_tests_qwt_win10@hw13

    • windows_install: Failed (test died)
      # Test died: command 'script -e -c 'bash -x /usr/bin/qvm-create-win...

  • system_tests_qwt_win10_seamless@hw13

    • windows_clipboard_and_filecopy: unnamed test (unknown)
    • windows_clipboard_and_filecopy: Failed (test died)
      # Test died: no candidate needle with tag(s) 'windows-Edge-address-...

  • system_tests_qwt_win11@hw13

    • windows_install: Failed (test died)
      # Test died: command 'script -e -c 'bash -x /usr/bin/qvm-create-win...

  • system_tests_guivm_vnc_gui_interactive

    • clipboard_and_web: unnamed test (unknown)
    • clipboard_and_web: Failed (test died)
      # Test died: no candidate needle with tag(s) 'qubes-website' matche...

Failed tests

13 failures

  • system_tests_extra

    • TC_00_QVCTest_whonix-gateway-17: test_010_screenshare (failure)
      ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^... AssertionError: 0 == 0

    • TC_00_QVCTest_whonix-workstation-17: test_010_screenshare (failure)
      AssertionError: 1 != 0 : Timeout waiting for /dev/video0 in test-in...

  • system_tests_kde_gui_interactive

    • gui_keyboard_layout: wait_serial (wait serial expected)
      # wait_serial expected: "echo -e '[Layout]\nLayoutList=us,de' | sud...

    • gui_keyboard_layout: wait_serial (wait serial expected)
      # wait_serial expected: qr/JmOTS-\d+-/...

    • gui_keyboard_layout: Failed (test died + timed out)
      # Test died: command 'echo -e '[Layout]...

    • gui_keyboard_layout: wait_serial (wait serial expected)
      # wait_serial expected: "# "...

    • gui_keyboard_layout: wait_serial (wait serial expected)
      # wait_serial expected: qr/2E8vz-\d+-/...

  • system_tests_qwt_win10@hw13

    • windows_install: Failed (test died)
      # Test died: command 'script -e -c 'bash -x /usr/bin/qvm-create-win...

  • system_tests_qwt_win10_seamless@hw13

    • windows_clipboard_and_filecopy: unnamed test (unknown)
    • windows_clipboard_and_filecopy: Failed (test died)
      # Test died: no candidate needle with tag(s) 'windows-Edge-address-...

  • system_tests_qwt_win11@hw13

    • windows_install: Failed (test died)
      # Test died: command 'script -e -c 'bash -x /usr/bin/qvm-create-win...

  • system_tests_guivm_vnc_gui_interactive

    • clipboard_and_web: unnamed test (unknown)
    • clipboard_and_web: Failed (test died)
      # Test died: no candidate needle with tag(s) 'qubes-website' matche...

Fixed failures

Compared to: https://openqa.qubes-os.org/tests/142375#dependencies

10 fixed

Unstable tests

Performance Tests

Performance degradation:

6 performance degradations
  • debian-12-xfce_exec-data-simplex: 72.82 🔺 ( previous job: 65.51, degradation: 111.16%)
  • whonix-gateway-17_exec-data-duplex-root: 100.54 🔺 ( previous job: 90.74, degradation: 110.80%)
  • dom0_root_rnd4k_q1t1_read 3:read_bandwidth_kb: 7521.00 :small_red_triangle: ( previous job: 11086.00, degradation: 67.84%)
  • dom0_varlibqubes_seq1m_q8t1_write 3:write_bandwidth_kb: 35661.00 :small_red_triangle: ( previous job: 122848.00, degradation: 29.03%)
  • dom0_varlibqubes_seq1m_q1t1_write 3:write_bandwidth_kb: 143368.00 :small_red_triangle: ( previous job: 167872.00, degradation: 85.40%)
  • dom0_varlibqubes_rnd4k_q32t1_write 3:write_bandwidth_kb: 6935.00 :small_red_triangle: ( previous job: 8874.00, degradation: 78.15%)

Remaining performance tests:

66 tests
  • debian-12-xfce_exec: 6.62 🟢 ( previous job: 8.63, improvement: 76.72%)
  • debian-12-xfce_exec-root: 30.33 🔺 ( previous job: 29.44, degradation: 103.05%)
  • debian-12-xfce_socket: 9.23 🔺 ( previous job: 8.50, degradation: 108.62%)
  • debian-12-xfce_socket-root: 7.87 🟢 ( previous job: 8.31, improvement: 94.62%)
  • debian-12-xfce_exec-data-duplex: 76.27 🔺 ( previous job: 73.55, degradation: 103.71%)
  • debian-12-xfce_exec-data-duplex-root: 69.42 🟢 ( previous job: 70.01, improvement: 99.15%)
  • debian-12-xfce_socket-data-duplex: 165.24 🔺 ( previous job: 161.35, degradation: 102.41%)
  • fedora-42-xfce_exec: 9.05
  • fedora-42-xfce_exec-root: 57.98
  • fedora-42-xfce_socket: 7.78
  • fedora-42-xfce_socket-root: 8.14
  • fedora-42-xfce_exec-data-simplex: 76.24
  • fedora-42-xfce_exec-data-duplex: 75.10
  • fedora-42-xfce_exec-data-duplex-root: 111.90
  • fedora-42-xfce_socket-data-duplex: 154.09
  • whonix-gateway-17_exec: 6.30 🟢 ( previous job: 7.34, improvement: 85.82%)
  • whonix-gateway-17_exec-root: 38.51 🟢 ( previous job: 39.57, improvement: 97.30%)
  • whonix-gateway-17_socket: 6.87 🟢 ( previous job: 7.85, improvement: 87.49%)
  • whonix-gateway-17_socket-root: 6.76 🟢 ( previous job: 7.89, improvement: 85.59%)
  • whonix-gateway-17_exec-data-simplex: 78.59 🔺 ( previous job: 77.76, degradation: 101.06%)
  • whonix-gateway-17_exec-data-duplex: 68.70 🟢 ( previous job: 78.39, improvement: 87.64%)
  • whonix-gateway-17_socket-data-duplex: 174.40 🔺 ( previous job: 161.95, degradation: 107.69%)
  • whonix-workstation-17_exec: 7.81 🟢 ( previous job: 8.27, improvement: 94.40%)
  • whonix-workstation-17_exec-root: 56.17 🟢 ( previous job: 57.61, improvement: 97.50%)
  • whonix-workstation-17_socket: 8.73 🟢 ( previous job: 8.97, improvement: 97.33%)
  • whonix-workstation-17_socket-root: 8.30 🟢 ( previous job: 9.46, improvement: 87.69%)
  • whonix-workstation-17_exec-data-simplex: 77.61 🔺 ( previous job: 74.54, degradation: 104.12%)
  • whonix-workstation-17_exec-data-duplex: 72.72 🟢 ( previous job: 74.84, improvement: 97.16%)
  • whonix-workstation-17_exec-data-duplex-root: 90.52 🔺 ( previous job: 86.00, degradation: 105.25%)
  • whonix-workstation-17_socket-data-duplex: 163.11 🔺 ( previous job: 160.20, degradation: 101.81%)
  • dom0_root_seq1m_q8t1_read 3:read_bandwidth_kb: 387643.00 :green_circle: ( previous job: 289982.00, improvement: 133.68%)
  • dom0_root_seq1m_q8t1_write 3:write_bandwidth_kb: 102460.00 :green_circle: ( previous job: 101988.00, improvement: 100.46%)
  • dom0_root_seq1m_q1t1_read 3:read_bandwidth_kb: 257698.00 :green_circle: ( previous job: 14284.00, improvement: 1804.10%)
  • dom0_root_seq1m_q1t1_write 3:write_bandwidth_kb: 49791.00 :green_circle: ( previous job: 32696.00, improvement: 152.28%)
  • dom0_root_rnd4k_q32t1_read 3:read_bandwidth_kb: 102264.00 :green_circle: ( previous job: 17102.00, improvement: 597.97%)
  • dom0_root_rnd4k_q32t1_write 3:write_bandwidth_kb: 6151.00 :green_circle: ( previous job: 1091.00, improvement: 563.79%)
  • dom0_root_rnd4k_q1t1_write 3:write_bandwidth_kb: 3535.00 :green_circle: ( previous job: 1840.00, improvement: 192.12%)
  • dom0_varlibqubes_seq1m_q8t1_read 3:read_bandwidth_kb: 476408.00 :green_circle: ( previous job: 289182.00, improvement: 164.74%)
  • dom0_varlibqubes_seq1m_q1t1_read 3:read_bandwidth_kb: 443372.00 :green_circle: ( previous job: 433654.00, improvement: 102.24%)
  • dom0_varlibqubes_rnd4k_q32t1_read 3:read_bandwidth_kb: 99909.00 :small_red_triangle: ( previous job: 108760.00, degradation: 91.86%)
  • dom0_varlibqubes_rnd4k_q1t1_read 3:read_bandwidth_kb: 8054.00 :green_circle: ( previous job: 6356.00, improvement: 126.71%)
  • dom0_varlibqubes_rnd4k_q1t1_write 3:write_bandwidth_kb: 4501.00 :green_circle: ( previous job: 4420.00, improvement: 101.83%)
  • fedora-42-xfce_root_seq1m_q8t1_read 3:read_bandwidth_kb: 358487.00
  • fedora-42-xfce_root_seq1m_q8t1_write 3:write_bandwidth_kb: 262012.00
  • fedora-42-xfce_root_seq1m_q1t1_read 3:read_bandwidth_kb: 298824.00
  • fedora-42-xfce_root_seq1m_q1t1_write 3:write_bandwidth_kb: 95600.00
  • fedora-42-xfce_root_rnd4k_q32t1_read 3:read_bandwidth_kb: 79362.00
  • fedora-42-xfce_root_rnd4k_q32t1_write 3:write_bandwidth_kb: 1365.00
  • fedora-42-xfce_root_rnd4k_q1t1_read 3:read_bandwidth_kb: 7702.00
  • fedora-42-xfce_root_rnd4k_q1t1_write 3:write_bandwidth_kb: 1513.00
  • fedora-42-xfce_private_seq1m_q8t1_read 3:read_bandwidth_kb: 379506.00
  • fedora-42-xfce_private_seq1m_q8t1_write 3:write_bandwidth_kb: 197306.00
  • fedora-42-xfce_private_seq1m_q1t1_read 3:read_bandwidth_kb: 310046.00
  • fedora-42-xfce_private_seq1m_q1t1_write 3:write_bandwidth_kb: 66676.00
  • fedora-42-xfce_private_rnd4k_q32t1_read 3:read_bandwidth_kb: 84554.00
  • fedora-42-xfce_private_rnd4k_q32t1_write 3:write_bandwidth_kb: 3733.00
  • fedora-42-xfce_private_rnd4k_q1t1_read 3:read_bandwidth_kb: 8403.00
  • fedora-42-xfce_private_rnd4k_q1t1_write 3:write_bandwidth_kb: 1440.00
  • fedora-42-xfce_volatile_seq1m_q8t1_read 3:read_bandwidth_kb: 350225.00
  • fedora-42-xfce_volatile_seq1m_q8t1_write 3:write_bandwidth_kb: 129171.00
  • fedora-42-xfce_volatile_seq1m_q1t1_read 3:read_bandwidth_kb: 289581.00
  • fedora-42-xfce_volatile_seq1m_q1t1_write 3:write_bandwidth_kb: 19417.00
  • fedora-42-xfce_volatile_rnd4k_q32t1_read 3:read_bandwidth_kb: 80552.00
  • fedora-42-xfce_volatile_rnd4k_q32t1_write 3:write_bandwidth_kb: 2688.00
  • fedora-42-xfce_volatile_rnd4k_q1t1_read 3:read_bandwidth_kb: 7964.00
  • fedora-42-xfce_volatile_rnd4k_q1t1_write 3:write_bandwidth_kb: 497.00

This was referenced Jun 18, 2025
Closed
Merged
Merged
Merged
Merged
Closed
Merged
Merged
Merged
Merged
Merged
Merged
Draft
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
@3nprob
Copy link

3nprob commented Jun 21, 2025
edited
Loading

refresh runs on every upgrade - does this not have the potential to inadvertently accept remote keys at any upgrade?

Also, --assumeyes has the potential to accept other questions with unwanted consequences?

Wouldn't it be more safe and robust to explicitly import the key from local filesystem when/if necessary?

@marmarek
Copy link
Member Author

All good questions.

does this not have the potential to inadvertently accept remote keys at any upgrade?

Key location is specified in the repo file, all repos we include use file:// location. The same applies to all other popular repositories. If you modify the repo configuration to use remote location, then yes, it may import that key - you asked for it... But also, see the answer below.

Also, --assumeyes has the potential to accept other questions with unwanted consequences?

Not really, there aren't any other prompts during refresh operation. In fact, this prompt is only about metadata signatures (not package signatures), which most repositories don't use anyway...

Wouldn't it be more safe and robust to explicitly import the key from local filesystem when/if necessary?

If there would be a proper method for that, maybe (but also, it would require duplicating quite some part already done by dnf - for example to properly get repo config, including any drop-ins, check for enabled/disabled repos etc). But there isn't any API for importing metadata signing key - it's stored by dnf internally, keys imported to rpmdb via rpm --import are not the same thing. And the only "official" method is answering "yes" to that prompt...

@3nprob
Copy link

3nprob commented Jun 21, 2025

If you modify the repo configuration to use remote location, then yes, it may import that key - you asked for it...

Well, I may be happy with the location but still want to manually monitor the effective fingerprint or other changes. We should also be prompted on any unexpected key changes in any case IMO.

But there isn't any API for importing metadata signing key - it's stored by dnf internally, keys imported to rpmdb via rpm --import are not the same thing. And the only "official" method is answering "yes" to that prompt...

Hmm. Would you like me to take a shot at opening an upstream issue?

@marmarek
Copy link
Member Author

Well, I may be happy with the location but still want to manually monitor the effective fingerprint or other changes. We should also be prompted on any unexpected key changes in any case IMO.

Actually, I don't think so. The only way to get a different key in a local filesystem is that something (already authenticated) put it there. And making key rotation harder than it should be is a bad thing.

Hmm. Would you like me to take a shot at opening an upstream issue?

It's an issue known for a long time: https://bugzilla.redhat.com/show_bug.cgi?id=1768206

@marmarek marmarek merged commit 5ee0faa into QubesOS:main Jun 26, 2025
2 checks passed
@marmarek marmarek deleted the update-import-key branch July 15, 2025 23:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
openqa-pending
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@marmarek @qubesos-bot @3nprob