Hi, while trying to install Crystal on Fedora 38 I got the following error:
Running transaction check
Transaction check succeeded.
Running transaction test
RPM: error: Verifying a signature using certificate 321DC2EA7F0A4F06714516B8E456AE72856D1476 (devel:languages:crystal OBS Project <devel:languages:crystal@build.opensuse.org>):
RPM: Certificate E456AE72856D1476 invalid: policy violation
RPM: because: No binding signature at time 2023-06-23T17:13:28Z
RPM: error: Verifying a signature using certificate 321DC2EA7F0A4F06714516B8E456AE72856D1476 (devel:languages:crystal OBS Project <devel:languages:crystal@build.opensuse.org>):
RPM: Certificate E456AE72856D1476 invalid: policy violation
RPM: because: No binding signature at time 2023-06-23T17:13:28Z
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
package crystal-1.8.2-5.1.x86_64 does not verify: Header V3 RSA/SHA256 Signature, key ID 856d1476: BAD
I can reproduce the error with the installer. But only with Fedora 38.
It works fine on Fedora 37 and Rawhide. So it must be an error specific to 38.
Any idea what that error message means or how to fix it? I’m not familiar with the Fedory ecosystem.
The packages are built on OBS (Show devel:languages:crystal / crystal - openSUSE Build Service) which also hosts the repositories. Usually that works well.
Hi!
I tried all the methods described in the installation. It seems that the problem it is related to the key crypto algorithms used for signing, current Fedora crypto-policies are probably very strict. At the end I managed to install Crystal lowering the default policies, specifically:
sudo update-crypto-policies --set LEGACY # after updating the policies it is necessary to reboot
sudo rpm --erase gpg-pubkey-856d1476-608aaf94 # I don't know why I'd to also remove the key which gets anyway imported again after running dnf install crystal
sudo dnf install crystal
sudo update-crypto-policies --set DEFAULT # restrict policies again
Note: what I did is very empirical and had not much time to dig deeper, so I could be totally wrong, nevertheless I was finally able to install Crystal.
Hi, this is the second one I tried, and did not worked for me, but probably mi first attempt with the installer script created some problem and made the second method also failing. I’m going to test this in a new env. Thanks!
I’m getting exactly the same problem. I tried the two things …
zenbook [~]# dnf config-manager --add-repo https://download.opensuse.org/repositories/devel:languages:crystal/Fedora_38/devel:languages:crystal.repo
Adding repo from: https://download.opensuse.org/repositories/devel:languages:crystal/Fedora_38/devel:languages:crystal.repo
zenbook [~]# rm /etc/yum.repos.d/devel\:languages\:crystal.repo ^C
zenbook [~]# dnf install crystal
Crystal (Fedora_38) 955 B/s | 1.7 kB 00:01
keybase 1.8 kB/s | 3.3 kB 00:01
Dependencies resolved.
=======================================================================================================================================================
Package Architecture Version Repository Size
=======================================================================================================================================================
Installing:
crystal x86_64 1.9.2-2.1 devel_languages_crystal 33 M
Installing dependencies:
pcre-cpp x86_64 8.45-1.fc38.3 fedora 26 k
pcre-devel x86_64 8.45-1.fc38.3 fedora 490 k
pcre-utf16 x86_64 8.45-1.fc38.3 fedora 186 k
pcre-utf32 x86_64 8.45-1.fc38.3 fedora 175 k
Installing weak dependencies:
libyaml-devel x86_64 0.2.5-9.fc38 fedora 168 k
Transaction Summary
=======================================================================================================================================================
Install 6 Packages
Total size: 34 M
Total download size: 1.0 M
Installed size: 130 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] crystal-1.9.2-2.1.x86_64.rpm: Already downloaded
(2/6): pcre-cpp-8.45-1.fc38.3.x86_64.rpm 15 kB/s | 26 kB 00:01
(3/6): libyaml-devel-0.2.5-9.fc38.x86_64.rpm 85 kB/s | 168 kB 00:01
(4/6): pcre-utf32-8.45-1.fc38.3.x86_64.rpm 82 kB/s | 175 kB 00:02
(5/6): pcre-utf16-8.45-1.fc38.3.x86_64.rpm 75 kB/s | 186 kB 00:02
(6/6): pcre-devel-8.45-1.fc38.3.x86_64.rpm 66 kB/s | 490 kB 00:07
-------------------------------------------------------------------------------------------------------------------------------------------------------
Total 121 kB/s | 1.0 MB 00:08
error: Verifying a signature using certificate 321DC2EA7F0A4F06714516B8E456AE72856D1476 (devel:languages:crystal OBS Project <devel:languages:crystal@build.opensuse.org>):
1. Certificiate E456AE72856D1476 invalid: certificate is not alive
because: The primary key is not live
because: Expired on 2023-07-08T13:07:32Z
2. Key E456AE72856D1476 invalid: key is not alive
because: The primary key is not live
because: Expired on 2023-07-08T13:07:32Z
error: Verifying a signature using certificate 321DC2EA7F0A4F06714516B8E456AE72856D1476 (devel:languages:crystal OBS Project <devel:languages:crystal@build.opensuse.org>):
1. Certificiate E456AE72856D1476 invalid: certificate is not alive
because: The primary key is not live
because: Expired on 2023-07-08T13:07:32Z
2. Key E456AE72856D1476 invalid: key is not alive
because: The primary key is not live
because: Expired on 2023-07-08T13:07:32Z
Crystal (Fedora_38) 1.7 kB/s | 1.1 kB 00:00
GPG key at https://download.opensuse.org/repositories/devel:/languages:/crystal/Fedora_38/repodata/repomd.xml.key (0x856D1476) is already installed
The GPG keys listed for the "Crystal (Fedora_38)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: crystal-1.9.2-2.1.x86_64
GPG Keys are configured as: https://download.opensuse.org/repositories/devel:/languages:/crystal/Fedora_38/repodata/repomd.xml.key
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
zenbook [~]# wget 'https://raw.githubusercontent.com/crystal-lang/distribution-scripts/7dd5ba51c1c21c02e51c07ac945999569a8e21a0/packages/scripts/install.sh'
--2023-07-21 12:42:27-- https://raw.githubusercontent.com/crystal-lang/distribution-scripts/7dd5ba51c1c21c02e51c07ac945999569a8e21a0/packages/scripts/install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6929 (6.8K) [text/plain]
Saving to: ‘install.sh’
install.sh 100%[========================================================================>] 6.77K --.-KB/s in 0s
2023-07-21 12:42:28 (30.6 MB/s) - ‘install.sh’ saved [6929/6929]
zenbook [~]# bash install.sh
keybase 12 kB/s | 3.3 kB 00:00
Package dnf-plugins-core-4.4.1-1.fc38.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Adding repo from: https://download.opensuse.org/repositories/devel:languages:crystal/Fedora_38/devel:languages:crystal.repo
Crystal (Fedora_38) 3.0 kB/s | 1.7 kB 00:00
Dependencies resolved.
=======================================================================================================================================================
Package Architecture Version Repository Size
=======================================================================================================================================================
Installing:
crystal x86_64 1.9.2-2.1 devel_languages_crystal 33 M
Installing dependencies:
pcre-cpp x86_64 8.45-1.fc38.3 fedora 26 k
pcre-devel x86_64 8.45-1.fc38.3 fedora 490 k
pcre-utf16 x86_64 8.45-1.fc38.3 fedora 186 k
pcre-utf32 x86_64 8.45-1.fc38.3 fedora 175 k
Installing weak dependencies:
libyaml-devel x86_64 0.2.5-9.fc38 fedora 168 k
Transaction Summary
=======================================================================================================================================================
Install 6 Packages
Total size: 34 M
Installed size: 130 M
Downloading Packages:
[SKIPPED] crystal-1.9.2-2.1.x86_64.rpm: Already downloaded
[SKIPPED] libyaml-devel-0.2.5-9.fc38.x86_64.rpm: Already downloaded
[SKIPPED] pcre-cpp-8.45-1.fc38.3.x86_64.rpm: Already downloaded
[SKIPPED] pcre-devel-8.45-1.fc38.3.x86_64.rpm: Already downloaded
[SKIPPED] pcre-utf16-8.45-1.fc38.3.x86_64.rpm: Already downloaded
[SKIPPED] pcre-utf32-8.45-1.fc38.3.x86_64.rpm: Already downloaded
error: Verifying a signature using certificate 321DC2EA7F0A4F06714516B8E456AE72856D1476 (devel:languages:crystal OBS Project <devel:languages:crystal@build.opensuse.org>):
1. Certificiate E456AE72856D1476 invalid: certificate is not alive
because: The primary key is not live
because: Expired on 2023-07-08T13:07:32Z
2. Key E456AE72856D1476 invalid: key is not alive
because: The primary key is not live
because: Expired on 2023-07-08T13:07:32Z
error: Verifying a signature using certificate 321DC2EA7F0A4F06714516B8E456AE72856D1476 (devel:languages:crystal OBS Project <devel:languages:crystal@build.opensuse.org>):
1. Certificiate E456AE72856D1476 invalid: certificate is not alive
because: The primary key is not live
because: Expired on 2023-07-08T13:07:32Z
2. Key E456AE72856D1476 invalid: key is not alive
because: The primary key is not live
because: Expired on 2023-07-08T13:07:32Z
Crystal (Fedora_38) 3.6 kB/s | 1.1 kB 00:00
GPG key at https://download.opensuse.org/repositories/devel:/languages:/crystal/Fedora_38/repodata/repomd.xml.key (0x856D1476) is already installed
The GPG keys listed for the "Crystal (Fedora_38)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: crystal-1.9.2-2.1.x86_64
GPG Keys are configured as: https://download.opensuse.org/repositories/devel:/languages:/crystal/Fedora_38/repodata/repomd.xml.key
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
A clean install works, so the problem is on dnf not cleaning the key. I don’t know how to do that, but I would try either cleaning the cache, or see if someone knows a better solution than to skip the gpg test.
dnf install crystal --nogpgcheck
Last metadata expiration check: 0:00:17 ago on Fri 21 Jul 2023 05:51:58 PM +03.
Dependencies resolved.
=======================================================================================================================================================
Package Architecture Version Repository Size
=======================================================================================================================================================
Installing:
crystal x86_64 1.9.2-2.1 devel_languages_crystal 33 M
Installing dependencies:
pcre-cpp x86_64 8.45-1.fc38.3 fedora 26 k
pcre-devel x86_64 8.45-1.fc38.3 fedora 490 k
pcre-utf16 x86_64 8.45-1.fc38.3 fedora 186 k
pcre-utf32 x86_64 8.45-1.fc38.3 fedora 175 k
Installing weak dependencies:
libyaml-devel x86_64 0.2.5-9.fc38 fedora 168 k
Transaction Summary
=======================================================================================================================================================
Install 6 Packages
Total size: 34 M
Installed size: 130 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] crystal-1.9.2-2.1.x86_64.rpm: Already downloaded
[SKIPPED] libyaml-devel-0.2.5-9.fc38.x86_64.rpm: Already downloaded
[SKIPPED] pcre-cpp-8.45-1.fc38.3.x86_64.rpm: Already downloaded
[SKIPPED] pcre-devel-8.45-1.fc38.3.x86_64.rpm: Already downloaded
[SKIPPED] pcre-utf16-8.45-1.fc38.3.x86_64.rpm: Already downloaded
[SKIPPED] pcre-utf32-8.45-1.fc38.3.x86_64.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
RPM: error: Verifying a signature using certificate 321DC2EA7F0A4F06714516B8E456AE72856D1476 (devel:languages:crystal OBS Project <devel:languages:crystal@build.opensuse.org>):
RPM: 1. Certificiate E456AE72856D1476 invalid: certificate is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2023-07-08T13:07:32Z
RPM: 2. Key E456AE72856D1476 invalid: key is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2023-07-08T13:07:32Z
RPM: error: Verifying a signature using certificate 321DC2EA7F0A4F06714516B8E456AE72856D1476 (devel:languages:crystal OBS Project <devel:languages:crystal@build.opensuse.org>):
RPM: 1. Certificiate E456AE72856D1476 invalid: certificate is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2023-07-08T13:07:32Z
RPM: 2. Key E456AE72856D1476 invalid: key is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2023-07-08T13:07:32Z
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
package crystal-1.9.2-2.1.x86_64 does not verify: Header V3 RSA/SHA256 Signature, key ID 856d1476: NOTTRUSTED
Trying to disable gpg check from the yum repo file
Yes, the GPG key you have installed is expired. But there’s a new one available which just doesn’t get used because the old one is still cached.
I believe you can list the installed keys with rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' and then remove the expired one with rpm -e <name>-<version>-<release>.