‘Package XXX is not signed’ error during upgrade to Fedora 24

Many people hit issues like this when trying to upgrade to Fedora 24:

 Error: Package a52dec-0.7.4-19.fc24.x86_64.rpm is not signed

You can easily see how widespread this issue is by looking at the comments section under our upgrade guide on Fedora Magazine. In fact, it probably affects everyone who has the rpmfusion repository enabled (which is a very popular third-party repository). The a52dec package is usually the one mentioned because it comes early in the alphabetical listing, but it can be a different one (depending on what you installed from rpmfusion).

The core issue is that even though their Fedora 24 repository is available, the packages in it are not signed yet – they simply have not had time to do that. However, the rpmfusion repository metadata from Fedora 23 demands that all packages are signed (which is a good thing; package signing is crucial to prevent all kinds of nasty security attacks). The outcome is that DNF rejects the transaction as insecure.

According to the rpmfusion maintainers, they are working on signing their repositories and it should hopefully be done soon. So if you’re not in a hurry with your upgrade, just wait a while and the problem will (hopefully) disappear.

But, if you insist that you want to upgrade now, what are your options?

Some people suggest adding the --nogpgcheck option to the command line. Please don’t do that! That completely bypasses any security checks, even for proper Fedora packages! It will leave you vulnerable to security attacks.

A much better option is to temporarily remove rpmfusion repositories:

$ sudo dnf remove 'rpmfusion-*-release'

and run the upgrade command again. You’ll likely need to add the --allowerasing option, because it will probably want to remove some packages that you installed from rpmfusion (like vlc):

$ sudo dnf system-upgrade download --releasever=24 --allowerasing

This is OK: after you upgrade your system, you can enable the rpmfusion repositories again and install the packages that were removed prior to the upgrade.

(I recommend really removing the rpmfusion repositories and not just disabling them, because they manage their repos in a non-standard way, enabling and disabling their updates and updates-testing repos during the system lifecycle according to their needs. That makes it hard to know which repos to enable after the system upgrade – they are not the same ones that were enabled before it. What they are doing is really rather ugly, and it’s much better to perform a clean installation of their repos.)

After the system upgrade finishes, simply visit their website, install the repos again, and install any packages that you’re missing. This way, your upgrade is performed in a safe way. The packages installed from rpmfusion might still be installed unsafely (depending on whether they manage to sign the repo by that time or not), but that’s much better than upgrading your whole system unsafely.
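To see whether the reinstalled repositories actually enforce signature checking, the following added example (not part of the original post) parses dnf `.repo` files and reports the `gpgcheck` setting of each enabled repository. The repo ids and URL in the sample are constructed placeholders; a repo with no `gpgcheck` line is reported as `inherit`, meaning it follows `[main]` in `/etc/dnf/dnf.conf`.

```shell
#!/bin/bash
# Added example (not from the original post): report the gpgcheck setting
# of every enabled repository defined in a dnf .repo file.
# Output per repo: "<repo-id> <verified|UNVERIFIED|inherit>"
# "inherit" = no gpgcheck line in the repo; the [main] value applies.
audit_repo_file() {
    awk '
        function val(line) {            # text after "=", trimmed, lowercased
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line)
            return tolower(line)
        }
        function falsy(v) { return v == "0" || v == "false" || v == "no" || v == "off" }
        function emit() { if (id != "" && id != "main" && enabled) print id, state }
        /^[ \t]*[#;]/ { next }          # skip comment lines
        /^\[/ {                         # start of a new [repo-id] section
            emit()
            id = $0; sub(/^\[/, "", id); sub(/\].*$/, "", id)
            enabled = 1; state = "inherit"   # repos are enabled unless they say otherwise
            next
        }
        /^[ \t]*enabled[ \t]*=/  { enabled = !falsy(val($0)) }
        /^[ \t]*gpgcheck[ \t]*=/ { state = falsy(val($0)) ? "UNVERIFIED" : "verified" }
        END { emit() }
    ' "$1"
}

# Constructed sample input; repo ids and the URL are placeholders.
sample_repo() {
    cat <<'EOF'
[example-free]
enabled=1
gpgcheck=1
[example-free-updates-testing]
enabled=1
gpgcheck=0
[example-free-debuginfo]
enabled=0
gpgcheck=0
[example-inherit]
baseurl=https://repo.example.invalid/free/
EOF
}

# Audit the files given as arguments, or the constructed sample if none.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_repo_file "$f"; done
else
    tmp=$(mktemp); sample_repo > "$tmp"; audit_repo_file "$tmp"; rm -f "$tmp"
fi
```

Run it with `/etc/yum.repos.d/*.repo` as arguments; any repo listed as `UNVERIFIED` installs packages without signature verification even though the rest of the system is checked.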

To wrap this up, I’m sorry that people are hit by these complications, but it’s not something the Fedora Project can directly influence (except by banning third-party repos during system upgrades completely, or some similarly drastic measure). This is in the hands of those third-party repos. Hopefully a lot of this pain will go away once we start using Flatpak.


19 thoughts on “‘Package XXX is not signed’ error during upgrade to Fedora 24”

  1. FoolishOwl says:

    Thanks for the clear explanation.

    I can’t blame RPM Fusion for lagging behind the Fedora release schedule, but posting a notice about it on its homepage would seem in order.

    1. @John That’s not the only issue. I have to mark all the packages as user installed because we have been pushing incompetent protocols like PackageKit that seems to always break things. dnf autoremove on my system wants to remove everything. How is that fair for a production operating system?

      Fedora’s fault is that it doesn’t know how to handle such scenarios. I have to run 3 commands to mark all packages user-installed. Another command to remove rpmfusion. After upgrade install rpmfusion. Figure out which packages are missing and install them. This is not a definition of hassle free install. Do these all over again every 6 months.

      This is the definition of impossible for people who use Fedora for, say, writing a cooking blog.

      1. Mat says:

        Maybe someone writing a cooking blog could use Korora. They don’t update to the latest Fedora until rpmfusion has caught up, since they depend on rpmfusion packages.

  2. John says:

    @sudhir

    “we have been pushing incompetent protocols like PackageKit ”

    Umm. PackageKit is not a protocol. It isn’t incompetent. You just ran into a bug.

    “Fedora’s fault is that it doesn’t know how to handle such scenarios”

    How would you propose Fedora handle that besides fixing it and documenting the problem? Unless you are able to write bug-free software, I don’t see your point.

    1. The keys are already present if you installed rpmfusion on Fedora 24. The problem is that they have their repository unsigned for Fedora 24. So the packages are rejected as unsafe.

      You can fix this problem by installing rpmfusion F24 repos on F23 and then upgrading, but it doesn’t do what you think it does. In reality it disables all rpmfusion repos except for one, which is unsigned, and the repo file specifies gpgcheck=0. Therefore it works. But that’s dependent on that ugly hack I mentioned (they swap enabled and disabled updates-testing repo as they wish, even during stable release), and that behavior can easily change in time, so I did not want to recommend this.

  3. JohnC says:

    According to rpmfusion maintainers, they are working on signing their repositories and it should be done hopefully soon.

    ok. Do you know how I will be able to know when they are done??

      1. But if, as you said in the other comment, they disabled gpg checks on their Fedora 24 repo, then you would “stop getting the error” right after upgrade+reinstall of the repo. But that wouldn’t actually mean it’s fixed.

  4. Rahul says:

    Would not advise bypassing the signature check … by the way, I upgraded from Fedora 21 to Fedora 24 yesterday (12th July’16) and found that RPMFusion had put out its GPG files, which I downloaded and copied to /etc/pki/rpm-gpg, besides the Fedora 24 GPG files. As a result, the upgrade was flawless, with one exception – audio is not working, but that is a separate topic!

  5. Juan Giraldo says:

    Hello, I’m trying to change my Fedora 23 to 24, but after the download is completed, an error like this appears: “file /usr/lib64/python2.7/site-packages/bottleneck/tests/replace_test.pyo from install of python2-Bottleneck-0.6.0-8.fc24.x86_64 conflicts with file from package python-Bottleneck-0.7.0-1.el7.x86_64”. Please, any help!

    1. For some reason you have some EPEL7 packages installed. You should not have those on Fedora, and you had to do so manually and knowingly – so you most likely know which ones and why. Before upgrading, remove all such packages (“el7” in release tag) and the upgrade should then proceed just fine.
