Hi,
I recently started using Fedora flatpak remote in Fedora 30 Silverblue, but now I'm facing issue with GPG verification. I didn't had any issue when installing the application from the remote few days ago, but when I'm trying to do `flatpak update` I'm getting "Error: Can't pull from untrusted non-gpg verified remote"
Why the flatpak remote is not GPG signed? Or is there another issue?
Regards, mkonecny
P.S.: I sent the same message to Fedora devel mailing list, but because there is no response I'm sending it also to Fedora desktop mailing list.
On Tue, Apr 16, 2019 at 3:50 AM Michal Konecny mkonecny@redhat.com wrote:
I recently started using Fedora flatpak remote in Fedora 30 Silverblue, but now I'm facing issue with GPG verification. I didn't had any issue when installing the application from the remote few days ago, but when I'm trying to do `flatpak update` I'm getting "Error: Can't pull from untrusted non-gpg verified remote"
Why the flatpak remote is not GPG signed? Or is there another issue?
I think there is another issue - GPG signatures are not used for OCI remotes.
What the issue is I'm not sure: * What version of Flatpak? * What application are you trying to update? * What exactly do you see when you try to update? Does it matter if you do a general 'flatpak update' or 'flatpak update <app-id>'?
Thanks for reporting the issue! Owen
Hi Owen,
I already reported this to releng team [0], but here are some details: * flatpak version - flatpak-1.2.4-2.fc30.x86_64 * application to update - org.mozilla.Thunderbird * output of flatpak update: ``` Looking for updates…
ID Arch Branch Remote Download 1. [✗] org.mozilla.Thunderbird x86_64 stable fedora < 60.2 MB
Error: Can't pull from untrusted non-gpg verified remote Updates complete. error: There were one or more errors ```
mkonecny
[0] - https://pagure.io/releng/issue/8291
On 4/16/19 9:01 PM, Owen Taylor wrote:
On Tue, Apr 16, 2019 at 3:50 AM Michal Konecny mkonecny@redhat.com wrote:
I recently started using Fedora flatpak remote in Fedora 30 Silverblue, but now I'm facing issue with GPG verification. I didn't had any issue when installing the application from the remote few days ago, but when I'm trying to do `flatpak update` I'm getting "Error: Can't pull from untrusted non-gpg verified remote"
Why the flatpak remote is not GPG signed? Or is there another issue?
I think there is another issue - GPG signatures are not used for OCI remotes.
What the issue is I'm not sure:
- What version of Flatpak?
- What application are you trying to update?
- What exactly do you see when you try to update? Does it matter if
you do a general 'flatpak update' or 'flatpak update <app-id>'?
Thanks for reporting the issue! Owen _______________________________________________ desktop mailing list -- desktop@lists.fedoraproject.org To unsubscribe send an email to desktop-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/desktop@lists.fedoraproject.or...
On Wed, Apr 17, 2019 at 4:01 AM Michal Konecny mkonecny@redhat.com wrote:
Hi Owen,
I already reported this to releng team [0], but here are some details:
- flatpak version - flatpak-1.2.4-2.fc30.x86_64
- application to update - org.mozilla.Thunderbird
- output of flatpak update:
Looking for updates… ID Arch Branch Remote Download 1. [✗] org.mozilla.Thunderbird x86_64 stable fedora < 60.2 MB Error: Can't pull from untrusted non-gpg verified remote Updates complete. error: There were one or more errors
Hmm, I wouldn't have thought it was possible, but you *might* be the first person to have tried updating a flatpak from an OCI system remote (most of my testing has been with user remotes). There seems to potentially a bug where the 'install' and 'update' code paths in the Flatpak code are differently ordered.
In the install case, it's "is an OCI remote? do X - otherwise, is it an unsigned GPG remote? error out" In the update case it's "is it an unsigned GPG remote? error out - otherwise, is it a is an OCI remote? do X"
I'm puzzling over how to reproduce this without rebuilding a Flatpak and waiting for it to be pushed to the testing remote. May just be easiest to extend the Flatpak test suite.
Owen
Owen Taylor píše v St 17. 04. 2019 v 10:09 -0400:
On Wed, Apr 17, 2019 at 4:01 AM Michal Konecny mkonecny@redhat.com wrote:
Hi Owen,
I already reported this to releng team [0], but here are some details:
- flatpak version - flatpak-1.2.4-2.fc30.x86_64
- application to update - org.mozilla.Thunderbird
- output of flatpak update:
Looking for updates… ID Arch Branch Remote Download 1. [✗] org.mozilla.Thunderbird x86_64 stable fedora < 60.2 MB Error: Can't pull from untrusted non-gpg verified remote Updates complete. error: There were one or more errors
Hmm, I wouldn't have thought it was possible, but you *might* be the first person to have tried updating a flatpak from an OCI system remote (most of my testing has been with user remotes). There seems to potentially a bug where the 'install' and 'update' code paths in the Flatpak code are differently ordered.
In the install case, it's "is an OCI remote? do X - otherwise, is it an unsigned GPG remote? error out" In the update case it's "is it an unsigned GPG remote? error out - otherwise, is it a is an OCI remote? do X"
I'm puzzling over how to reproduce this without rebuilding a Flatpak and waiting for it to be pushed to the testing remote. May just be easiest to extend the Flatpak test suite.
He's not the only one. It hasn't worked for me either. I just haven't had time to look at it. I've had problems updating other flatpaks in Software, too, because it's effectively blocks "Update All" operation.
Jiri
I also noticed the issue with gnome-software and I created a ticket for it on upstream - https://gitlab.gnome.org/GNOME/gnome-software/issues/638
mkonecny
On 4/18/19 1:52 PM, Jiri Eischmann wrote:
Owen Taylor píše v St 17. 04. 2019 v 10:09 -0400:
On Wed, Apr 17, 2019 at 4:01 AM Michal Konecny mkonecny@redhat.com wrote:
Hi Owen,
I already reported this to releng team [0], but here are some details:
- flatpak version - flatpak-1.2.4-2.fc30.x86_64
- application to update - org.mozilla.Thunderbird
- output of flatpak update:
Looking for updates… ID Arch Branch Remote Download 1. [✗] org.mozilla.Thunderbird x86_64 stable fedora < 60.2 MB Error: Can't pull from untrusted non-gpg verified remote Updates complete. error: There were one or more errors
Hmm, I wouldn't have thought it was possible, but you *might* be the first person to have tried updating a flatpak from an OCI system remote (most of my testing has been with user remotes). There seems to potentially a bug where the 'install' and 'update' code paths in the Flatpak code are differently ordered.
In the install case, it's "is an OCI remote? do X - otherwise, is it an unsigned GPG remote? error out" In the update case it's "is it an unsigned GPG remote? error out - otherwise, is it a is an OCI remote? do X"
I'm puzzling over how to reproduce this without rebuilding a Flatpak and waiting for it to be pushed to the testing remote. May just be easiest to extend the Flatpak test suite.
He's not the only one. It hasn't worked for me either. I just haven't had time to look at it. I've had problems updating other flatpaks in Software, too, because it's effectively blocks "Update All" operation.
Jiri _______________________________________________ desktop mailing list -- desktop@lists.fedoraproject.org To unsubscribe send an email to desktop-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/desktop@lists.fedoraproject.or...
Hi Owen,
it looks like the issue is solved for me. Today I was able to update org.mozilla.Thunderbird.
Thank you
On 4/17/19 4:09 PM, Owen Taylor wrote:
On Wed, Apr 17, 2019 at 4:01 AM Michal Konecny mkonecny@redhat.com wrote:
Hi Owen,
I already reported this to releng team [0], but here are some details:
- flatpak version - flatpak-1.2.4-2.fc30.x86_64
- application to update - org.mozilla.Thunderbird
- output of flatpak update:
Looking for updates… ID Arch Branch Remote Download 1. [✗] org.mozilla.Thunderbird x86_64 stable fedora < 60.2 MB Error: Can't pull from untrusted non-gpg verified remote Updates complete. error: There were one or more errors
Hmm, I wouldn't have thought it was possible, but you *might* be the first person to have tried updating a flatpak from an OCI system remote (most of my testing has been with user remotes). There seems to potentially a bug where the 'install' and 'update' code paths in the Flatpak code are differently ordered.
In the install case, it's "is an OCI remote? do X - otherwise, is it an unsigned GPG remote? error out" In the update case it's "is it an unsigned GPG remote? error out - otherwise, is it a is an OCI remote? do X"
I'm puzzling over how to reproduce this without rebuilding a Flatpak and waiting for it to be pushed to the testing remote. May just be easiest to extend the Flatpak test suite.
Owen _______________________________________________ desktop mailing list -- desktop@lists.fedoraproject.org To unsubscribe send an email to desktop-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/desktop@lists.fedoraproject.or...
On 5/15/19 09:13, Michal Konecny wrote:
Hi Owen,
it looks like the issue is solved for me. Today I was able to update org.mozilla.Thunderbird.
This was a flatpak issue. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5a1d654c34 was the update that fixed it (for F30).
Would be awesome if someone who's still on F29 could give one more karma to the F29 flatpak update that fixes the same issue there: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bee51b498
Thanks!
Kalev
desktop@lists.fedoraproject.org