ToddAndMargo via users wrote: > On 6/13/25 3:28 PM, ToddAndMargo via users wrote: > Open SUSE pulled a "NOTTRUSTED". [...] > 2) if so, what is the workaround? > > # dnf install waterfox-6.5.9-4.1.x86_64.rpm
Not sure why you're installing it manually to be honest. I tested it in an F41 container and it worked just fine: [root@20245a7c82c1 /]# dnf -qq list --installed waterfox Installed packages waterfox.x86_64 6.5.9-4.1 home_hawkeye116477_waterfox That was after using: dnf config-manager addrepo --from-repofile=https://download.opensuse.org/repositories/home:hawkeye116477:waterfox/Fedora_41/home:hawkeye116477:waterfox.repo dnf install waterfox > Updating and loading repositories: > Repositories loaded. > Package Arch Version Repository Size > Installing: > waterfox x86_64 6.5.9-4.1 @commandline 242.1 > MiB > > Transaction Summary: > Installing: 1 package > > Total size of inbound packages is 74 MiB. Need to download 0 B. > After this operation, 242 MiB extra will be used (install 242 MiB, remove 0 > B). > Is this ok [y/N]: y > Running transaction > Transaction failed: Rpm transaction failed. > Warning: skipped OpenPGP checks for 1 package from repository: @commandline > - package waterfox-6.5.9-4.1.x86_64 does not verify: Header V3 RSA/SHA256 > Signature, key ID 625a271e: NOTTRUSTED If you had the repo installed from ages ago, you very well may need to remove the key and install it again, as until very recently, rpm had no way to refresh GPG keys. (I don't think that's even in a released version of rpm yet, but if it is, it's not in F41 at the very least.) So you have to use rpm -e gpg-pubkey-625a271e and then let dnf install it again (having added the repo properly). [root@20245a7c82c1 /]# rpm -qi gpg-pubkey-625a271e | gpg --show-key pub rsa2048 2017-04-05 [SC] [expires: 2027-07-10] E64C7A04DC653D07ACA3EA585E62D791625A271E uid home:hawkeye116477 OBS Project <home:hawkeye116...@build.opensuse.org> This is not much different than was needed for many other third-party repos after updating to Fedora 40 or whenever it was that the gpg backend in rpm was switch to sequoia, which does much better/stricter checking of keys. Many third-party repos updated their keys rather than generated entirely new keys, which requires manual work from their users. I don't know if anything other than the key expiration had to be changed for the home:hawkeye116477 repo key, but even in that case, rpm's inability to refresh keys requires such a change to be managed manually. (Tangentially, and IMO, the smarter move is to generate an entirely new key, add it to the gpgkey parameter in the repo file, in addition to the existing key and then allow some time to pass before removing the old key. But that also presumes that they provide a package which manages the repo file rather than just some "hey, download this file and chuck it in place.") None of this is really all that hard to do and is something anyone adding third-party repos to their system should be familiar with and comfortable doing. -- Todd
signature.asc
Description: PGP signature
-- _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue