System information
Distribution Name | AlmaLinux
Distribution Version | 9.4
Kernel Version | 5.14.0-427.13.1.el9_4.x86_64
Architecture | x86_64
OpenZFS Version | N/A
Describe the problem you're observing
When trying to install the zfs repository on an RPM-based machine that requires GPG signing (e.g. OpenSCAP configured profile / FIPS configured), dnf complains about the missing GPG key.
```
[root@localhost]# dnf install https://zfsonlinux.org/epel/zfs-release-2-3$(rpm --eval "%{dist}").noarch.rpm
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:10:21 ago on Thu Nov 14 11:47:55 2024.
zfs-release-2-3.el9.noarch.rpm 111 kB/s | 13 kB 00:00
Dependencies resolved.
==============================================================================================================================================================
Package Architecture Version Repository Size
==============================================================================================================================================================
Installing:
zfs-release noarch 2-3.el9 @commandline 13 k
Transaction Summary
==============================================================================================================================================================
Install 1 Package
Total size: 13 k
Installed size: 6.5 k
Is this ok [y/N]: y
Downloading Packages:
Public key for zfs-release-2-3.el9.noarch.rpm is not installed
Error: GPG check FAILED
```
Describe how to reproduce the problem
Set up AlmaLinux 9 / RHEL 9 / RockyLinux 9 with OpenSCAP ANSSI-BP028 High profile
Longer workaround trial (get the ZFS maintainer GPG key into rpm)
I think it would be nice to show on the corresponding wiki page how to set up the GPG key, which IMO isn't straightforward:
I've found the GPG key on this page, which shows 3 separate keys (Ned, Tony and Brian), of which Ned's keys are from 2015, and Tony's keys are from 2017 and seem to include other keys. I chose the latter since it's the newest, and Brian only signs rc releases AFAIK.
Also, I didn't find a way to "raw" download the key from pgp.mit.edu so I did a little awk to clean up the HTML parts. Improvements to this are welcome :)
Here's a quick how-to for installing the GPG key that I came up with:
```
# Fetch the keyserver's HTML page for the key
curl -o zfs_tony_hutter.gpg.html -L 'http://pgp.mit.edu/pks/lookup?op=get&search=0x6AD860EED4598027'
# Read the whole file as one record and keep only the armored key block
awk 'BEGIN{RS=SUBSEP; ORS="" } { sub(/.*-----BEGIN PGP PUBLIC KEY BLOCK-----/, "-----BEGIN PGP PUBLIC KEY BLOCK-----"); sub(/-----END PGP PUBLIC KEY BLOCK-----.*/, "-----END PGP PUBLIC KEY BLOCK-----"); print }' zfs_tony_hutter.gpg.html > zfs_tony_hutter.gpg.key
# Import the key into the rpm keyring
rpm --import zfs_tony_hutter.gpg.key
```
The above commands failed with:
```
warning: Signature not supported. Hash algorithm SHA1 not available.
error: zfs_tony_hutter.gpg.key: key 1 import failed.
```
So I think the keys that are linked to on the ZoL wiki page are old ones.
Any idea where to download recent ZoL team GPG keys? Perhaps the wiki links need an update.
Include any warning/errors/backtraces from the system logs
Extended dnf logs
```
2024-11-14T11:58:16+0100 DDEBUG Command: dnf install https://zfsonlinux.org/epel/zfs-release-2-3.el9.noarch.rpm
2024-11-14T11:58:16+0100 DDEBUG Installroot: /
2024-11-14T11:58:16+0100 DDEBUG Releasever: 9
2024-11-14T11:58:16+0100 DEBUG cachedir: /var/cache/dnf
2024-11-14T11:58:16+0100 DDEBUG Base command: install
2024-11-14T11:58:16+0100 DDEBUG Extra commands: ['install', 'https://zfsonlinux.org/epel/zfs-release-2-3.el9.noarch.rpm']
2024-11-14T11:58:16+0100 DEBUG User-Agent: constructed: 'libdnf (AlmaLinux 9.4; generic; Linux.x86_64)'
2024-11-14T11:58:16+0100 DEBUG repo: using cache for: appstream
2024-11-14T11:58:16+0100 DEBUG appstream: using metadata from Mon Nov 11 10:34:10 2024.
2024-11-14T11:58:16+0100 DEBUG repo: using cache for: baseos
2024-11-14T11:58:16+0100 DEBUG baseos: using metadata from Mon Nov 11 10:35:04 2024.
2024-11-14T11:58:16+0100 DEBUG repo: using cache for: extras
2024-11-14T11:58:16+0100 DEBUG extras: using metadata from Mon Nov 11 10:35:39 2024.
2024-11-14T11:58:16+0100 DEBUG repo: using cache for: epel
2024-11-14T11:58:16+0100 DEBUG epel: using metadata from Thu Nov 14 04:32:02 2024.
2024-11-14T11:58:16+0100 DEBUG repo: using cache for: epel-cisco-openh264
2024-11-14T11:58:16+0100 DEBUG epel-cisco-openh264: using metadata from Mon May 22 18:19:21 2023.
2024-11-14T11:58:16+0100 INFO Last metadata expiration check: 0:10:21 ago on Thu Nov 14 11:47:55 2024.
2024-11-14T11:58:16+0100 DDEBUG timer: sack setup: 415 ms
2024-11-14T11:58:16+0100 DEBUG --> Starting dependency resolution
2024-11-14T11:58:16+0100 DEBUG ---> Package zfs-release.noarch 2-3.el9 will be installed
2024-11-14T11:58:16+0100 DEBUG --> Finished dependency resolution
2024-11-14T11:58:16+0100 DDEBUG timer: depsolve: 26 ms
2024-11-14T11:58:16+0100 INFO Dependencies resolved.
2024-11-14T11:58:16+0100 INFO ==============================================================================================================================================================
Package Architecture Version Repository Size
==============================================================================================================================================================
Installing:
zfs-release noarch 2-3.el9 @commandline 13 k
Transaction Summary
==============================================================================================================================================================
Install 1 Package
2024-11-14T11:58:16+0100 INFO Total size: 13 k
2024-11-14T11:58:16+0100 INFO Installed size: 6.5 k
2024-11-14T11:58:19+0100 INFO Downloading Packages:
2024-11-14T11:58:19+0100 DEBUG Using rpmkeys executable at /usr/bin/rpmkeys to verify signatures
2024-11-14T11:58:19+0100 CRITICAL Public key for zfs-release-2-3.el9.noarch.rpm is not installed
2024-11-14T11:58:19+0100 DDEBUG Cleaning up.
2024-11-14T11:58:19+0100 DDEBUG /var/cache/dnf/commandline-5fd3bd7dde2b1c5e/packages/zfs-release-2-3.el9.noarch.rpm removed
2024-11-14T11:58:19+0100 DDEBUG Plugins were unloaded.
2024-11-14T11:58:19+0100 SUBDEBUG
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 67, in main
return _main(base, args, cli_class, option_parser_class)
File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 106, in _main
return cli_run(cli, base)
File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 130, in cli_run
ret = resolving(cli, base)
File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 176, in resolving
base.do_transaction(display=displays)
File "/usr/lib/python3.9/site-packages/dnf/cli/cli.py", line 238, in do_transaction
self.gpgsigcheck(install_pkgs)
File "/usr/lib/python3.9/site-packages/dnf/cli/cli.py", line 305, in gpgsigcheck
raise dnf.exceptions.Error(_("GPG check FAILED"))
dnf.exceptions.Error: GPG check FAILED
2024-11-14T11:58:19+0100 CRITICAL Error: GPG check FAILED
```
Describe how to reproduce the problem
Set up AlmaLinux 9 / RHEL 9 / RockyLinux 9 with OpenSCAP ANSSI-BP028 High profile
Install zfs repository for EL9.
Quick workaround
I could indeed install by bypassing GPG checks:
Linked to #15195
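For the key import attempted in the issue above, the following added example (not code from the issue author or the OpenZFS project) inspects a keyserver download before `rpm --import`: it extracts the armored block, checks that a fingerprint ends in the key ID used in the curl URL, and lists the digest algorithm of every signature so that a SHA1-signed key is recognised before rpm rejects it. The function names and the `.asc` output path are assumptions; the page gives no full fingerprint, so that comparison is left to the reader.

```bash
#!/usr/bin/env bash
# Added example: inspect a keyserver download before handing it to rpm --import.
KEY_ID=6AD860EED4598027   # long key ID taken from the curl URL in the issue

# stdin: keyserver HTML page -> stdout: only the ASCII-armored key block.
extract_armor() {
  awk '/-----BEGIN PGP PUBLIC KEY BLOCK-----/ { keep = 1 }
       keep { gsub(/<[^>]*>/, ""); print }
       /-----END PGP PUBLIC KEY BLOCK-----/ { keep = 0 }'
}

# stdin: `gpg --list-packets` output -> stdout: "keyid digest" per signature.
sig_digests() {
  awk 'BEGIN { n = split("1 MD5 2 SHA1 3 RIPEMD160 8 SHA256 9 SHA384 10 SHA512 11 SHA224", t, " ")
               for (i = 1; i < n; i += 2) name[t[i]] = t[i + 1] }
       /^:signature packet:/ { id = $NF }
       /digest algo/ { a = $3; sub(/,/, "", a)
                       print id, ((a in name) ? name[a] : "algo" a) }'
}

# Succeeds only if no signature uses SHA1 (rejected by rpm above) or the older MD5.
no_legacy_digests() { ! sig_digests | grep -Eq ' (MD5|SHA1)$'; }

# stdin: `gpg --show-keys --with-colons` output; succeeds if a fingerprint ends in $1.
# A key ID suffix is a sanity check only: compare the full fingerprint with one
# obtained over a trusted channel before trusting the key.
has_key_id() {
  awk -F: -v id="${1#0x}" '$1 == "fpr" && toupper($10) ~ (toupper(id) "$") { ok = 1 }
                           END { exit !ok }'
}

# Writes FILE.asc, prints findings, imports nothing. Requires gpg.
check_download() {
  asc="$1.asc"
  extract_armor < "$1" > "$asc"
  gpg --show-keys --with-colons "$asc" | has_key_id "$KEY_ID" ||
    { echo "no key with ID $KEY_ID in $asc"; return 1; }
  gpg --list-packets "$asc" | sig_digests
  gpg --list-packets "$asc" | no_legacy_digests ||
    { echo "legacy digest found: rpm may refuse this key, as in the error above"; return 2; }
}

if [ -n "${1:-}" ]; then check_download "$1"; fi
```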