#21599 closed defect (fixed)
In Fedora 38, can't import oracle_vbox.asc, so impossible to check package signature
| Reported by: | Andre Robatino | Owned by: | |
|---|---|---|---|
| Component: | other | Version: | VirtualBox-7.0.8 |
| Keywords: | Cc: | ||
| Guest type: | other | Host type: | Linux |
Description
In Fedora 38, the command "rpm --import oracle_vbox.asc" gives
warning: Certificate 54422A4B98AB5139: Policy rejects subkey B6748A65281DDC4B: Policy rejected asymmetric algorithm
Because of this, it's impossible to check the signature of a signed RPM. See https://forums.virtualbox.org/viewtopic.php?f=7&t=109143 . (This is NOT associated with a specific version of VirtualBox but I was forced to specify one.)
Change History (8)
comment:2 by , 12 months ago
According to the official download page Download VirtualBox for Linux Hosts, VirtualBox 6.1.44/7.0.8 started using the newer key named oracle_vbox_2016.asc, which has been used for Debian-based Linux distributions since 2016, also for RPM-based Linux distributions now.
Can you verify that using the right key works for you?
comment:3 by , 12 months ago
The new file oracle_vbox_2016.asc does work, thanks! The .repo files at the bottom of the download page still need to be changed to contain the new file, if it's intended to provide a repo for new Fedora versions (37 and 38 are both missing right now).
comment:5 by , 12 months ago
Hi robatino,
From 6.1.44/7.0.8 we started to sign RPMs and RPM repos using SHA-256. Key oracle_vbox_2016.asc should be used in order to verify new signatures. If you intend to attach official VBox repo for Fedora packages, please refer to https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo (gpgkey was updated today).
Please let us know if it works for you, so ticket can be closed. Btw, this ticket is a duplicate of #21451.
comment:6 by , 12 months ago
Yes, like I said above, the new key works for me in verifying the signature for 7.0.8. The repo files are also updated, as fth0 said, though there are still no 37/38 repos at https://download.virtualbox.org/virtualbox/rpm/fedora/ . (They could just be copies of 36/ since the same RPM works in 36/37/38.) Sorry for the duplicate ticket.
comment:8 by , 12 months ago
Hi robatino,
Just FYI, https://download.virtualbox.org/virtualbox/rpm/fedora/37/ and https://download.virtualbox.org/virtualbox/rpm/fedora/38/ repositories are now also available.
The oracle_vbox.asc file hasn't changed in years, so this is definitely due to a change in the OS. Presumably the .asc file needs to be updated to a newer format (and future VirtualBox RPMs signed with that).