VirtualBox

Opened 14 months ago

Closed 13 months ago

Last modified 13 months ago

#21599 closed defect (fixed)

In Fedora 38, can't import oracle_vbox.asc, so impossible to check package signature

Reported by: Andre Robatino
Owned by:
Component: other
Version: VirtualBox-7.0.8
Keywords:
Cc:
Guest type: other
Host type: Linux

Description

In Fedora 38, the command "rpm --import oracle_vbox.asc" gives

warning: Certificate 54422A4B98AB5139:
  Policy rejects subkey B6748A65281DDC4B: Policy rejected asymmetric algorithm

Because of this, it's impossible to check the signature of a signed RPM. See https://forums.virtualbox.org/viewtopic.php?f=7&t=109143 . (This is NOT associated with a specific version of VirtualBox but I was forced to specify one.)

Change History (8)

comment:1 by Andre Robatino, 14 months ago

The oracle_vbox.asc file hasn't changed in years, so this is definitely due to a change in the OS. Presumably the .asc file needs to be updated to a newer format (and future VirtualBox RPMs signed with that).

Last edited 14 months ago by Andre Robatino

comment:2 by fth0, 14 months ago

According to the official download page "Download VirtualBox for Linux Hosts", VirtualBox 6.1.44/7.0.8 started using the newer key named oracle_vbox_2016.asc, which has been used for Debian-based Linux distributions since 2016, also for RPM-based Linux distributions now.

Can you verify that using the right key works for you?

comment:3 by Andre Robatino, 14 months ago

The new file oracle_vbox_2016.asc does work, thanks! The .repo files at the bottom of the download page still need to be changed to contain the new file, if it's intended to provide a repo for new Fedora versions (37 and 38 are both missing right now).

comment:4 by fth0, 14 months ago

Check the .repo files again. ;)

PS: I didn't do anything!

Last edited 14 months ago by fth0

comment:5 by galitsyn, 14 months ago

Hi robatino,

From 6.1.44/7.0.8 we started to sign RPMs and RPM repos using SHA-256. The key oracle_vbox_2016.asc should be used in order to verify new signatures. If you intend to attach the official VBox repo for Fedora packages, please refer to https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo (gpgkey was updated today).

Please let us know if it works for you, so the ticket can be closed. Btw, this ticket is a duplicate of #21451.

comment:6 by Andre Robatino, 14 months ago

Yes, like I said above, the new key works for me in verifying the signature for 7.0.8. The repo files are also updated, as fth0 said, though there are still no 37/38 repos at https://download.virtualbox.org/virtualbox/rpm/fedora/ . (They could just be copies of 36/ since the same RPM works in 36/37/38.) Sorry for the duplicate ticket.

comment:7 by galitsyn, 13 months ago

Resolution: fixed
Status: new → closed

Thank you. Closing ticket.
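
Added example, not part of the ticket or of Oracle's tooling: a helper for provisioning scripts that fails closed when `rpm --import` prints the policy warning quoted in the description, instead of continuing with a key rpm cannot use for signature checks. The function names are hypothetical, and the parser assumes the two-line warning layout shown in this ticket.

```shell
#!/bin/sh
# Added example (hypothetical helper names): treat rpm crypto-policy
# rejections during key import as a hard failure.

# The warning from this ticket, embedded as sample input for offline use.
ticket_warning() {
    cat <<'EOF'
warning: Certificate 54422A4B98AB5139:
  Policy rejects subkey B6748A65281DDC4B: Policy rejected asymmetric algorithm
EOF
}

# Read `rpm --import` stderr on stdin and print one line per rejected
# subkey: "<certificate id> <subkey id> <reason>".
# Assumption: warnings use the two-line layout quoted in the ticket.
policy_rejections() {
    awk '
        /^warning: Certificate [0-9A-Fa-f]+:/ {
            cert = $3; sub(/:$/, "", cert); next
        }
        /Policy rejects subkey [0-9A-Fa-f]+:/ {
            sub(/^[ \t]+/, "")
            sub(/^Policy rejects subkey /, "")
            key = $0;    sub(/:.*/, "", key)
            reason = $0; sub(/^[^:]*:[ \t]*/, "", reason)
            print cert, key, reason
        }
    '
}

# Import a key file and return non-zero if rpm failed or reported any
# policy rejection. LC_ALL=C keeps the messages in the form parsed above.
# Usage: import_key_strict oracle_vbox_2016.asc && rpm --checksig pkg.rpm
import_key_strict() {
    keyfile=$1
    status=0
    err=$(LC_ALL=C rpm --import "$keyfile" 2>&1 >/dev/null) || status=$?
    if [ -n "$err" ]; then printf '%s\n' "$err" >&2; fi
    rejected=$(printf '%s\n' "$err" | policy_rejections)
    if [ "$status" -ne 0 ] || [ -n "$rejected" ]; then
        echo "key $keyfile is not usable under the host crypto policy" >&2
        return 1
    fi
}
```

Running `ticket_warning | policy_rejections` shows the parser on the warning from the description without needing rpm installed.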
