[SOLVED] darktable 4.6.0 will not install from Fedora repo

I’m running Fedora 39 and just installed the graphics:darktable RPM repo from the install page. Here’s the graphics:darktable.repo file:

[graphics_darktable]
name=Darktable (Fedora_39)
type=rpm-md
baseurl=https://download.opensuse.org/repositories/graphics:/darktable/Fedora_39/
gpgcheck=1
gpgkey=https://download.opensuse.org/repositories/graphics:/darktable/Fedora_39/repodata/repomd.xml.key
enabled=1

When I try to install it using dnf upgrade darktable, it fails with the following error about an expired key:

error: Verifying a signature using certificate 3247B7519EDBEAB422E900A3040524A84C70D8B5 (graphics:darktable OBS Project <graphics:darktable@build.opensuse.org>):
  1. Certificiate 040524A84C70D8B5 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-05-16T15:21:19Z
  2. Key 040524A84C70D8B5 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-05-16T15:21:19Z
error: Verifying a signature using certificate 3247B7519EDBEAB422E900A3040524A84C70D8B5 (graphics:darktable OBS Project <graphics:darktable@build.opensuse.org>):
  1. Certificiate 040524A84C70D8B5 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-05-16T15:21:19Z
  2. Key 040524A84C70D8B5 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-05-16T15:21:19Z
Darktable (Fedora_39)                                                       2.5 kB/s | 1.1 kB     00:00    
GPG key at https://download.opensuse.org/repositories/graphics:/darktable/Fedora_39/repodata/repomd.xml.key (0x4C70D8B5) is already installed
The GPG keys listed for the "Darktable (Fedora_39)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: darktable-4.6.0-72.1.x86_64
 GPG Keys are configured as: https://download.opensuse.org/repositories/graphics:/darktable/Fedora_39/repodata/repomd.xml.key

As a workaround, I tried using the flatpak version, which installed, but was apparently not compiled to use my GPU, because it was painfully slow generating thumbnails.

Suggestions?

could it be you have an old version of the key cached. this works here in a container.

cat t.repo 
[graphics_darktable]
name=Darktable (Fedora_39)
type=rpm-md
baseurl=https://download.opensuse.org/repositories/graphics:/darktable/Fedora_39/
gpgcheck=1
gpgkey=https://download.opensuse.org/repositories/graphics:/darktable/Fedora_39/repodata/repomd.xml.key
enabled=1
[root@bd54b39802d3 yum.repos.d]# dnf update
Fedora 39 - x86_64                                                                                                               11 MB/s |  89 MB     00:08    
Fedora 39 openh264 (From Cisco) - x86_64                                                                                        2.1 kB/s | 2.5 kB     00:01    
Fedora 39 - x86_64 - Updates                                                                                                     28 MB/s |  26 MB     00:00    
Darktable (Fedora_39)                                                                                                           468 kB/s |  76 kB     00:00    
dnf install darktable
Last metadata expiration check: 0:10:11 ago on Sat Dec 23 23:50:57 2023.
Dependencies resolved.
================================================================================================================================================================
 Package                                               Architecture         Version                                      Repository                        Size
================================================================================================================================================================
Installing:
 darktable                                             x86_64               4.6.0-72.1                                   graphics_darktable               6.2 M
1 Like

Thanks, that makes sense, but how would I clear out an old version of the key? dnf clean all didn’t do it. I still get the same result, and I have the same graphics:darktable.repo file. Here’s the complete output:

# dnf install darktable
Last metadata expiration check: 0:01:49 ago on Sat 23 Dec 2023 07:12:13 PM EST.
Dependencies resolved.
============================================================================================================
 Package                Architecture        Version                   Repository                       Size
============================================================================================================
Installing:
 darktable              x86_64              4.6.0-72.1                graphics_darktable              6.2 M

Transaction Summary
============================================================================================================
Install  1 Package

Total size: 6.2 M
Installed size: 29 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] darktable-4.6.0-72.1.x86_64.rpm: Already downloaded                                              
error: Verifying a signature using certificate 3247B7519EDBEAB422E900A3040524A84C70D8B5 (graphics:darktable OBS Project <graphics:darktable@build.opensuse.org>):
  1. Certificiate 040524A84C70D8B5 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-05-16T15:21:19Z
  2. Key 040524A84C70D8B5 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-05-16T15:21:19Z
error: Verifying a signature using certificate 3247B7519EDBEAB422E900A3040524A84C70D8B5 (graphics:darktable OBS Project <graphics:darktable@build.opensuse.org>):
  1. Certificiate 040524A84C70D8B5 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-05-16T15:21:19Z
  2. Key 040524A84C70D8B5 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-05-16T15:21:19Z
Darktable (Fedora_39)                                                       3.1 kB/s | 1.1 kB     00:00    
GPG key at https://download.opensuse.org/repositories/graphics:/darktable/Fedora_39/repodata/repomd.xml.key (0x4C70D8B5) is already installed
The GPG keys listed for the "Darktable (Fedora_39)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: darktable-4.6.0-72.1.x86_64
 GPG Keys are configured as: https://download.opensuse.org/repositories/graphics:/darktable/Fedora_39/repodata/repomd.xml.key
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

you can try to download the key file again and import it again. maybe that overwrites it.

Thanks, that did it. I had no idea where the old expired keys were located, but with a quick search I was able to identify and remove them with:

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
rpm -e gpg-pubkey-4c70d8b5-5e63bbef
rpm -e gpg-pubkey-d59097ab-52d46e88

Posting the details here in case others are faced with the same issue.

JFYI: --qf "%{nvr}\t%{summary}\n"

is a shortcut :slight_smile: