How to install copr packages in dom0?

I would like to install the following copr package in dom0:

  • copr:fepitre/xfce4-i3:xfce4-i3-workspaces-plugin

Here is what I did for now:

  • Use a normal AppVM to enable the copr repository:
$ sudo dnf copr enable fepitre/xfce4-i3 epel-7-x86_64
  • Copy /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:fepitre:xfce4-i3.repo to dom0
  • Copy the gpg key from https://download.copr.fedorainfracloud.org/results/fepitre/xfce4-i3/pubkey.gpg to dom0
  • Do in dom0:
$ sudo rpm --import pubkey.gpg
  • Install the package:
$ sudo qubes-dom0-update xfce4-i3-workspaces-plugin

It downloads the packages but instead of installing, I get the following error message:

The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
'/usr/lib/qubes/qrexec-client-vm dom0 qubes.ReceiveUpdates /usr/lib/qubes/qfile-agent /var/lib/qubes/dom0-updates/packages/*.rpm' failed with exit code 1!

Questions:

  • How can I install packages from copr in dom0?

Edit the /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:fepitre:xfce4-i3.repo in dom0 and change gpgkey from URL to the pubkey.gpg file path e.g.:

  • I copied pubkey.gpg to /etc/pki/rpm-gpg/RPM-GPG-KEY-fepitre-xfce4-i3
  • In /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:fepitre:xfce4-i3.repo, I changed gpgkey to file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fepitre-xfce4-i3

I still get the same error.

Maybe try to clean dnf cache and try again.

sudo dnf clean all

I tried:

sudo dnf clean all

in dom0 and the update vm sys-vpn as well.
I still get the same error.
I even changed back my update vm to sys-net. It changed nothing.

What’s the content of /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:fepitre:xfce4-i3.repo in dom0?

Here is the content of /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:fepitre:xfce4-i3.repo in dom0:

[copr:copr.fedorainfracloud.org:fepitre:xfce4-i3]
name=Copr repo for xfce4-i3 owned by fepitre
baseurl=https://download.copr.fedorainfracloud.org/results/fepitre/xfce4-i3/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
#gpgkey=https://download.copr.fedorainfracloud.org/results/fepitre/xfce4-i3/pubkey.gpg
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fepitre-xfce4-i3
repo_gpgcheck=0
enabled=1
enabled_metadata=1

It seems to be the dependency package that is missing the signing key:

dom0 qrexec-policy-daemon[2295]: qrexec: qubes.ReceiveUpdates+: sys-net -> @adminvm: allowed to dom0
dom0 qubes.ReceiveUpdates+-sys-net[6449]: Error canonicalizing file: bad OpenPGP signature: InsecureAlgorithm(2)
dom0 qubes.ReceiveUpdates+-sys-net[6449]: Error canonicalizing /var/tmp/qubes-updates-tmpgcq49lz9.UNTRUSTED/i3ipc-glib-1.0.1-1.el7.x86_64.rpm

So I guess you need to add the signing key for i3ipc-glib-1.0.1-1.el7.x86_64.rpm package.

The i3ipc-glib-1.0.1-1.el7.x86_64.rpm package is also part of the copr:copr.fedorainfracloud.org:fepitre:xfce4-i3 repository. Here is a link to the repository package list. In theory, both packages are supposed to rely on the same public key. I don’t know why i3ipc-glib specifically causes that error.

When I do this in a normal AppVM:

# dnf copr enable fepitre/xfce4-i3 epel-7-x86_64
# dnf install xfce4-i3-workspaces-plugin
...
Ask for approval for the fepitre/xfce4-i3 public key
Installs both 'xfce4-i3-workspaces-plugin' and 'i3ipc-glib'
...

You’re right, they use the same signing key:

$ rpm -qi i3ipc-glib-1.0.1-1.el7.x86_64.rpm 
warning: i3ipc-glib-1.0.1-1.el7.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID c6d4bc4e: NOKEY
Name        : i3ipc-glib
Version     : 1.0.1
Release     : 1.el7
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 307454
License     : GPL v3
Signature   : RSA/SHA256, Mon May  1 21:49:34 2023, Key ID 06ee527bc6d4bc4e
Source RPM  : i3ipc-glib-1.0.1-1.el7.src.rpm
Build Date  : Mon May  1 21:49:30 2023
Build Host  : d28991164d9d4286b5c81d6136b05de7
Vendor      : Fedora Copr - user fepitre
URL         : https://github.com/altdesktop/i3ipc-glib
Summary     : A C interface library to i3wm
Description :
A C interface library to i3wm.
$ rpm -qi xfce4-i3-workspaces-plugin-1.4.0-1.el7.x86_64.rpm 
warning: xfce4-i3-workspaces-plugin-1.4.0-1.el7.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID c6d4bc4e: NOKEY
Name        : xfce4-i3-workspaces-plugin
Version     : 1.4.0
Release     : 1.el7
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 89946
License     : GPL v3
Signature   : RSA/SHA256, Mon May  1 21:53:18 2023, Key ID 06ee527bc6d4bc4e
Source RPM  : xfce4-i3-workspaces-plugin-1.4.0-1.el7.src.rpm
Build Date  : Mon May  1 21:53:11 2023
Build Host  : ddcd7afe0880453880bf43466b0e6031
Vendor      : Fedora Copr - user fepitre
URL         : https://github.com/altdesktop/xfce4-i3-workspaces-plugin
Summary     : A workspaces plugin for xfce4 and the i3 window manager
Description :
A workspaces plugin for xfce4 and the i3 window manager.
$ gpg -n --import --import-options import-show pubkey.gpg 
pub   rsa2048 2020-05-02 [SCEA] [expires: 2025-05-01]
      9FEB78BF0B40B7D2E7DA4B9D06EE527BC6D4BC4E
uid                      fepitre_xfce4-i3 (None) <fepitre#xfce4-i3@copr.fedorahosted.org>

gpg: Total number processed: 1

I guess it’s just trying to install i3ipc-glib first and doesn’t check further because it failed.

I don’t know why it is failing.

It seems that there is an old and a new i3ipc-glib package present in the repository and they have the same version number.
Old one:
https://download.copr.fedorainfracloud.org/results/fepitre/xfce4-i3/epel-7-x86_64/01600193-i3ipc-glib/i3ipc-glib-1.0.1-1.el7.x86_64.rpm

$ rpm -qi i3ipc-glib-1.0.1-1.el7.x86_64.rpm 
warning: i3ipc-glib-1.0.1-1.el7.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c6d4bc4e: NOKEY
Name        : i3ipc-glib
Version     : 1.0.1
Release     : 1.el7
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 306530
License     : GPL v3
Signature   : RSA/SHA1, Sun Aug  9 17:11:25 2020, Key ID 06ee527bc6d4bc4e
Source RPM  : i3ipc-glib-1.0.1-1.el7.src.rpm
Build Date  : Sun Aug  9 17:11:23 2020
Build Host  : 5facf254c02148448ea81370db5739d1
URL         : https://github.com/altdesktop/i3ipc-glib
Summary     : A C interface library to i3wm
Description :
A C interface library to i3wm.

New one:
https://download.copr.fedorainfracloud.org/results/fepitre/xfce4-i3/epel-7-x86_64/05865327-i3ipc-glib/i3ipc-glib-1.0.1-1.el7.x86_64.rpm

$ rpm -qi i3ipc-glib-1.0.1-1.el7.x86_64.rpm 
warning: i3ipc-glib-1.0.1-1.el7.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID c6d4bc4e: NOKEY
Name        : i3ipc-glib
Version     : 1.0.1
Release     : 1.el7
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 307454
License     : GPL v3
Signature   : RSA/SHA256, Mon May  1 21:49:34 2023, Key ID 06ee527bc6d4bc4e
Source RPM  : i3ipc-glib-1.0.1-1.el7.src.rpm
Build Date  : Mon May  1 21:49:30 2023
Build Host  : d28991164d9d4286b5c81d6136b05de7
Vendor      : Fedora Copr - user fepitre
URL         : https://github.com/altdesktop/i3ipc-glib
Summary     : A C interface library to i3wm
Description :
A C interface library to i3wm.

And for some reason it’s downloading and using the old package. Maybe it gets the first occurrence of the package which is an old one?
The old package is using the RSA/SHA1 signature algorithm, which is no longer supported, so this is where this error is coming from:

But I’m not sure how to fix this issue properly.
Maybe @fepitre will be able to help here.
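
The situation found above (two builds with the same name-version-release.arch, one of them signed with SHA1) can be checked for in the update VM before dom0 is asked to accept the packages. The following is an added example, not part of the original thread or of Qubes OS: it parses `rpm -qi` output, the weak-digest set is an assumed policy, and the sample input is trimmed from the output quoted in the thread.

```python
import re
import sys
from collections import defaultdict

# Assumed policy: digests a verifier that refuses legacy hashes will reject.
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}
FIELD = re.compile(r"^(Name|Version|Release|Architecture|Signature)\s*:\s*(.*)$")
SIG = re.compile(r"^\w+/(?P<digest>\w+), .+, Key ID (?P<keyid>[0-9a-f]+)$")

# Sample input: fields trimmed from the `rpm -qi` output quoted in the thread.
SAMPLE = """\
Name        : i3ipc-glib
Version     : 1.0.1
Release     : 1.el7
Architecture: x86_64
Signature   : RSA/SHA1, Sun Aug  9 17:11:25 2020, Key ID 06ee527bc6d4bc4e
Name        : i3ipc-glib
Version     : 1.0.1
Release     : 1.el7
Architecture: x86_64
Signature   : RSA/SHA256, Mon May  1 21:49:34 2023, Key ID 06ee527bc6d4bc4e
"""

def parse_rpm_qi(text):
    """Split concatenated `rpm -qi` output into one dict per package."""
    packages = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Name":
            packages.append({})          # every record starts at its Name line
        if m and packages:
            packages[-1][m.group(1)] = m.group(2).strip()
    return packages

def audit(text):
    """Return (weak, dupes): weak or unsigned packages, and NVRAs signed several ways."""
    weak, by_nvra = [], defaultdict(set)
    for pkg in parse_rpm_qi(text):
        nvra = "-".join(pkg.get(k, "?") for k in ("Name", "Version", "Release"))
        nvra += "." + pkg.get("Architecture", "?")
        m = SIG.match(pkg.get("Signature", ""))
        digest = m.group("digest").upper() if m else "UNSIGNED"
        by_nvra[nvra].add(digest)
        if digest in WEAK_DIGESTS or digest == "UNSIGNED":
            weak.append((nvra, digest))
    return weak, {n: sorted(d) for n, d in by_nvra.items() if len(d) > 1}

if __name__ == "__main__":
    print(audit(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```

Piping the output of `rpm -qip /var/lib/qubes/dom0-updates/packages/*.rpm` from the update VM into the script audits the packages actually downloaded for dom0.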