[qubes-users] [R2B2]: "Domain firewallvm sent not signed rpm: "

During a Dom0 update
$ sudo qubes-dom0-update
I received the following messages:

Setting up and reading Presto delta metadata
Processing delta metadata
Packages(s) data still to download: 25M
*** ERROR while receiving updates:
Domain firewallvm sent not signed rpm: libvpx-1.2.0-1.fc18.x86_64.prm

This guide
http://qubes-os.org/trac/wiki/SoftwareUpdateDom0
doesn’t cover this situation

This thread


suggests:
“You can check details in /var/log/qubes/qrexec.XID.log (where XID id of firewallvm, you can get it with qvm-ls -i).”

This file
/var/log/qubes/qrexec.2.log
contains all the same lines
“eintr
Domain firewallvm sent not signed rpm: …
No delta-package files removed by presto
eintr”

Marek: “By disabling verification (editing yum.conf and qubes-receive-updates) you probably allowed that attack to be successful against your system.”

If I change the line
gpgcheck=1
to
gpgcheck=0
in
sudo nano -w /etc/yum.conf
then I still receive the same messages (about “not signed rpm”).

$ sudo /usr/lib/qubes/qubes-receive-updates
Domain None not allowed to send dom0 updates

I don’t want to copy rpms as described on this page
http://wiki.qubes-os.org/trac/wiki/CopyToDomZero
because this is not additional software. I think the update procedure should work automatically.

There is also a similar problem in this unanswered thread:

So, how do I perform the Dom0 update correctly?

Perhaps the package really isn't signed by a trusted key... You can check
/var/lib/qubes/dom0-updates in firewallvm ("rpm -Kv /path/to/file"). Or the file
is broken or something.

In any case try again with sudo qubes-dom0-update --clean.

Perhaps the package really isn’t signed by a trusted key…
Or the file is broken or something.

This is not a single package. There is a list of more than a hundred names.

In any case try again with sudo qubes-dom0-update --clean

This gives the same outcome (a list of messages about unsigned packages).

You can check /var/lib/qubes/dom0-updates in firewallvm (“rpm -Kv /path/to/file”)

$ rpm -Kv libvpx-1.2.0-1.fc18.x86_64.rpm
libvpx-1.2.0-1.fc18.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID de7f38bd: OK
    Header SHA1 digest: OK (6b7aaa0f9776980fafbbe7d61c16687101f35c6f)
    V3 RSA/SHA256 Signature, key ID de7f38bd: OK
    MD5 digest: OK (759bacaf3f2e5c1f7b7917983f3cbde1)

Perhaps the package really isn't signed by a trusted key...
Or the file is broken or something.

This is not a single package. There is a list of more than a hundred names.

Does this exceed 2GB? Or more than 2048 files?

In any case try again with sudo qubes-dom0-update --clean

This gives the same outcome (a list of messages about unsigned packages).

You can check /var/lib/qubes/dom0-updates in firewallvm ("rpm -Kv /path/to/file")

$ rpm -Kv libvpx-1.2.0-1.fc18.x86_64.rpm
libvpx-1.2.0-1.fc18.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID de7f38bd: OK
    Header SHA1 digest: OK (6b7aaa0f9776980fafbbe7d61c16687101f35c6f)
    V3 RSA/SHA256 Signature, key ID de7f38bd: OK
    MD5 digest: OK (759bacaf3f2e5c1f7b7917983f3cbde1)

Looks good...
One more thing: check if you have this key installed in dom0:
rpm -qa|grep gpg-pubkey-de7f38bd

If not, import with sudo rpm --import /etc/pki/rpm-gpg/*

This is not a single package. There is a list of more than a hundred names.
Does this exceed 2GB? Or more than 2048 files?

423 018 316 bytes total in 389 files

One more thing: check if you have this key installed in dom0:
rpm -qa|grep gpg-pubkey-de7f38bd

Yes, the key is installed.

Now that this is being mentioned, I did an update the other day through the Template - Updates and I received a popup saying the app wasn't signed, and wanted to know if I trusted it and wanted to install it.

I found this quite odd, so I just wanted to mention this as well.

Thanks

It more and more looks like some Fedora mirror contains unsigned
(compromised?) packages...

Compromised, that doesn't seem very likely coming off a Fedora Repo?

Hmm

1) I went to the firewallvm, found the file in the folder /var/lib/qubes/dom0-updates/packages and checked it:
the signature seems to be correct, so Fedora repositories are OK.

rpm --checksig *.rpm | grep "NOT OK"

qubes-core-dom0-2.1.16-1.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
qubes-manager-2.0.13-1.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-4.1.5-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-hvm-4.1.5gui2.1.10-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-hypervisor-4.1.5-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-libs-4.1.5-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-licenses-4.1.5-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-runtime-4.1.5-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)

[root@firewallvm packages]# rpm -qa | grep gpg-pubkey
gpg-pubkey-f6777c67-45e5b1b9
gpg-pubkey-1403bede-4bb73c9b
gpg-pubkey-de7f38bd-501f4964

[root@firewallvm /]# rpm --import /etc/pki/rpm-gpg/*

[root@firewallvm /]# rpm -qa | grep gpg-pubkey | sort
gpg-pubkey-0a40e458-50a52563
gpg-pubkey-1403bede-4bb73c9b
gpg-pubkey-a4d647e9-501f7eef
gpg-pubkey-ba094068-50d283ff
gpg-pubkey-de7f38bd-501f4964
gpg-pubkey-f531efa7-50a52148
gpg-pubkey-f6777c67-45e5b1b9
gpg-pubkey-fb4b18e6-50b96bfd

rpm --checksig /var/lib/qubes/dom0-updates/packages/*.rpm | grep "NOT OK"
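One way to do the same triage offline, as an added example that is not part of this thread or of Qubes' own tooling: the block parses `rpm --checksig` and `rpm -qa | grep gpg-pubkey` output (constructed sample lines modelled on the ones quoted above) and separates packages that are genuinely unsigned from packages signed by a key that is simply not in the rpm database, listing the key ids that still need `rpm --import`. The `homemade` and `tampered` package names are made up to exercise the unsigned and bad-signature cases.

```python
import re

# Constructed sample input, modelled on the output quoted in this thread:
# `rpm --checksig *.rpm` in firewallvm and `rpm -qa | grep gpg-pubkey`.
CHECKSIG_OUTPUT = """\
libvpx-1.2.0-1.fc18.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
qubes-core-dom0-2.1.16-1.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-4.1.5-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
homemade-0.1-1.x86_64.rpm: sha1 md5 OK
tampered-1.0-1.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK
"""
INSTALLED_KEYS = """\
gpg-pubkey-f6777c67-45e5b1b9
gpg-pubkey-1403bede-4bb73c9b
gpg-pubkey-de7f38bd-501f4964
"""

KEY_ID_RE = re.compile(r"PGP#([0-9a-f]{8})", re.IGNORECASE)
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8}$")


def classify_line(line):
    """Return (package, verdict, missing_key_ids) for one `rpm -K` line."""
    name, _, status = line.partition(": ")
    missing = frozenset(k.lower() for k in KEY_ID_RE.findall(status))
    if "NOT OK" in status:
        # A key rpm does not know about vs. a genuinely bad digest/signature.
        return name, ("missing_key" if missing else "bad"), missing
    # rpm only prints a pgp/gpg token when a signature was actually checked.
    signed = any(tok in status.lower() for tok in ("pgp", "gpg"))
    return name, ("signed_ok" if signed else "unsigned"), missing


def installed_key_ids(rpm_qa_output):
    """Short key ids from `rpm -qa | grep gpg-pubkey` output."""
    return {m.group(1) for m in map(PUBKEY_RE.match, rpm_qa_output.split()) if m}


def triage(checksig_output, rpm_qa_output):
    """Group packages by verdict and list key ids that still need importing."""
    report = {"signed_ok": [], "unsigned": [], "missing_key": [], "bad": [],
              "keys_to_import": set()}
    have = installed_key_ids(rpm_qa_output)
    for line in filter(str.strip, checksig_output.splitlines()):
        name, verdict, missing = classify_line(line)
        report[verdict].append(name)
        # Only keys absent from the rpm database need `rpm --import`.
        report["keys_to_import"] |= missing - have
    return report
```

Run it against real output by substituting the two constants with the captured text; a non-empty `keys_to_import` set points at the key files under /etc/pki/rpm-gpg that still have to be imported before the packages will verify.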

1) I went to the firewallvm, found the file in the folder
/var/lib/qubes/dom0-updates/packages and checked it:
the signature seems to be correct, so Fedora repositories are OK.

# rpm --checksig *.rpm | grep "NOT OK"
qubes-core-dom0-2.1.16-1.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
qubes-manager-2.0.13-1.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-4.1.5-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-hvm-4.1.5gui2.1.10-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-hypervisor-4.1.5-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-libs-4.1.5-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-licenses-4.1.5-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)
xen-runtime-4.1.5-5.fc18.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0a40e458)

(...)

[root@firewallvm /]# rpm --import /etc/pki/rpm-gpg/*

[root@firewallvm /]# rpm -qa | grep gpg-pubkey | sort
*gpg-pubkey-0a40e458-50a52563*

(...)

# rpm --checksig /var/lib/qubes/dom0-updates/packages/*.rpm | grep "NOT OK"
#

2) The set of keys in Dom0 differs from the set of keys in firewallvm:

[root@dom0 /]# rpm --import /etc/pki/rpm-gpg/*

[root@dom0 /]# rpm -qa | grep gpg-pubkey | sort
gpg-pubkey-0a40e458-50a52563
gpg-pubkey-de7f38bd-501f4964
gpg-pubkey-f531efa7-50a52148

Did you try qubes-dom0-update after the above import in dom0?

3) I determined which package name loaded from which file with
rpm -qa | grep gpg-pubkey | xargs rpm -qi | less
find /etc/pki/rpm-gpg/* -type f

gpg-pubkey-0a40e458-50a52563 = Qubes OS Release 2 Signing Key =?=
/etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-2-primary

Yes, that's right.

(...)

4) I tried to find the line of code which prints the message in the
subject of this topic, with
find / -type f -iname "*.py" | xargs grep "sent not signed rpm"
find / -type f -iname "*.sh" | xargs grep "sent not signed rpm"
but didn't find the place.

/usr/lib/qubes/qubes-receive-updates

5) I wish to copy the .rpm files by hand as in
http://wiki.qubes-os.org/trac/wiki/CopyToDomZero,
but don't know the name of the destination folder in Dom0.

/var/lib/qubes/updates/rpm, then run "createrepo /var/lib/qubes/updates".

But all above is quite strange: it looks like packages are good, yet dom0
service still refuses to accept them. When you copy those files to dom0, check
them with rpm -K, just to be sure.

What is the total size of all the updates in /var/lib/qubes/dom0-updates?
Perhaps you've hit a size limit...

Did you try qubes-dom0-update after the above import in dom0?

yes

/usr/lib/qubes/qubes-receive-updates

When you copy those files to dom0, check them with rpm -K, just to be sure.

The folder [dom0]#/var/lib/qubes/updates/rpm was empty.

I commented out the line
http://git.qubes-os.org/?p=marmarek/core-admin-linux.git;f=dom0-updates/qubes-receive-updates;hb=HEAD#l51

Then I ran qubes-dom0-update.
It again gives me the list of errors,
but now the folder [dom0]#/var/lib/qubes/updates/rpm
contains .rpm files.

I verified all files in that folder with

rpm -K /var/lib/qubes/updates/rpm/* | grep "NOT OK"

and all files are correct.

run "createrepo /var/lib/qubes/updates".

Then I ran

yum update

and it changed 686 packages (there were 387 .rpm files in the folder where I checked them).

But all above is quite strange: it looks like packages are good, yet dom0 service still refuses to accept them.

How can I find the root cause of this problem?

What is the total size of all the updates in /var/lib/qubes/dom0-updates?
Perhaps you’ve hit a size limit…

[root@firewallvm /]# du --total -b /var/lib/qubes/dom0-updates/
412379524 /var/lib/qubes/dom0-updates/packages
6889 /var/lib/qubes/dom0-updates/etc/yum.repos.d
11840 /var/lib/qubes/dom0-updates/etc
62586880 /var/lib/qubes/dom0-updates/var/lib/rpm
4096 /var/lib/qubes/dom0-updates/var/lib/yum/yumdb
4096 /var/lib/qubes/dom0-updates/var/lib/yum/history/2013-09-30
31744 /var/lib/qubes/dom0-updates/var/lib/yum/history
39651 /var/lib/qubes/dom0-updates/var/lib/yum/rpmdb-indexes
4096 /var/lib/qubes/dom0-updates/var/lib/yum/repos/x86_64/2/updates
4096 /var/lib/qubes/dom0-updates/var/lib/yum/repos/x86_64/2/qubes-dom0-current
4096 /var/lib/qubes/dom0-updates/var/lib/yum/repos/x86_64/2/fedora
16384 /var/lib/qubes/dom0-updates/var/lib/yum/repos/x86_64/2
20480 /var/lib/qubes/dom0-updates/var/lib/yum/repos/x86_64
24576 /var/lib/qubes/dom0-updates/var/lib/yum/repos
104199 /var/lib/qubes/dom0-updates/var/lib/yum
62695175 /var/lib/qubes/dom0-updates/var/lib
62699271 /var/lib/qubes/dom0-updates/var
475127276 /var/lib/qubes/dom0-updates/
475127276 total