Installng on Fedora 38 gpg signing issues

accuser · May 11, 2023, 9:50pm

Description of the issue: When installing brave via dnf on Fedora38 dnf errors out attempting to validate the signature.

error: Verifying a signature using certificate D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821 (Brave Software <support@brave.com>):
  Certificate 0BB75829C2D4E821 invalid: policy violation
      because: No binding signature at time 2023-05-09T19:32:44Z

How can this issue be reproduced?

Following the documentation at: https://brave.com/linux/

sudo dnf install dnf-plugins-core
sudo dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo
sudo rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
sudo dnf install brave-browser

Expected result:
Brave should be installed

Brave Version( check About Brave):
N/A

Additional Information:

[root@Augustine work]# dnf install brave-browser
Last metadata expiration check: 0:06:01 ago on Thu 11 May 2023 10:42:28 PM WEST.
Dependencies resolved.
==========================================================================================================================
 Package                         Architecture          Version                         Repository                    Size
==========================================================================================================================
Installing:
 brave-browser                   x86_64                1.51.114-1                      brave-browser                105 M
Installing dependencies:
 at                              x86_64                3.2.5-5.fc38                    fedora                        62 k
 brave-keyring                   noarch                1.10-1                          brave-browser                 11 k
 liberation-fonts                noarch                1:2.1.5-4.fc38                  fedora                       7.9 k

Transaction Summary
==========================================================================================================================
Install  4 Packages

Total download size: 105 M
Installed size: 105 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): at-3.2.5-5.fc38.x86_64.rpm                                                         487 kB/s |  62 kB     00:00    
(2/4): liberation-fonts-2.1.5-4.fc38.noarch.rpm                                           287 kB/s | 7.9 kB     00:00    
(3/4): brave-keyring-1.10-1.noarch.rpm                                                     47 kB/s |  11 kB     00:00    
(4/4): brave-browser-1.51.114-1.x86_64.rpm                                                 27 MB/s | 105 MB     00:03    
--------------------------------------------------------------------------------------------------------------------------
Total                                                                                      22 MB/s | 105 MB     00:04     
error: Verifying a signature using certificate D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821 (Brave Software <support@brave.com>):
  Certificate 0BB75829C2D4E821 invalid: policy violation
      because: No binding signature at time 2023-05-09T19:32:44Z
error: Verifying a signature using certificate D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821 (Brave Software <support@brave.com>):
  Certificate 0BB75829C2D4E821 invalid: policy violation
      because: No binding signature at time 2023-05-09T19:32:46Z
error: Verifying a signature using certificate D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821 (Brave Software <support@brave.com>):
  Certificate 0BB75829C2D4E821 invalid: policy violation
      because: No binding signature at time 2022-05-18T19:56:23Z
error: Verifying a signature using certificate D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821 (Brave Software <support@brave.com>):
  Certificate 0BB75829C2D4E821 invalid: policy violation
      because: No binding signature at time 2022-05-18T19:56:28Z
Problem opening package brave-browser-1.51.114-1.x86_64.rpm
Problem opening package brave-keyring-1.10-1.noarch.rpm
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

JimB1 · May 12, 2023, 1:57am

Can you show us the output from steps 1, 2, and 3 also?

accuser · May 12, 2023, 8:49am

Here you go! Let me know if you need any more info.

could this be related to recent changes in fedora’s crypto policies?
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

I’ve tried setting the policy to LEGACY but still no-go. I’ve also tried installing using the --nogpgcheck flag with dnf - no luck.

dnf install dnf-plugins-core

Fedora 38 - x86_64 - Updates                     12 kB/s |  14 kB     00:01    
Fedora 38 - x86_64 - Updates                    631 kB/s | 1.4 MB     00:02    
Fedora Modular 38 - x86_64 - Updates             19 kB/s |  17 kB     00:00    
Package dnf-plugins-core-4.4.0-1.fc38.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!

dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo

Adding repo from: https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo

rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc

no output

rpm can see the key and the repo is configured.
rpm -q gpg-pubkey --queryformat “%{NAME}-%{VERSION}-%{SUMMARY}\n” | grep Brave

gpg-pubkey-c2d4e821-Brave Software <support@brave.com> public key

dnf repolist | grep brave

brave-browser                                  Brave Browser

cat /etc/yum.repos.d/brave-browser.repo

[brave-browser]
name=Brave Browser
enabled=1
autorefresh=1
baseurl=https://brave-browser-rpm-release.s3.brave.com/$basearch

samy_k97 · May 12, 2023, 9:16am

I’ve been experiencing the same problem with Fedora 38 as accuser.

I’ve tried reinstalling by:

Deleting the key:

sudo rpm -e gpg-pubkey-c2d4e821-5bc51032

Deleting the repo:

sudo rm -r brave-browser.repo

Clean the dnf cache:

sudo dnf clean all

Update everything:

sudo dnf upgrade --refresh.

And follow the instructions avaliable on the website:

error: Verifying a signature using certificate D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821 (Brave Software <support@brave.com>):
  Certificate 0BB75829C2D4E821 invalid: policy violation
      because: No binding signature at time 2023-05-09T19:32:44Z
error: Verifying a signature using certificate D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821 (Brave Software <support@brave.com>):
  Certificate 0BB75829C2D4E821 invalid: policy violation
      because: No binding signature at time 2023-05-09T19:32:46Z
error: Verifying a signature using certificate D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821 (Brave Software <support@brave.com>):
  Certificate 0BB75829C2D4E821 invalid: policy violation
      because: No binding signature at time 2022-05-18T19:56:23Z
error: Verifying a signature using certificate D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821 (Brave Software <support@brave.com>):
  Certificate 0BB75829C2D4E821 invalid: policy violation
      because: No binding signature at time 2022-05-18T19:56:28Z
Problem opening package brave-browser-1.51.114-1.x86_64.rpm
Problem opening package brave-keyring-1.10-1.noarch.rpm
Error: GPG check FAILED

I’ve decided to check the Nightly build and I’ve been able to install with no problems.

The release build has been a problem with the 1.51.114 update. Updating to 1.51.110 has been fine

Riveeks · May 13, 2023, 12:06am

I also am getting this same issue

sandrth · May 13, 2023, 12:50pm

Same issue for me, with the exact same outputs for each step.

JimB1 · May 15, 2023, 7:07am

Interesting. Good find on that link. Not 100% clear if that’s the root cause; it looks like there’s been a ‘solution’ here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-bd9a4614ad

I never had this issue after upgrading from F37 to F38, so I’m not sure why it would affect some and not others, if this is indeed the issue.

Have you tried what’s posted there? Looks like: sudo dnf upgrade --refresh --advisory=FEDORA-2023-bd9a4614ad

That said, I’m also thinking all these issues were supposedly solved before the F38 release. So I’m not super optimistic about this fixing it for you unfortunately, but worth a shot.

accuser · May 15, 2023, 3:45pm

Interesting.

I’ve tried it and was unsuccessful. This is a fresh install of F38 (not an upgrade).

I had also tried setting the crypto policy to legacy, is that was also a no-go. Wish I could just ignore the darn gpg check. I don’t really want to run Brave as a Flatpack.

arivappa · May 15, 2023, 5:45pm

@accuser I too got the same problem. The problem seems to be with only release channel, just now I installed brave beta version and it is working well. I don’t know why release channel is giving us error …

I got to know about the problem here: https://www.reddit.com/r/brave_browser/comments/13hcye8/brave_browser_is_not_installing_on_fedora_linux_38/?utm_source=share&utm_medium=web2x&context=3

I hope it may help you … !!

GinnyGlider · May 15, 2023, 8:25pm

Oh, thought it was just me : D

Currently using the flatpack (first time) but it’s a bit buggy.
Brave beta worked for me. (In terms of it being installed)

Seems to be another post here on the forum: Installation GPG error on Fedora 38

A GitHub post on the issue one user suggested to try and skip the gpg check which I tried but it didn’t work: Installation GPG error on Fedora 38

“but the better solution is that brave should fix the certificates…”

Left this here if that helps others. Hope it gets fixed soon. Good day!

JimB1 · May 18, 2023, 3:50am

There is apparently a new brave-keyring package in their repo, does that solve anything? If you repeat the earlier steps, except now with the newer packages, any changes?

accuser · May 18, 2023, 6:52am

Great Success!! (in my best Borat voice)

thank you so much for the help!

by the way, also noticed a newer version of the browser package.

dnf install brave-browser

Dependencies resolved.
================================================================================
 Package               Arch        Version             Repository          Size
================================================================================
Installing:
 brave-browser         x86_64      1.51.118-1          brave-browser      105 M
Installing dependencies:
 at                    x86_64      3.2.5-5.fc38        fedora              62 k
 brave-keyring         noarch      1.11-1              brave-browser       11 k
 liberation-fonts      noarch      1:2.1.5-4.fc38      fedora             7.9 k

Transaction Summary
================================================================================
Install  4 Packages

Total size: 105 M
Total download size: 105 M
Installed size: 105 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] at-3.2.5-5.fc38.x86_64.rpm: Already downloaded                       
[SKIPPED] liberation-fonts-2.1.5-4.fc38.noarch.rpm: Already downloaded         
(3/4): brave-keyring-1.11-1.noarch.rpm          108 kB/s |  11 kB     00:00    
(4/4): brave-browser-1.51.118-1.x86_64.rpm       23 MB/s | 105 MB     00:04    
--------------------------------------------------------------------------------
Total                                            23 MB/s | 105 MB     00:04     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : liberation-fonts-1:2.1.5-4.fc38.noarch                 1/4 
  Installing       : at-3.2.5-5.fc38.x86_64                                 2/4 
  Running scriptlet: at-3.2.5-5.fc38.x86_64                                 2/4 
Created symlink /etc/systemd/system/multi-user.target.wants/atd.service → /usr/lib/systemd/system/atd.service.

  Installing       : brave-keyring-1.11-1.noarch                            3/4 
  Running scriptlet: brave-keyring-1.11-1.noarch                            3/4 
Redirecting to /bin/systemctl start atd.service

  Running scriptlet: brave-browser-1.51.118-1.x86_64                        4/4 
  Installing       : brave-browser-1.51.118-1.x86_64                        4/4 
  Running scriptlet: brave-browser-1.51.118-1.x86_64                        4/4 
  Verifying        : brave-browser-1.51.118-1.x86_64                        1/4 
  Verifying        : brave-keyring-1.11-1.noarch                            2/4 
  Verifying        : at-3.2.5-5.fc38.x86_64                                 3/4 
  Verifying        : liberation-fonts-1:2.1.5-4.fc38.noarch                 4/4 

Installed:
  at-3.2.5-5.fc38.x86_64            brave-browser-1.51.118-1.x86_64             
  brave-keyring-1.11-1.noarch       liberation-fonts-1:2.1.5-4.fc38.noarch      

Complete!

system · June 17, 2023, 6:52am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.