VirtualBox

2 年 前 建立

2 年 前 結束

2 年 前 更新

#21599 closed defect (fixed)

In Fedora 38, can't import oracle_vbox.asc, so impossible to check package signature

回報者: Andre Robatino 負責人:
元件: other 版本: VirtualBox-7.0.8
關鍵字: 副本:
Guest type: other Host type: Linux

描述

In Fedora 38, the command "rpm --import oracle_vbox.asc" gives

warning: Certificate 54422A4B98AB5139:
  Policy rejects subkey B6748A65281DDC4B: Policy rejected asymmetric algorithm

Because of this, it's impossible to check the signature of a signed RPM. See https://forums.virtualbox.org/viewtopic.php?f=7&t=109143 . (This is NOT associated with a specific version of VirtualBox but I was forced to specify one.)

更動歷史 (8)

comment:1 2 年 前Andre Robatino 編輯

The oracle_vbox.asc file hasn't changed in years, so this is definitely due to a change in the OS. Presumably the .asc file needs to be updated to a newer format (and future VirtualBox RPMs signed with that).

最後由 Andre Robatino 編輯於 2 年 前 (上一筆) (差異)

comment:2 2 年 前fth0 編輯

According to the official download page Download VirtualBox for Linux Hosts, VirtualBox 6.1.44/7.0.8 started using the newer key named oracle_vbox_2016.asc, which has been used for Debian-based Linux distributions since 2016, also for RPM-based Linux distributions now.

Can you verify that using the right key works for you?

comment:3 2 年 前Andre Robatino 編輯

The new file oracle_vbox_2016.asc does work, thanks! The .repo files at the bottom of the download page still need to be changed to contain the new file, if it's intended to provide a repo for new Fedora versions (37 and 38 are both missing right now).

comment:4 2 年 前fth0 編輯

Check the .repo files again. ;)

PS: I didn't do anything!

最後由 fth0 編輯於 2 年 前 (上一筆) (差異)

comment:5 2 年 前galitsyn 編輯

Hi robatino,

From 6.1.44/7.0.8 we started to sign RPMs and RPM repos using SHA-256. Key oracle_vbox_2016.asc should be used in order to verify new signatures. If you intend to attach official VBox repo for Fedora packages, please refer to https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo (gpgkey was updated today).

Please let us know if it works for you, so ticket can be closed. Btw, this ticket is a duplicate of #21451.

comment:6 2 年 前Andre Robatino 編輯

Yes, like I said above, the new key works for me in verifying the signature for 7.0.8. The repo files are also updated, as fth0 said, though there are still no 37/38 repos at https://download.virtualbox.org/virtualbox/rpm/fedora/ . (They could just be copies of 36/ since the same RPM works in 36/37/38.) Sorry for the duplicate ticket.

comment:7 2 年 前galitsyn 編輯

狀態: newclosed
處理結果: fixed

Thank you. Closing ticket.

注意: 瀏覽 TracTickets 來幫助您使用待辦事項功能

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette