as of today’s kicad nightly update, it seems like the GPG key pair used to sign the COPR repo is expired. Maybe renew it?
Here is the end part of the fedora dnf logs:
Downloading Packages:
[...]
(40/42): kicad-nightly-7.99.0-1.20230508git9f62e88.fc38.x86_ 2.2 MB/s | 68 MB 00:30
[...]
(42/42): kicad-nightly-doc-7.99.0-1.20230508gitb99e2da.fc38. 5.5 MB/s | 298 MB 00:54
---------------------------------------------------------------------------------------------
[...]
error: Verifying a signature using certificate DD4B35E70DC95FDE699B4F0C13A8A6344C710964 (@kicad_kicad (None) <@kicad#kicad@copr.fedorahosted.org>):
1. Certificiate 13A8A6344C710964 invalid: certificate is not alive
because: The primary key is not live
because: Expired on 2022-04-09T21:57:20Z
2. Key 13A8A6344C710964 invalid: key is not alive
because: The primary key is not live
because: Expired on 2022-04-09T21:57:20Z
The GPG keys listed for the "Copr repo for kicad owned by @kicad" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: kicad-nightly-7.99.0-1.20230508git9f62e88.fc38.x86_64
GPG Keys are configured as: https://download.copr.fedorainfracloud.org/results/@kicad/kicad/pubkey.gpg
Public key for kicad-nightly-doc-7.99.0-1.20230508gitb99e2da.fc38.noarch.rpm is not trusted. Failing package is: kicad-nightly-doc-7.99.0-1.20230508gitb99e2da.fc38.noarch
GPG Keys are configured as: https://download.copr.fedorainfracloud.org/results/@kicad/kicad/pubkey.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
I am guessing you just upgraded to Fedora 38 and didn’t do a clean install? Fedora 38 has some stricter policies regarding the GPG keys for repositories and packages, so expect some more of these errors with 3rd-party repos.
Looking at the KiCad repo specifically, the key served by the COPR right now is valid (I downloaded the pubkey from COPR just now):
$ gpg -vv pubkey.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
version 4, algo 1, created 1491861440, expires 0
pkey[0]: [2048 bits]
pkey[1]: [17 bits]
keyid: 13A8A6344C710964
# off=272 ctb=b4 tag=13 hlen=2 plen=56
:user ID packet: "@kicad_kicad (None) <@kicad#kicad@copr.fedorahosted.org>"
# off=330 ctb=89 tag=2 hlen=3 plen=340
:signature packet: algo 1, keyid 13A8A6344C710964
version 4, created 1618024969, md5len 0, sigclass 0x13
digest algo 8, begin of digest 6c 2f
hashed subpkt 27 len 1 (key flags: 2F)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 9 10 11 2)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (keyserver preferences: 80)
hashed subpkt 33 len 21 (issuer fpr v4 DD4B35E70DC95FDE699B4F0C13A8A6344C710964)
hashed subpkt 2 len 4 (sig created 2021-04-10)
hashed subpkt 9 len 4 (key expires after 9y0d5h25m)
subpkt 16 len 8 (issuer key ID 13A8A6344C710964)
data: [2046 bits]
pub rsa2048 2017-04-10 [SCEA] [expires: 2026-04-09]
DD4B35E70DC95FDE699B4F0C13A8A6344C710964
uid @kicad_kicad (None) <@kicad#kicad@copr.fedorahosted.org>
sig 13A8A6344C710964 2021-04-10 [selfsig]
I think you might have an older key installed on your system from when you added the COPR originally, and it has been updated/renewed already on the server but your system hasn’t gotten the updated key
Try running these commands to get the current key from the server:
Find the actual COPR key using: rpm -q --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n" gpg-pubkey | grep kicad
Remove your current GPG key for the COPR using sudo rpm -e gpg-pubkey-XXXXXXXX-XXXXXXXX (replacing the gpg-pubkey-* with the numbers from step 1.
Add the new COPR key: sudo rpm --import https://download.copr.fedorainfracloud.org/results/@kicad/kicad/pubkey.gpg
Indeed, that issue seems to be solved by manually purging the old gpg key.
I would guess this is the reason why for redhat-related distros usually they do not renew their keys, but actually completely change signing keys as to force a re-import of the new key.