Expired signing key for Intel oneAPI???

nsmeds · ‎04-28-2023

I am definitely not an expert on this, but my system (Fedora 38) has started to complain about the oneAPI signing key. This occurred upon upgrading from Fedora 37 and it is known that with Fedora 38 the requirements on the signing key by the DNF tool has become more strict.

When trying to manually install the signing (public) key I get the following error:

[nsmeds-x1(nsmeds):~] sudo rpmkeys --import https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB --nosignature
error: Certificate 1A8497B11911E097:
The certificate is expired: The primary key is not live
error: https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB: key 1 import failed.

[nsmeds-x1(nsmeds):~] gpg --openpgp  GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2016-09-28 [SC] [expired: 2019-09-27]
      BF4385F91CA5FC005AB39E1C1A8497B11911E097
uid           "CN = Intel(R) Software Development Products", O=Intel Corporation
pub   rsa2048 2019-09-30 [SC] [expires: 2023-09-30]
      52ABD6E87E421793971873FFACFA9FC57E6C5DBE
uid           Intel(R) Software Development Products
pub   rsa2048 2019-07-26 [SC] [expires: 2023-07-26]
      E1BA4ECEFB0656C61BF9794936B9569B3F1A1BC7
uid           KEY-PIDT-PGP-20190726
pub   rsa2048 2020-05-18 [SC] [expires: 2024-05-18]
      6113D31362A0D280FC025AAB640736427872A220
uid           CN=Intel(R) Software Development Products (PREPROD USE ONLY)

nsmeds · ‎04-28-2023

And here is the way to extend/renew the validation of an expired key.

https://superuser.com/questions/813421/can-you-extend-the-expiration-date-of-an-already-expired-gpg-key

ArpanB_Intel · ‎05-07-2023

Hi Nils, thank you for reaching out to us. We will check this issue and soon get back to you with our findings.

Metalfreak · ‎05-23-2023

Can confirm that its impossible to install oneAPI under Fedora 38. Even if you add the --nogpgcheck flag to the install command you get the following error:

  package intel-basekit-2023.1.0-46401.x86_64 does not verify: RSA signature: BAD (package tag 1002: invalid OpenPGP signature: Parsing an OpenPGP packet:
  Failed to parse Signature Packet
      because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.
      because: Malformed MPI: leading bit is not set: expected bit 8 to be set in     1100 (c))

ArpanB_Intel · ‎05-26-2023

Nils, we do not support usage of non-native package managers like yum on Ubuntu or apt on RHEL, only the native ones. We have checked native package managers on all the supported platforms and they are fine:

ubuntu:22.04 - apt - OK
ubuntu:20.04 - apt - OK
debian:9 - apt - OK
debian:10 - apt - OK
debian:11 - apt - OK
redhat/ubi8 - dnf - OK
redhat/ubi9 - dnf - OK
rockylinux:8 - dnf - OK
rockylinux:9 - dnf - OK
fedora:36 - dnf - OK
fedora:37 - dnf - OK
amazonlinux:2 - yum - OK
amazonlinux:2022 - dnf - OK
registry.suse.com/suse/sle15:15.3 - zypper - OK
registry.suse.com/suse/sle15:15.4 - zypper - OK

The only known system where this issue appears is Fedora 38 which is not yet supported by oneAPI. It's tracked separately and will be resolved by the time a new Intel® oneAPI Toolkit version supporting it is released. Thus, this is not a defect for Intel® oneAPI Toolkit 2023.1.

ArpanB_Intel · ‎06-02-2023

Nils, unfortunately we were unable to hear back from you.

If you have any further query, please post a new question as this thread will no longer be monitored by Intel®.