Fedora – GPG RPM Key Issue After Distribution Upgrade
After a Fedora distribution upgrade a rpm gpg key verification may fail. This may be due to rpm db changes and require the key to be deleted.
Caveat
Not only does this post not represent a root cause analysis, it does not provide an analysis of any other potential causes of the problem, nor does it explore alternative solutions. Hopefully it will be helpful to some, otherwise it can just be an aide-memoire for myself.
Problem manifestation
For me the issue occurred after a Fedora distribution upgrade from 37 to 38 and manifested itself installing a package from a repository that had already been added and used in Fedora 37.
What happened was this:-
[mgrantprg@minerva ~]$ sudo dnf install swocclient
Last metadata expiration check: 0:00:18 ago on Sun 11 Jun 2023 14:05:11 BST.
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
swocclient x86_64 1.6.3-7.1 home_m-grant-prg 37 k
Installing dependencies:
libmgec2 x86_64 1.6.7-4.1 home_m-grant-prg 37 k
libmgesysutils1 x86_64 1.4.6-5.1 home_m-grant-prg 33 k
libswocclient2 x86_64 1.6.3-7.1 home_m-grant-prg 35 k
libswoccommon3 x86_64 1.6.3-7.1 home_m-grant-prg 41 k
swoccommon-conf x86_64 1.6.3-7.1 home_m-grant-prg 32 k
Transaction Summary
================================================================================
Install 6 Packages
Total download size: 214 k
Installed size: 473 k
Is this ok [y/N]: y
Downloading Packages:
(1/6): libswocclient2-1.6.3-7.1.x86_64.rpm 66 kB/s | 35 kB 00:00
(2/6): libmgesysutils1-1.4.6-5.1.x86_64.rpm 52 kB/s | 33 kB 00:00
(3/6): libmgec2-1.6.7-4.1.x86_64.rpm 50 kB/s | 37 kB 00:00
(4/6): libswoccommon3-1.6.3-7.1.x86_64.rpm 108 kB/s | 41 kB 00:00
(5/6): swocclient-1.6.3-7.1.x86_64.rpm 133 kB/s | 37 kB 00:00
(6/6): swoccommon-conf-1.6.3-7.1.x86_64.rpm 118 kB/s | 32 kB 00:00
--------------------------------------------------------------------------------
Total 212 kB/s | 214 kB 00:01
error: Verifying a signature using certificate 361329023DDAE78F2F8614313FD1CDB63E00F70B (home:m-grant-prg OBS Project <home:m-grant-prg@build.opensuse.org>):
1. Certificiate 3FD1CDB63E00F70B invalid: certificate is not alive
because: The primary key is not live
because: Expired on 2021-03-12T09:54:18Z
2. Key 3FD1CDB63E00F70B invalid: key is not alive
because: The primary key is not live
because: Expired on 2021-03-12T09:54:18Z
error: Verifying a signature using certificate 361329023DDAE78F2F8614313FD1CDB63E00F70B (home:m-grant-prg OBS Project <home:m-grant-prg@build.opensuse.org>):
1. Certificiate 3FD1CDB63E00F70B invalid: certificate is not alive
because: The primary key is not live
because: Expired on 2021-03-12T09:54:18Z
2. Key 3FD1CDB63E00F70B invalid: key is not alive
because: The primary key is not live
because: Expired on 2021-03-12T09:54:18Z
home:m-grant-prg (Fedora_38) 11 kB/s | 1.1 kB 00:00
GPG key at https://download.opensuse.org/repositories/home:/m-grant-prg/Fedora_38/repodata/repomd.xml.key
(0x3E00F70B) is already installed
^^^^^^^^^^ Offending key.
<snip repetition>
The GPG keys listed for the "home:m-grant-prg (Fedora_38)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: libmgec2-1.6.7-4.1.x86_64
GPG Keys are configured as: https://download.opensuse.org/repositories/home:/m-grant-prg/Fedora_38/repodata/repomd.xml.key
<snip repetition>
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
[mgrantprg@minerva ~]$
Suspected cause and solution
Apart from indicating that it is unhappy about keys, the error messages are a bit misleading and confusing. It would appear from the above that the key has expired; however, performing a similar installation in a new container executes trouble-free. So the keys are OK.
The suspect in this case is something incorrect, or made incorrect, in the rpm database due to the distribution upgrade.
The solution is to delete the offending key and perform the install again. (Performing the install again should retrieve the now missing key).
Note the hex value annotated above as the offending key.
Delete the key (NB alpha hex characters must be in lower case):-
[mgrantprg@minerva ~]$ sudo rpm -e gpg-pubkey-3e00f70b
[mgrantprg@minerva ~]$
Now attempt the failing activity again:-
[mgrantprg@minerva ~]$ sudo dnf install swocclient
Last metadata expiration check: 0:01:12 ago on Sun 11 Jun 2023 14:15:17 BST.
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
swocclient x86_64 1.6.3-7.1 home_m-grant-prg 37 k
Installing dependencies:
libmgec2 x86_64 1.6.7-4.1 home_m-grant-prg 37 k
libmgesysutils1 x86_64 1.4.6-5.1 home_m-grant-prg 33 k
libswocclient2 x86_64 1.6.3-7.1 home_m-grant-prg 35 k
libswoccommon3 x86_64 1.6.3-7.1 home_m-grant-prg 41 k
swoccommon-conf x86_64 1.6.3-7.1 home_m-grant-prg 32 k
Transaction Summary
================================================================================
Install 6 Packages
Total download size: 214 k
Installed size: 473 k
Is this ok [y/N]: y
Downloading Packages:
(1/6): libmgec2-1.6.7-4.1.x86_64.rpm 83 kB/s | 37 kB 00:00
(2/6): libswocclient2-1.6.3-7.1.x86_64.rpm 66 kB/s | 35 kB 00:00
(3/6): libmgesysutils1-1.4.6-5.1.x86_64.rpm 51 kB/s | 33 kB 00:00
(4/6): libswoccommon3-1.6.3-7.1.x86_64.rpm 100 kB/s | 41 kB 00:00
(5/6): swocclient-1.6.3-7.1.x86_64.rpm 93 kB/s | 37 kB 00:00
(6/6): swoccommon-conf-1.6.3-7.1.x86_64.rpm 88 kB/s | 32 kB 00:00
--------------------------------------------------------------------------------
Total 210 kB/s | 214 kB 00:01
home:m-grant-prg (Fedora_38) 12 kB/s | 1.1 kB 00:00
Importing GPG key 0x3E00F70B:
Userid : "home:m-grant-prg OBS Project <home:m-grant-prg@build.opensuse.org>"
Fingerprint: 3613 2902 3DDA E78F 2F86 1431 3FD1 CDB6 3E00 F70B
From : https://download.opensuse.org/repositories/home:/m-grant-prg/Fedora_38/repodata/repomd.xml.key
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : libmgec2-1.6.7-4.1.x86_64 1/6
Running scriptlet: libmgec2-1.6.7-4.1.x86_64 1/6
Installing : libmgesysutils1-1.4.6-5.1.x86_64 2/6
Running scriptlet: libmgesysutils1-1.4.6-5.1.x86_64 2/6
Installing : swoccommon-conf-1.6.3-7.1.x86_64 3/6
Installing : libswoccommon3-1.6.3-7.1.x86_64 4/6
Running scriptlet: libswoccommon3-1.6.3-7.1.x86_64 4/6
Installing : libswocclient2-1.6.3-7.1.x86_64 5/6
Running scriptlet: libswocclient2-1.6.3-7.1.x86_64 5/6
Installing : swocclient-1.6.3-7.1.x86_64 6/6
Running scriptlet: swocclient-1.6.3-7.1.x86_64 6/6
Verifying : libmgec2-1.6.7-4.1.x86_64 1/6
Verifying : libmgesysutils1-1.4.6-5.1.x86_64 2/6
Verifying : libswocclient2-1.6.3-7.1.x86_64 3/6
Verifying : libswoccommon3-1.6.3-7.1.x86_64 4/6
Verifying : swocclient-1.6.3-7.1.x86_64 5/6
Verifying : swoccommon-conf-1.6.3-7.1.x86_64 6/6
Installed:
libmgec2-1.6.7-4.1.x86_64 libmgesysutils1-1.4.6-5.1.x86_64
libswocclient2-1.6.3-7.1.x86_64 libswoccommon3-1.6.3-7.1.x86_64
swocclient-1.6.3-7.1.x86_64 swoccommon-conf-1.6.3-7.1.x86_64
Complete!
[mgrantprg@minerva ~]$
Hey presto, at least in these circumstances, problem solved.
My Projects
Software and Debian packaging sources can be found on GitHub: https://github.com/m-grant-prg
Debian, Fedora, openSUSE and Raspbian packages can be found on the openSUSE Build Service: https://build.opensuse.org/project/show/home:m-grant-prg
Ubuntu packages can be found in my PPA on LaunchPad: https://code.launchpad.net/~m-grant-prg/+archive/ubuntu/utils
The entry point to my Ubuntu packages on LaunchPad: https://launchpad.net/~m-grant-prg