Fedora – GPG RPM Key Issue After Distribution Upgrade

After a Fedora distribution upgrade a rpm gpg key verification may fail. This may be due to rpm db changes and require the key to be deleted.

Caveat

Not only does this post not represent a root cause analysis, it does not provide an analysis of any other potential causes of the problem, nor does it explore alternative solutions. Hopefully it will be helpful to some, otherwise it can just be an aide-memoire for myself.

Problem manifestation

For me the issue occurred after a Fedora distribution upgrade from 37 to 38 and manifested itself installing a package from a repository that had already been added and used in Fedora 37.

What happened was this:-

[mgrantprg@minerva ~]$ sudo dnf install swocclient
Last metadata expiration check: 0:00:18 ago on Sun 11 Jun 2023 14:05:11 BST.
Dependencies resolved.
================================================================================
 Package              Arch        Version           Repository             Size
================================================================================
Installing:
 swocclient           x86_64      1.6.3-7.1         home_m-grant-prg       37 k
Installing dependencies:
 libmgec2             x86_64      1.6.7-4.1         home_m-grant-prg       37 k
 libmgesysutils1      x86_64      1.4.6-5.1         home_m-grant-prg       33 k
 libswocclient2       x86_64      1.6.3-7.1         home_m-grant-prg       35 k
 libswoccommon3       x86_64      1.6.3-7.1         home_m-grant-prg       41 k
 swoccommon-conf      x86_64      1.6.3-7.1         home_m-grant-prg       32 k

Transaction Summary
================================================================================
Install  6 Packages

Total download size: 214 k
Installed size: 473 k
Is this ok [y/N]: y
Downloading Packages:
(1/6): libswocclient2-1.6.3-7.1.x86_64.rpm       66 kB/s |  35 kB     00:00    
(2/6): libmgesysutils1-1.4.6-5.1.x86_64.rpm      52 kB/s |  33 kB     00:00    
(3/6): libmgec2-1.6.7-4.1.x86_64.rpm             50 kB/s |  37 kB     00:00    
(4/6): libswoccommon3-1.6.3-7.1.x86_64.rpm      108 kB/s |  41 kB     00:00    
(5/6): swocclient-1.6.3-7.1.x86_64.rpm          133 kB/s |  37 kB     00:00    
(6/6): swoccommon-conf-1.6.3-7.1.x86_64.rpm     118 kB/s |  32 kB     00:00    
--------------------------------------------------------------------------------
Total                                           212 kB/s | 214 kB     00:01     
error: Verifying a signature using certificate 361329023DDAE78F2F8614313FD1CDB63E00F70B (home:m-grant-prg OBS Project <home:m-grant-prg@build.opensuse.org>):
  1. Certificiate 3FD1CDB63E00F70B invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2021-03-12T09:54:18Z
  2. Key 3FD1CDB63E00F70B invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2021-03-12T09:54:18Z
error: Verifying a signature using certificate 361329023DDAE78F2F8614313FD1CDB63E00F70B (home:m-grant-prg OBS Project <home:m-grant-prg@build.opensuse.org>):
  1. Certificiate 3FD1CDB63E00F70B invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2021-03-12T09:54:18Z
  2. Key 3FD1CDB63E00F70B invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2021-03-12T09:54:18Z
home:m-grant-prg (Fedora_38)                     11 kB/s | 1.1 kB     00:00    
GPG key at https://download.opensuse.org/repositories/home:/m-grant-prg/Fedora_38/repodata/repomd.xml.key 
(0x3E00F70B) is already installed
 ^^^^^^^^^^ Offending key.

<snip repetition>

The GPG keys listed for the "home:m-grant-prg (Fedora_38)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: libmgec2-1.6.7-4.1.x86_64
 GPG Keys are configured as: https://download.opensuse.org/repositories/home:/m-grant-prg/Fedora_38/repodata/repomd.xml.key

<snip repetition>

The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
[mgrantprg@minerva ~]$

Suspected cause and solution

Apart from indicating that it is unhappy about keys, the error messages are a bit misleading and confusing. It would appear from the above that the key has expired; however, performing a similar installation in a new container executes trouble-free. So the keys are OK.

The suspect in this case is something incorrect, or made incorrect, in the rpm database due to the distribution upgrade.

The solution is to delete the offending key and perform the install again. (Performing the install again should retrieve the now missing key).

Note the hex value annotated above as the offending key.

Delete the key (NB alpha hex characters must be in lower case):-

[mgrantprg@minerva ~]$ sudo rpm -e gpg-pubkey-3e00f70b
[mgrantprg@minerva ~]$

Now attempt the failing activity again:-

[mgrantprg@minerva ~]$ sudo dnf install swocclient
Last metadata expiration check: 0:01:12 ago on Sun 11 Jun 2023 14:15:17 BST.
Dependencies resolved.
================================================================================
 Package              Arch        Version           Repository             Size
================================================================================
Installing:
 swocclient           x86_64      1.6.3-7.1         home_m-grant-prg       37 k
Installing dependencies:
 libmgec2             x86_64      1.6.7-4.1         home_m-grant-prg       37 k
 libmgesysutils1      x86_64      1.4.6-5.1         home_m-grant-prg       33 k
 libswocclient2       x86_64      1.6.3-7.1         home_m-grant-prg       35 k
 libswoccommon3       x86_64      1.6.3-7.1         home_m-grant-prg       41 k
 swoccommon-conf      x86_64      1.6.3-7.1         home_m-grant-prg       32 k

Transaction Summary
================================================================================
Install  6 Packages

Total download size: 214 k
Installed size: 473 k
Is this ok [y/N]: y
Downloading Packages:
(1/6): libmgec2-1.6.7-4.1.x86_64.rpm             83 kB/s |  37 kB     00:00    
(2/6): libswocclient2-1.6.3-7.1.x86_64.rpm       66 kB/s |  35 kB     00:00    
(3/6): libmgesysutils1-1.4.6-5.1.x86_64.rpm      51 kB/s |  33 kB     00:00    
(4/6): libswoccommon3-1.6.3-7.1.x86_64.rpm      100 kB/s |  41 kB     00:00    
(5/6): swocclient-1.6.3-7.1.x86_64.rpm           93 kB/s |  37 kB     00:00    
(6/6): swoccommon-conf-1.6.3-7.1.x86_64.rpm      88 kB/s |  32 kB     00:00    
--------------------------------------------------------------------------------
Total                                           210 kB/s | 214 kB     00:01     
home:m-grant-prg (Fedora_38)                     12 kB/s | 1.1 kB     00:00    
Importing GPG key 0x3E00F70B:
 Userid     : "home:m-grant-prg OBS Project <home:m-grant-prg@build.opensuse.org>"
 Fingerprint: 3613 2902 3DDA E78F 2F86 1431 3FD1 CDB6 3E00 F70B
 From       : https://download.opensuse.org/repositories/home:/m-grant-prg/Fedora_38/repodata/repomd.xml.key
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : libmgec2-1.6.7-4.1.x86_64                              1/6 
  Running scriptlet: libmgec2-1.6.7-4.1.x86_64                              1/6 
  Installing       : libmgesysutils1-1.4.6-5.1.x86_64                       2/6 
  Running scriptlet: libmgesysutils1-1.4.6-5.1.x86_64                       2/6 
  Installing       : swoccommon-conf-1.6.3-7.1.x86_64                       3/6 
  Installing       : libswoccommon3-1.6.3-7.1.x86_64                        4/6 
  Running scriptlet: libswoccommon3-1.6.3-7.1.x86_64                        4/6 
  Installing       : libswocclient2-1.6.3-7.1.x86_64                        5/6 
  Running scriptlet: libswocclient2-1.6.3-7.1.x86_64                        5/6 
  Installing       : swocclient-1.6.3-7.1.x86_64                            6/6 
  Running scriptlet: swocclient-1.6.3-7.1.x86_64                            6/6 
  Verifying        : libmgec2-1.6.7-4.1.x86_64                              1/6 
  Verifying        : libmgesysutils1-1.4.6-5.1.x86_64                       2/6 
  Verifying        : libswocclient2-1.6.3-7.1.x86_64                        3/6 
  Verifying        : libswoccommon3-1.6.3-7.1.x86_64                        4/6 
  Verifying        : swocclient-1.6.3-7.1.x86_64                            5/6 
  Verifying        : swoccommon-conf-1.6.3-7.1.x86_64                       6/6 

Installed:
  libmgec2-1.6.7-4.1.x86_64              libmgesysutils1-1.4.6-5.1.x86_64       
  libswocclient2-1.6.3-7.1.x86_64        libswoccommon3-1.6.3-7.1.x86_64        
  swocclient-1.6.3-7.1.x86_64            swoccommon-conf-1.6.3-7.1.x86_64       

Complete!
[mgrantprg@minerva ~]$

Hey presto, at least in these circumstances, problem solved.

My Projects