Update the Signing Key for Percona Debian and Ubuntu Packages

October 13, 2016 | Posted In: Events and Announcements, MySQL, Percona Software

In this blog post, we’ll explain how to update the signing key for Percona Debian and Ubuntu packages.

Some users might have already noticed the following warning on Ubuntu 16.04 (Xenial Xerus):

W: http://repo.percona.com/apt/dists/xenial/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)

when running apt-get update.

Percona .deb packages are signed with a key that uses an algorithm now considered weak. Starting with the next release, Debian and Ubuntu packages are signed with a new key that uses the much stronger SHA-512 algorithm. All future package releases will also use the new algorithm.

You’ll need to do one of the following in order to use the new key:

  • If you installed the Percona repository package as described here, this package is automatically updated to a new package version (percona-release_0.1-4). This package currently contains both the old and new keys. This helps make the transition easier (until all packages are signed with the new key).
  • Install the new Percona repository package as described in the installation guide.
  • Manually download and add the key from either keys.gnupg.net or keyserver.ubuntu.com by running:
    apt-key adv --keyserver keys.gnupg.net --recv-keys 8507EFA5
    or
    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8507EFA5

It’s important that you add the new key before the next release. Otherwise you’ll see the following warning:

W: GPG error: http://repo.percona.com xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9334A25F8507EFA5
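
The two warnings above carry different identifiers: the weak-digest warning names the old key's full fingerprint and NO_PUBKEY names the new key's 64-bit ID, while the `apt-key` commands use only its last 8 hex digits. The following shell functions are an added example, not Percona's code: they classify both warnings and check a `gpg --with-colons` style listing for the exact long ID. The function names, the trimmed sample keyring and the look-alike ID `AAAAAAAA8507EFA5` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Percona's code. Sample data below is constructed.

# Emit one line per apt signature warning read from stdin:
#   weak-digest <40-hex fingerprint> <digest>  or  missing-key <16-hex key ID>
classify_apt_warnings() {
    sed -n \
        -e 's/^W: .*Signature by key \([0-9A-F]\{40\}\) uses weak digest algorithm (\([A-Za-z0-9-]*\)).*$/weak-digest \1 \2/p' \
        -e 's/^W: GPG error: .*NO_PUBKEY \([0-9A-F]\{16\}\).*$/missing-key \1/p'
}

# stdin: `gpg --with-colons` style listing; field 5 of a "pub" record is the
# 64-bit long key ID. Succeeds only on an exact match, compared as strings.
keyring_has_long_id() {
    awk -F: -v want="$1" '$1 == "pub" && ($5 "") == (want "") { ok = 1 } END { exit !ok }'
}

# Count keys whose long ID ends in the given 32-bit short ID; a result above
# 1 means the short ID is ambiguous in this keyring.
count_short_id_matches() {
    awk -F: -v s="$1" '$1 == "pub" && substr($5, length($5) - 7) == s { n++ }
                       END { print n + 0 }'
}

sample_apt_output() {   # constructed from the two warnings quoted in the post
    cat <<'EOF'
W: http://repo.percona.com/apt/dists/xenial/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)
W: GPG error: http://repo.percona.com xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9334A25F8507EFA5
EOF
}

sample_keyring() {      # constructed; only field 5 is filled, third ID is a made-up look-alike
    cat <<'EOF'
pub:-:::1C4CBDCDCD2EFD2A:::::::
pub:-:::9334A25F8507EFA5:::::::
pub:-:::AAAAAAAA8507EFA5:::::::
EOF
}

# For each key apt reports as missing, say whether the keyring holds that exact ID.
check_missing_keys() {
    sample_apt_output | classify_apt_warnings | while read -r kind id rest; do
        [ "$kind" = missing-key ] || continue
        if sample_keyring | keyring_has_long_id "$id"; then echo "$id present"; else echo "$id ABSENT"; fi
    done
}

check_missing_keys
```

On a real host, replace the sample functions with `apt-get update 2>&1` and the output of `apt-key adv --list-public-keys --with-colons`.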

Leave any questions about updating the signing key for Percona Debian and Ubuntu packages in the comments below.

14 Comments

  • I’ve applied your fix but I still receive this message:

    W: http://repo.percona.com/apt/dists/xenial/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)

  • I did the following and that warning is still there:

    openxs@ubuntu:~$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8507EFA5
    Executing: /tmp/tmp.LbE1B6GoGi/gpg.1.sh --keyserver
    keyserver.ubuntu.com
    --recv-keys
    8507EFA5
    gpg: requesting key 8507EFA5 from hkp server keyserver.ubuntu.com
    gpg: key 8507EFA5: "Percona MySQL Development Team (Packaging key) " not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    openxs@ubuntu:~$ sudo apt-get update
    Hit:1 http://repo.percona.com/apt xenial InRelease
    Hit:2 http://ua.archive.ubuntu.com/ubuntu xenial InRelease
    Hit:3 http://ua.archive.ubuntu.com/ubuntu xenial-updates InRelease
    Hit:4 http://ua.archive.ubuntu.com/ubuntu xenial-backports InRelease
    Get:5 http://security.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB]
    Fetched 94.5 kB in 2min 1s (779 B/s)
    Reading package lists... Done
    W: http://repo.percona.com/apt/dists/xenial/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)

    openxs@ubuntu:~$ dpkg -l | grep -i percona
    rc libperconaserverclient18.1 5.6.28-76.1-1.vivid i386 Percona Server database client library
    ii percona-release 0.1-4.xenial all Package to install Percona gpg key and APT repo
    ii percona-server-client-5.7 5.7.14-8-1.xenial i386 Percona Server database client binaries
    ii percona-server-common-5.7 5.7.14-8-1.xenial i386 Percona Server database common files (e.g. /etc/mysql/my.cnf)
    rc percona-server-server-5.6 5.6.28-76.1-1.vivid i386 Percona Server database server binaries
    ii percona-server-server-5.7 5.7.14-8-1.xenial i386 Percona Server database server binaries
    ii percona-toolkit 2.2.19-1 all Advanced MySQL and system command-line tools
    ii percona-xtrabackup-24 2.4.4-1.xenial i386 Open source backup tool for InnoDB and XtraDB
    rc percona-xtradb-cluster-garbd-3.x 3.14-1.vivid i386 Garbd components of Percona XtraDB Cluster
    rc percona-xtradb-cluster-server-5.6 5.6.27-25.13-1.vivid i386 Percona XtraDB Cluster database server binaries

  • same result here as everyone else, it’s like the keys aren’t provisioned yet?

    Also tried deleting the old one just to be sure
    > apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8507EFA5
    Executing: /tmp/tmp.ALRFpeBGEk/gpg.1.sh --keyserver
    keyserver.ubuntu.com
    --recv-keys
    8507EFA5
    gpg: requesting key 8507EFA5 from hkp server keyserver.ubuntu.com
    gpg: key 8507EFA5: "Percona MySQL Development Team (Packaging key) " not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    (root@ams-app2)-(~)
    > apt-key del 8507EFA5
    OK
    (root@ams-app2)-(~)
    > apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8507EFA5
    Executing: /tmp/tmp.IaVF3VMKNb/gpg.1.sh --keyserver
    keyserver.ubuntu.com
    --recv-keys
    8507EFA5
    gpg: requesting key 8507EFA5 from hkp server keyserver.ubuntu.com
    gpg: key 8507EFA5: public key "Percona MySQL Development Team (Packaging key) " imported
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)


    Fetched 190 kB in 5s (32.7 kB/s)
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    All packages are up to date.
    W: http://repo.percona.com/apt/dists/xenial/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)

  • Packages will be signed out with the new key as they come out. We have a planned release for Percona Server 5.6 tomorrow so you shouldn’t see this warning anymore once PS-5.6 is out.

  • You have the following download available:

    * https://www.percona.com/downloads/RPM-GPG-KEY-percona

    Could you make the 8507EFA5 key available for download via curl/wget as well?

  • RPM key is still the same one, only debian/ubuntu key has been upgraded. RPM repo will be updated on April 1st 2017 (once CentOS 5 gets decommissioned).

    • Sorry, I wasn’t clear: I meant is it possible to have a download link for the Deb/Ub key like you already do with the RPM key?

      • Ubuntu and Debian keys are now available for download as well:

        New key: https://percona.com/downloads/deb-percona-keyring.gpg
        Old key: https://percona.com/downloads/deb-percona-keyring-old.gpg

        Thank you for your suggestion!

  • I’m running Ubuntu 14.04 and I needed to run the following command for the key to update.

    apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8507EFA5

  • It would be helpful to have some kind of permanent statement on your website about the signing keys that are in use currently and the best way to obtain them. Having to search for ‘gpg key’ to dig up this blog post is … inconvenient.

    What I was looking for was a link on the downloads page, to e.g. /downloads/signing-keys. You could list the keys that are currently valid, and any that are now obsolete. Also, while it is fine to point people to keyservers, I really don’t see the harm in hosting a copy of all those keys on your site as well. Lastly, if you do take the time to make such a page, please quote the long key signature (i.e. 9334A25F8507EFA5), some short ones have been spoofed.
