In this blog post, we’ll explain how to update the signing key for Percona Debian and Ubuntu packages.
Some users might have already noticed the following warning on Ubuntu 16.04 (Xenial Xerus) when running apt-get update:
W: http://repo.percona.com/apt/dists/xenial/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)
Percona .deb packages are signed with a key that uses an algorithm now considered weak. Starting with the next release, Debian and Ubuntu packages are signed with a new key that uses the much stronger SHA-512 algorithm. All future package releases will also be signed with the new algorithm.
You’ll need to do one of the following in order to use the new key:
- If you installed the Percona repository package as described here, this package is automatically updated to a new package version (percona-release_0.1-4). This package currently contains both the old and new keys, which makes the transition easier (until all packages are signed with the new key).
- Install the new Percona repository package as described in the installation guide.
- Manually download and add the key from either keys.gnupg.net or keyserver.ubuntu.com by running:
apt-key adv --keyserver keys.gnupg.net --recv-keys 8507EFA5
or
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8507EFA5
It’s important that you add the new key before the next release. Otherwise, you’ll see the following warning:
W: GPG error: http://repo.percona.com xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9334A25F8507EFA5
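Once the key is imported, it is worth confirming which key apt actually trusts by its full 40-hex-digit fingerprint rather than by the 8-digit short id passed to apt-key, since short ids are not unique. The script below is an added example, not part of the original post or Percona's tooling: it parses gpg colon-format key listings (which `apt-key adv --list-keys --with-colons --fingerprint` produces on a real host) and checks for the new key's full fingerprint, which is taken from a reader comment on this post; the keyring listings it runs against are constructed samples, including a hypothetical second key whose fingerprint merely ends in the same short id.

```shell
#!/bin/sh
# Full fingerprint of the new Percona Debian/Ubuntu packaging key (as posted in the comments).
EXPECTED_FPR="4D1BB29D63D98E422B2113B19334A25F8507EFA5"

# Constructed sample of `gpg --with-colons --fingerprint` output, not a real keyring:
# the old key (from the SHA1 warning), the new key, and a hypothetical key whose
# fingerprint ends in the same short id 8507EFA5 but is otherwise different.
SAMPLE_KEYRING='pub:-:4096:1:1C4CBDCDCD2EFD2A:0:::-:::scESC::::::23::0:
fpr:::::::::430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A:
uid:-::::0::0::Percona MySQL Development Team (old packaging key, placeholder uid)::::::::::0:
pub:-:4096:1:9334A25F8507EFA5:0:::-:::scESC::::::23::0:
fpr:::::::::4D1BB29D63D98E422B2113B19334A25F8507EFA5:
uid:-::::0::0::Percona MySQL Development Team (Packaging key) <placeholder@example.org>::::::::::0:
pub:-:2048:1:89ABCDEF8507EFA5:0:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF8507EFA5:
uid:-::::0::0::Constructed key sharing only the short id 8507EFA5::::::::::0:'

# A host that still has only the old key installed (constructed).
SAMPLE_OLD_ONLY='pub:-:4096:1:1C4CBDCDCD2EFD2A:0:::-:::scESC::::::23::0:
fpr:::::::::430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A:'

# Print one fingerprint per line: field 10 of every "fpr" record.
key_fingerprints() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10 }'
}

# Exit 0 only if the expected full fingerprint is among the listed keys.
verify_key_fingerprint() {
    key_fingerprints "$1" | grep -qx "$2"
}

# Count how many listed keys end in a given short id; more than one match
# is exactly the ambiguity the commenters warn about.
count_short_id_matches() {
    key_fingerprints "$1" | grep -c "${2}\$"
}

if verify_key_fingerprint "$SAMPLE_KEYRING" "$EXPECTED_FPR"; then
    echo "new Percona key present: $EXPECTED_FPR"
else
    echo "new Percona key missing; apt would report NO_PUBKEY 9334A25F8507EFA5"
fi
echo "keys matching short id 8507EFA5: $(count_short_id_matches "$SAMPLE_KEYRING" 8507EFA5)"
```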
Leave any questions about updating the signing key for Percona Debian and Ubuntu packages in the comments below.
Comments (16)
I’ve applied your fix but I still receive this message:
W: http://repo.percona.com/apt/dists/xenial/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)
I did the following and that warning is still there:
openxs@ubuntu:~$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8507EFA5
Executing: /tmp/tmp.LbE1B6GoGi/gpg.1.sh --keyserver
keyserver.ubuntu.com
--recv-keys
8507EFA5
gpg: requesting key 8507EFA5 from hkp server keyserver.ubuntu.com
gpg: key 8507EFA5: "Percona MySQL Development Team (Packaging key) " not changed
gpg: Total number processed: 1
gpg: unchanged: 1
openxs@ubuntu:~$ sudo apt-get update
Hit:1 http://repo.percona.com/apt xenial InRelease
Hit:2 http://ua.archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://ua.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:4 http://ua.archive.ubuntu.com/ubuntu xenial-backports InRelease
Get:5 http://security.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB]
Fetched 94.5 kB in 2min 1s (779 B/s)
Reading package lists... Done
W: http://repo.percona.com/apt/dists/xenial/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)
openxs@ubuntu:~$ dpkg -l | grep -i percona
rc libperconaserverclient18.1 5.6.28-76.1-1.vivid i386 Percona Server database client library
ii percona-release 0.1-4.xenial all Package to install Percona gpg key and APT repo
ii percona-server-client-5.7 5.7.14-8-1.xenial i386 Percona Server database client binaries
ii percona-server-common-5.7 5.7.14-8-1.xenial i386 Percona Server database common files (e.g. /etc/mysql/my.cnf)
rc percona-server-server-5.6 5.6.28-76.1-1.vivid i386 Percona Server database server binaries
ii percona-server-server-5.7 5.7.14-8-1.xenial i386 Percona Server database server binaries
ii percona-toolkit 2.2.19-1 all Advanced MySQL and system command-line tools
ii percona-xtrabackup-24 2.4.4-1.xenial i386 Open source backup tool for InnoDB and XtraDB
rc percona-xtradb-cluster-garbd-3.x 3.14-1.vivid i386 Garbd components of Percona XtraDB Cluster
rc percona-xtradb-cluster-server-5.6 5.6.27-25.13-1.vivid i386 Percona XtraDB Cluster database server binaries
Same result here as everyone else; it's like the keys aren't provisioned yet?
Also tried deleting the old one just to be sure:
> apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8507EFA5
Executing: /tmp/tmp.ALRFpeBGEk/gpg.1.sh --keyserver
keyserver.ubuntu.com
--recv-keys
8507EFA5
gpg: requesting key 8507EFA5 from hkp server keyserver.ubuntu.com
gpg: key 8507EFA5: "Percona MySQL Development Team (Packaging key) " not changed
gpg: Total number processed: 1
gpg: unchanged: 1
(root@ams-app2)-(~)
> apt-key del 8507EFA5
OK
(root@ams-app2)-(~)
> apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8507EFA5
Executing: /tmp/tmp.IaVF3VMKNb/gpg.1.sh --keyserver
keyserver.ubuntu.com
--recv-keys
8507EFA5
gpg: requesting key 8507EFA5 from hkp server keyserver.ubuntu.com
gpg: key 8507EFA5: public key "Percona MySQL Development Team (Packaging key) " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
...
Fetched 190 kB in 5s (32.7 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: http://repo.percona.com/apt/dists/xenial/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)
Packages will be signed with the new key as they come out. We have a planned release for Percona Server 5.6 tomorrow, so you shouldn't see this warning anymore once PS-5.6 is out.
I do not get the warning today, just checked.
You have the following download available:
* https://www.percona.com/downloads/RPM-GPG-KEY-percona
Could you make the 8507EFA5 key available for download via curl/wget as well?
This might help you out: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9334A25F8507EFA5
Another method:
curl --silent "http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&options=mr&search=0x8507EFA5"
This should return a text version of the key.
RPM key is still the same one, only debian/ubuntu key has been upgraded. RPM repo will be updated on April 1st 2017 (once CentOS 5 gets decommissioned).
Sorry, I wasn’t clear: I meant is it possible to have a download link for the Deb/Ub key like you already do with the RPM key?
Ubuntu and Debian keys are now available for download as well:
New key: https://percona.com/downloads/deb-percona-keyring.gpg
Old key: https://percona.com/downloads/deb-percona-keyring-old.gpg
Thank you for your suggestion!
Awesome!
I’m running Ubuntu 14.04 and I needed to run the following command for the key to update.
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8507EFA5
It would be helpful to have some kind of permanent statement on your website about the signing keys that are in use currently and the best way to obtain them. Having to search for ‘gpg key’ to dig up this blog post is … inconvenient.
What I was looking for was a link on the downloads page, to e.g. /downloads/signing-keys. You could list the keys that are currently valid, and any that are now obsolete. Also, while it is fine to point people to keyservers, I really don't see the harm in hosting a copy of all those keys on your site as well. Lastly, if you do take the time to make such a page, please quote the long key signature (i.e. 9334A25F8507EFA5); some short ones have been spoofed.
It would be nice if you could post the full 40-bit signature of the new key. More and more tools no longer accept the short sig format, due to possible collisions.
Using Ubuntu 18.04 and the Percona Repository, this is the public key I am using:
4D1BB29D63D98E422B2113B19334A25F8507EFA5
I needed that for working with Puppet.
https://www.teamjuchems.com/2018/08/percona-apt-repo-with-key-ubuntu/