On December 20th, 2018 we began to sign our packages with a new encryption key. Our percona-release package contains both the latest and older package signing keys. However, older versions of the percona-release rpm package do not contain our latest key. Users with older percona-release packages installed, that have not been updated, may see an error message when trying to install our newer packages.
Redhat Enterprise Linux (RHEL) and CentOS users may see an error similar to the following:
|
1 2 |
The GPG keys listed for the "Percona-Release YUM repository - x86_64" repository are already installed but they are not correct for this package. Check that the correct key URLs are configured for this repository. |
Thankfully, the solution to this problem is simple. You will need to update your percona-release package before installing packages that are signed with the latest encryption key:
|
1 |
$ sudo yum update percona-release |
Ubuntu and Debian systems will not encounter this error as package signing and key verification works differently on those systems.
—
Photo by Markus Spiske on Unsplash
About the Author
David BennettDavid is a Director of Server Engineering at Percona in charge of the Percona XtraDB Cluster, Percona XtraBackup, and Build/Release teams. He joined Percona in 2014. With over 20 years experience in software development, he brings an abundance of skills and knowledge to the Percona QA team. David is well versed in MySQL, MongoDB, PostgreSQL, Linux, Perl, C/C++ and other open source technologies.
Just a comment I think I actually got that error even when I tried updating percona-release… what worked for me in the end was
yum remove percona-release
yum install percona-release
Broken for me also, upgrading does not give a working configuration. The defaults do not work.
The GPG keys listed for the “Percona-Release YUM repository – x86_64” repository are already installed but they are not correct for this package.
sudo(“yum install -y http://www.percona.com/downloads/percona-release/redhat/0.1-6/percona-release-0.1-6.noarch.rpm“)
sudo(“yum update -y percona-release”) #FIXME: They broke it – do not try this
sudo(‘percona-release setup ps56’) #NOTE: They do not support Amazon AMI (or ps56) so cannot do this
Found a remaining issue with this while trying to do reposync on CentOS 7. Packages install with yum OK, but reposync with –gpgcheck tosses the files after download when building a local repository. The key in /etc/pki/rpm-gpg is correct, but rpm -Kv on any of the packages released after the new key issuance does not pass with a key ID 8507efa5: NOKEY failure. So yum knows about the new key, but RPM itself does not. The fix was to force the keys into RPM with a sudo rpm –import /etc/pki/rpm-gpg/PERCONA-PACKAGING-KEY and then rpm -Kv tests work, as does a reposync with –gpgcheck.