New Percona Package Signing Key Requires Update on RHEL and CentOS

On December 20th, 2018 we began to sign our packages with a new signing key. Our percona-release package contains both the latest and older package signing keys. However, older versions of the percona-release rpm package do not contain our latest key. Users who have an older percona-release package installed and have not updated it may see an error message when trying to install our newer packages.

Red Hat Enterprise Linux (RHEL) and CentOS users may see an error similar to the following:

Thankfully, the solution to this problem is simple. You will need to update your percona-release package before installing packages that are signed with the latest signing key:

Ubuntu and Debian systems will not encounter this error, as package signing and key verification work differently on those systems.


Comments (3)

  • Hrvoje

    Just a comment: I think I actually got that error even when I tried updating percona-release… What worked for me in the end was:
    yum remove percona-release
    yum install percona-release

    February 5, 2019 at 3:38 pm
  • William Volkman

    Broken for me also, upgrading does not give a working configuration. The defaults do not work.
    The GPG keys listed for the “Percona-Release YUM repository – x86_64” repository are already installed but they are not correct for this package.
    sudo("yum install -y")
    sudo("yum update -y percona-release") #FIXME: They broke it – do not try this
    sudo('percona-release setup ps56') #NOTE: They do not support Amazon AMI (or ps56) so cannot do this

    February 15, 2019 at 9:09 pm
  • Scott

    Found a remaining issue with this while trying to do reposync on CentOS 7. Packages install with yum OK, but reposync with --gpgcheck tosses the files after download when building a local repository. The key in /etc/pki/rpm-gpg is correct, but rpm -Kv on any of the packages released after the new key issuance does not pass with a key ID 8507efa5: NOKEY failure. So yum knows about the new key, but RPM itself does not. The fix was to force the keys into RPM with a sudo rpm --import /etc/pki/rpm-gpg/PERCONA-PACKAGING-KEY and then rpm -Kv tests work, as does a reposync with --gpgcheck.

    March 17, 2020 at 3:49 pm
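
The situation described in the last comment, where yum accepts the key but the RPM database lacks it, can be checked across a whole download directory before a reposync with --gpgcheck discards the files. This is an added example, not part of the original post, its comments or Percona's tooling: it summarises `rpm -Kv` output by missing key ID. The sample output, the package names and the key ID 0badc0de are constructed; 8507efa5 is the ID quoted in the comment.

```shell
#!/bin/sh
# Added example: find signing keys that RPM itself does not know about.

# Summarise `rpm -Kv` output on stdin: one "<keyid> <package count>" line per
# signing key reported as NOKEY, i.e. not imported into the RPM database.
nokey_summary() {
    awk '
        /^[^ ].*:$/ { pkg = $0; next }            # unindented "file.rpm:" header
        /key ID [0-9A-Fa-f]+: NOKEY/ {
            id = tolower($0); sub(/.*key id /, "", id); sub(/:.*/, "", id)
            if (!seen[id SUBSEP pkg]++) count[id]++   # header+payload count once
        }
        END { for (id in count) print id, count[id] }
    ' | sort
}

# List the short key IDs in the RPM database from `rpm -q gpg-pubkey` output
# on stdin; imported keys appear as gpg-pubkey-<keyid>-<creation time>.
imported_ids() {
    sed -n 's/^gpg-pubkey-\([0-9a-f]\{8\}\)-[0-9a-f]\{8\}.*/\1/p' | sort -u
}

# Constructed sample of `rpm -Kv` output; package names and 0badc0de are made up.
SAMPLE_KV='example-server-1.0-1.el7.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 8507efa5: NOKEY
    V4 RSA/SHA256 Signature, key ID 8507efa5: NOKEY
example-client-1.0-1.el7.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 8507efa5: NOKEY
    V4 RSA/SHA256 Signature, key ID 8507efa5: NOKEY
example-tools-0.9-1.el7.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0badc0de: OK
    V4 RSA/SHA256 Signature, key ID 0badc0de: OK'

if [ "$#" -gt 0 ]; then
    # Real use: pass the directory that holds the downloaded packages.
    echo "NOKEY key IDs and affected package counts:"
    rpm -Kv "$1"/*.rpm 2>&1 | nokey_summary
    echo "Key IDs in the RPM database:"
    rpm -q gpg-pubkey | imported_ids
else
    printf '%s\n' "$SAMPLE_KV" | nokey_summary    # prints: 8507efa5 2
fi
```

Any key ID it lists is one that yum may already trust from /etc/pki/rpm-gpg but that still has to be added to the RPM database with `rpm --import`, as in the comment above.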
