
New percona-release package improperly signed?


  • New percona-release package improperly signed?

    I've got the percona-release RPM installed, which configures the YUM repository (https://www.percona.com/doc/percona-...um_repo.html):

    # rpm -qi percona-release
    Name : percona-release Relocations: (not relocatable)
    Version : 0.1 Vendor: (none)
    Release : 3 Build Date: Mon 22 Sep 2014 04:09:02 AM EDT
    Install Date: Thu 10 Jan 2019 09:52:07 AM EST Build Host: vps-centos5-x64-03.ci.percona.com
    Group : System Environment/Base Source RPM: percona-release-0.1-3.src.rpm
    Size : 5921 License: GPL-3.0+
    Signature : DSA/SHA1, Mon 22 Sep 2014 04:09:07 AM EDT, Key ID 1c4cbdcdcd2efd2a
    Summary : Package to install Percona GPG key and YUM repo
    Description :
    percona-release package contains Percona GPG public key and Percona repository configuration for YUM


    Today I noticed there's an upgrade, but when I try to install it, it complains that the package was signed by an untrusted key. I downloaded the RPM file and checked its key:

    # rpm -qip /tmp/percona-release-1.0-3.noarch.rpm
    warning: /tmp/percona-release-1.0-3.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 8507efa5: NOKEY
    Name : percona-release Relocations: (not relocatable)
    Version : 1.0 Vendor: (none)
    Release : 3 Build Date: Mon 24 Dec 2018 02:54:31 AM EST
    Install Date: (not installed) Build Host: minimal-centos-7-x64-1316.ci.percona.com
    Group : System Environment/Base Source RPM: percona-release-1.0-3.src.rpm
    Size : 18261 License: GPL-3.0+
    Signature : RSA/8, Mon 24 Dec 2018 02:54:33 AM EST, Key ID 9334a25f8507efa5
    Summary : Package to install Percona GPG key and YUM repo
    Description :
    percona-release package contains Percona GPG public keys and Percona repository configuration for YUM

    Sure enough, it doesn't match. Is this percona-release-1.0.3 package legitimate? Why the different signing key?

    Thanks

    Norman
    Last edited by normelton; 01-10-2019, 11:29 AM.

  • #2
    A little more googling indicates this key is legit, explained here: https://www.percona.com/blog/2016/10...buntu-packages.

    But I'm still not sure why this is appearing in the yum repository's rpm files. The percona-release-1.0-1, released on Dec 20th, seems to have been signed by 8507efa5. The 1.0-2 package, released on Dec 24th, was signed by 8507efa5.

    Any idea why?

    Thanks!

    Norman



  • #3
    You can fetch that package via HTTPS, which gives some credibility - https://repo.percona.com/yum/percona...0-3.noarch.rpm
    It's been a problem here too, and for some of our customers.



  • #4
    Okay, I installed 1.0-1, then upgraded to 1.0.3. Seems that 1.0-1 is the "lily pad" version you need to move forward. That worked.

    Thanks

    Norman
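A check that settles the question this thread raises, added here as an example and not part of any post: rpm's NOKEY only says the signing key is not imported locally, so the script below extracts the key ID from `rpm -qi` / `rpm -qip` output and compares it against an allowlist of key IDs the operator took from the vendor's published key documentation. The two trusted IDs and the first two sample Signature lines are the ones quoted in the thread; the `0123456789abcdef` key ID is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether an RPM was signed by a key the
# operator already trusts, independently of the local rpmdb. rpm's "NOKEY" only means
# the key is not imported locally; this compares the signing key ID against the IDs
# the vendor publishes, which is what answers "is this package legitimate?".

# Long key IDs quoted in the thread's rpm output. An operator would copy these from
# the vendor's key documentation, never from the package being checked.
TRUSTED_KEY_IDS="1c4cbdcdcd2efd2a 9334a25f8507efa5"

# Read rpm -qi / rpm -qip output on stdin and print the lower-cased key ID from its
# "Signature :" line; prints nothing for an unsigned package ("Signature : (none)").
signing_key_id() {
  sed -n 's/^[[:space:]]*Signature[[:space:]]*:.*Key ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' |
    head -n 1 | tr 'A-F' 'a-f'
}

# Succeed if $1 (8 or 16 hex digits) names a trusted key. rpm's warnings print only
# the low 32 bits (e.g. 8507efa5), so a short ID is accepted when it is the suffix of
# a trusted long ID; anything shorter than 8 digits is rejected outright.
key_is_trusted() {
  kid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  [ ${#kid} -ge 8 ] || return 1
  for trusted in $TRUSTED_KEY_IDS; do
    case "$trusted" in *"$kid") return 0 ;; esac
  done
  return 1
}

# Verdict for one rpm -qi / rpm -qip capture on stdin:
#   "trusted <id>" (exit 0), "untrusted <id>" (exit 1) or "unsigned" (exit 2).
verdict_for_rpm_info() {
  sig_id=$(signing_key_id)
  [ -n "$sig_id" ] || { echo unsigned; return 2; }
  if key_is_trusted "$sig_id"; then echo "trusted $sig_id"; return 0; fi
  echo "untrusted $sig_id"; return 1
}

# Sample "Signature :" lines: the first two are quoted from the thread, the third is a
# constructed line with a made-up key ID, the fourth is what rpm prints when unsigned.
OLD_PKG_INFO='Signature : DSA/SHA1, Mon 22 Sep 2014 04:09:07 AM EDT, Key ID 1c4cbdcdcd2efd2a'
NEW_PKG_INFO='Signature : RSA/8, Mon 24 Dec 2018 02:54:33 AM EST, Key ID 9334a25f8507efa5'
ROGUE_PKG_INFO='Signature : RSA/SHA256, Tue 01 Jan 2019 12:00:00 AM EST, Key ID 0123456789abcdef'
UNSIGNED_PKG_INFO='Signature : (none)'

# Demo over the samples; on a real host feed it: rpm -qip /path/to/package.rpm
for info in "$OLD_PKG_INFO" "$NEW_PKG_INFO" "$ROGUE_PKG_INFO" "$UNSIGNED_PKG_INFO"; do
  printf '%s\n' "$info" | verdict_for_rpm_info || true
done
```

A package that comes back "untrusted" should be held until the new key's fingerprint has been confirmed against the vendor's documentation, as the poster did with the blog post linked in #2.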
