
YUM repository not signed with Percona's key (key change?)


  • YUM repository not signed with Percona's key (key change?)

    I'm seeing trouble in our CI system when we test that it's possible to install the latest percona-toolkit package using YUM.

    Code:
    Dependencies Resolved
    
    ========================================================================================================================
     Package                      Arch                Version                     Repository                           Size
    ========================================================================================================================
    Installing:
     percona-toolkit              x86_64              3.0.13-1.el7                percona-release-x86_64              7.4 M
    Installing for dependencies:
     perl-DBD-MySQL               x86_64              4.023-6.el7                 base                                140 k
     perl-DBI                     x86_64              1.627-4.el7                 base                                802 k
     perl-Net-Daemon              noarch              0.48-5.el7                  base                                 51 k
     perl-PlRPC                   noarch              0.2020-14.el7               base                                 36 k
    
    Transaction Summary
    ========================================================================================================================
    Install  1 Package (+4 Dependent packages)
    
    Total download size: 8.4 M
    Installed size: 9.8 M
    Is this ok [y/d/N]: y
    Downloading packages:
    (1/5): perl-DBD-MySQL-4.023-6.el7.x86_64.rpm                                                     | 140 kB  00:00:00    
    (2/5): perl-Net-Daemon-0.48-5.el7.noarch.rpm                                                     |  51 kB  00:00:00    
    (3/5): perl-PlRPC-0.2020-14.el7.noarch.rpm                                                       |  36 kB  00:00:00    
    (4/5): perl-DBI-1.627-4.el7.x86_64.rpm                                                           | 802 kB  00:00:00    
    warning: /var/cache/yum/x86_64/7/percona-release-x86_64/packages/percona-toolkit-3.0.13-1.el7.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8507efa5: NOKEY
    Public key for percona-toolkit-3.0.13-1.el7.x86_64.rpm is not installed
    (5/5): percona-toolkit-3.0.13-1.el7.x86_64.rpm                                                   | 7.4 MB  00:00:07    
    ------------------------------------------------------------------------------------------------------------------------
    Total                                                                                   1.2 MB/s | 8.4 MB  00:00:07    
    Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Percona
    
    
    The GPG keys listed for the "Percona-Release YUM repository - x86_64" repository are already installed but they are not correct for this package.
    Check that the correct key URLs are configured for this repository.
    
    
     Failing package is: percona-toolkit-3.0.13-1.el7.x86_64
     GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Percona

    According to what I'm seeing here, the signature on the Percona-Release YUM repository doesn't match the key that signed percona-toolkit. I tried using the PGP key from https://www.percona.com/downloads/RPM-GPG-KEY-percona to validate the package instead, and that doesn't work either.

    Where can I find a trustworthy source for the PGP key that Percona is signing packages with?

    Tim
    Last edited by tim-scalefactory; 01-10-2019, 12:21 PM.

  • #2
    Hello Tim, I think there was a temporary glitch with this update. Could you check again for me please?



    • #3
      There are PGP keys inside https://repo.percona.com/yum/percona...0-3.noarch.rpm

      If we extract these keys and validate against those, we can make the tests pass. I'd hoped there'd be a different way to verify that these are the genuine public keys for Percona.
      Am I right to guess that fetching https://repo.percona.com/yum/percona...0-3.noarch.rpm via HTTPS is the official way to verify those keys?

      Tim



      • #4
        To get the Percona keys you have to use the percona-release package. There's a report here about the issue, and we believe it to be fixed: https://jira.percona.com/browse/PT-1685

        If you need more info though I can ask one of the engineers to check in with you. I _think_ that you/your company might have found a similar issue with/for us a few months back so it might be that I am misunderstanding what you're seeing. So please do shout out if you still need more info?


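A CI check for the failure discussed in this thread, added here as an example (not code from the thread or from Percona): it pulls the signing key ID out of yum's NOKEY warning and reports any ID that is missing from the RPM key list. The function names are hypothetical, and the `gpg-pubkey` entries are constructed sample data standing in for the output of `rpm -q gpg-pubkey`.

```shell
#!/bin/sh
# Added example. The yum warning is the line quoted in the thread; the
# gpg-pubkey entries below are constructed sample data.
YUM_LOG='warning: /var/cache/yum/x86_64/7/percona-release-x86_64/packages/percona-toolkit-3.0.13-1.el7.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8507efa5: NOKEY'
RPM_KEYS_BEFORE='gpg-pubkey-0000aaaa-5a000000'   # constructed
RPM_KEYS_AFTER='gpg-pubkey-0000aaaa-5a000000
gpg-pubkey-8507efa5-5c000000'                    # constructed creation time

# Read yum/rpm output on stdin; print the key IDs flagged as NOKEY.
nokey_ids() {
  sed -n 's/.*[Kk]ey ID \([0-9A-Fa-f]\{8,16\}\): NOKEY.*/\1/p' \
    | tr 'A-F' 'a-f' | sort -u
}

# Read `rpm -q gpg-pubkey` output on stdin; print the imported key IDs.
# rpm names each imported key gpg-pubkey-<short key id>-<creation time>.
installed_ids() {
  sed -n 's/^gpg-pubkey-\([0-9a-f]\{8\}\)-[0-9a-f]\{8\}.*/\1/p' | sort -u
}

# $1 = yum log text, $2 = rpm key list text.
# Prints every signing key ID that is not imported; returns 1 if any.
missing_keys() {
  have=$(printf '%s\n' "$2" | installed_ids)
  rc=0
  for id in $(printf '%s\n' "$1" | nokey_ids); do
    # The package name carries only the last 8 hex digits of the key ID.
    short=$(printf '%s\n' "$id" | sed 's/.*\(........\)$/\1/')
    if ! printf '%s\n' "$have" | grep -qx "$short"; then
      echo "$id"
      rc=1
    fi
  done
  return $rc
}

# Demo on the sample data: reports 8507efa5 as not imported.
missing_keys "$YUM_LOG" "$RPM_KEYS_BEFORE" \
  || echo "signing key(s) above are not in the RPM key list"
```

On a real host, pass the captured yum output as the first argument and `"$(rpm -q gpg-pubkey)"` as the second. The check only tells you which key ID the package expects; whether that key is genuine still has to be established out of band.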