New Percona Package Signing Key Requires Update on RHEL and CentOS


On December 20th, 2018 we began to sign our packages with a new signing key. Our percona-release package contains both the latest and older package signing keys. However, older versions of the percona-release rpm package do not contain our latest key. Users who have an older percona-release package installed and have not updated it may see an error message when trying to install our newer packages.

Red Hat Enterprise Linux (RHEL) and CentOS users may see an error similar to the following:

The GPG keys listed for the "Percona-Release YUM repository - x86_64" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Thankfully, the solution to this problem is simple. You will need to update your percona-release package before installing packages that are signed with the latest signing key:

$ sudo yum update percona-release

Ubuntu and Debian systems will not encounter this error, as package signing and key verification work differently on those systems.



Update the Signing Key for Percona Debian and Ubuntu Packages


In this blog post, we’ll explain how to update the signing key for Percona Debian and Ubuntu packages.

Some users might have already noticed the following warning on Ubuntu 16.04 (Xenial Xerus):

W: http://repo.percona.com/apt/dists/xenial/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)

when running apt-get update.

Percona .deb packages are signed with a key that uses a digest algorithm (SHA-1) now considered weak. Starting with the next release, Debian and Ubuntu packages are signed with a new key that uses the much stronger SHA-512 algorithm. All future package releases will also use the new algorithm.

You’ll need to do one of the following in order to use the new key:

  • If you installed the Percona repository package as described here, this package is automatically updated to a new package version (percona-release_0.1-4). This package currently contains both the old and new keys. This helps make the transition easier (until all packages are signed with the new key).
  • Install the new Percona repository package as described in the installation guide.
  • Manually download and add the key from either keys.gnupg.net or keyserver.ubuntu.com by running:
    apt-key adv --keyserver keys.gnupg.net --recv-keys 8507EFA5
    or
    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8507EFA5

It’s important that you add the new key before the next release. Otherwise you’ll see the following warning:

W: GPG error: http://repo.percona.com xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9334A25F8507EFA5
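
The following is an added example, not part of the original post or Percona's tooling: a shell script that pulls the key IDs out of the two apt warnings quoted in this post and checks them against a keyring listing. The function names, SAMPLE_LOG and SAMPLE_KEYRING are constructed for illustration, and the keyring listing is assumed to be in gpg's `--with-colons` format.

```shell
#!/usr/bin/env bash
# Added example: triage apt signature warnings and confirm which key is needed.
# SAMPLE_LOG is constructed from the two warnings quoted in this post.
SAMPLE_LOG="W: http://repo.percona.com/apt/dists/xenial/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)
W: GPG error: http://repo.percona.com xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9334A25F8507EFA5"
# Constructed colon-format keyring line; only field 5 (key ID) is from the post.
SAMPLE_KEYRING="pub:-:4096:1:9334A25F8507EFA5:0:::-:::scESC:"

# Long key IDs apt reports as missing (NO_PUBKEY), one per line, read from stdin.
missing_keys() {
  grep -oE 'NO_PUBKEY [0-9A-F]{16}' | awk '{print $2}' | sort -u
}

# Fingerprints of keys whose signatures still use a weak digest, from stdin.
weak_digest_keys() {
  grep -oE 'Signature by key [0-9A-F]{40} uses weak digest' | awk '{print $4}' | sort -u
}

# Long key IDs of public keys in a gpg --with-colons listing, from stdin.
keyring_long_ids() {
  awk -F: '$1 == "pub" { print $5 }'
}

# Succeeds when key ID $2 (short or long) is the tail of ID or fingerprint $1.
id_is_suffix() {
  local full short
  full=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  short=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  case "$full" in *"$short") return 0 ;; *) return 1 ;; esac
}

# Print each NO_PUBKEY ID in log text $1 that is absent from keyring listing $2.
still_missing() {
  local want have found
  for want in $(printf '%s\n' "$1" | missing_keys); do
    found=no
    for have in $(printf '%s\n' "$2" | keyring_long_ids); do
      if [ "$have" = "$want" ]; then found=yes; fi
    done
    if [ "$found" = no ]; then printf '%s\n' "$want"; fi
  done
}

echo "missing:     $(printf '%s\n' "$SAMPLE_LOG" | missing_keys)"
echo "weak digest: $(printf '%s\n' "$SAMPLE_LOG" | weak_digest_keys)"
echo "unresolved:  $(still_missing "$SAMPLE_LOG" "$SAMPLE_KEYRING")"
```

The 8507EFA5 passed to --recv-keys is only the last eight hex digits of the long ID 9334A25F8507EFA5 shown in the NO_PUBKEY warning, which is what id_is_suffix checks. Comparing the full long ID after import, as still_missing does, confirms that the key apt is asking for is the one that landed in the keyring.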

Leave any questions about updating the signing key for Percona Debian and Ubuntu packages in the comments below.
