Bug #105632 Apt GPG Key (Debian Ubuntu) is expiring in 60 days (2022-02-16)
Submitted: 19 Nov 2021 0:24
Modified: 11 Jan 2022 19:14
Reporter: Randy Fay
Status: Closed
Category: MySQL Server: Packaging
Severity: S2 (Serious)
Version: All, 8.0, 5.7
OS: Debian (All)
Assigned to:
CPU Architecture: Any

[19 Nov 2021 0:24] Randy Fay
Description:
The apt gpg key [published and used by mysql](https://dev.mysql.com/doc/refman/8.0/en/checking-gpg-signature.html) is expiring on 2022-02-16 (less than 90 days).

This affects all the mysql images, but also the mysql packages in general. I know that it needs to be fixed by Oracle, but don't know how to report to them. The key in the docker images will need to be updated as well.

`docker run -it --rm  --entrypoint=bash mysql:5.6 apt-key list` will show the keys in the 5.6 image. 

There you see the mysql gpg key expiring 2022-02-16
```
/etc/apt/trusted.gpg.d/mysql.gpg
--------------------------------
pub   dsa1024 2003-02-03 [SCA] [expires: 2022-02-16]
      A4A9 4068 76FC BD3C 4567  70C8 8C71 8D3B 5072 E1F5
uid           [ unknown] MySQL Release Engineering <mysql-build@oss.oracle.com>
```

Please get the powers that be to update this key soon! It's already quite late for the world at large.

How to repeat:
`docker run -it --rm  --entrypoint=bash mysql:5.6 apt-key list` will show the keys in the 5.6 image. 

There you see the mysql gpg key expiring 2022-02-16
```
/etc/apt/trusted.gpg.d/mysql.gpg
--------------------------------
pub   dsa1024 2003-02-03 [SCA] [expires: 2022-02-16]
      A4A9 4068 76FC BD3C 4567  70C8 8C71 8D3B 5072 E1F5
uid           [ unknown] MySQL Release Engineering <mysql-build@oss.oracle.com>
```

Suggested fix:
Update the key.
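
The check described in the report above can be automated. The following is an added example, not part of the original report and not MySQL or Debian tooling: it parses the human-readable `apt-key list` layout quoted above and flags keys that expire within a warning window. The function names, the 90-day default and the second sample key are assumptions made for this example.

```python
import re
from datetime import date

# First entry: the listing quoted in the report. Second entry: constructed
# for this example (a key with no expiry date).
SAMPLE = """\
/etc/apt/trusted.gpg.d/mysql.gpg
--------------------------------
pub   dsa1024 2003-02-03 [SCA] [expires: 2022-02-16]
      A4A9 4068 76FC BD3C 4567  70C8 8C71 8D3B 5072 E1F5
uid           [ unknown] MySQL Release Engineering <mysql-build@oss.oracle.com>

/etc/apt/trusted.gpg.d/example.gpg
----------------------------------
pub   rsa4096 2020-01-01 [SC]
      0000 1111 2222 3333 4444  5555 6666 7777 8888 9999
uid           [ unknown] Constructed Example Key <archive@example.invalid>
"""

PUB = re.compile(r"^pub\s+\S+\s+\d{4}-\d{2}-\d{2}\s+\[\w+\]"
                 r"(?:\s+\[expire[sd]:\s+(\d{4}-\d{2}-\d{2})\])?")
FPR = re.compile(r"^\s+((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})\s*$")
UID = re.compile(r"^uid\s+\[[^\]]*\]\s+(.+)$")

def parse_keys(listing):
    """One dict per primary key: keyring, expires (date or None), fingerprint, uid."""
    keys, keyring, prev = [], None, ""
    for line in listing.splitlines():
        if prev.startswith("/") and line and set(line) == {"-"}:
            keyring = prev  # a row of dashes underlines the keyring path
        elif m := PUB.match(line):
            exp = date.fromisoformat(m.group(1)) if m.group(1) else None
            keys.append(dict(keyring=keyring, expires=exp, fingerprint=None, uid=None))
        elif keys and keys[-1]["fingerprint"] is None and (m := FPR.match(line)):
            keys[-1]["fingerprint"] = "".join(m.group(1).split())
        elif keys and keys[-1]["uid"] is None and (m := UID.match(line)):
            keys[-1]["uid"] = m.group(1)
        prev = line
    return keys

def expiring(listing, today, warn_days=90):
    """Keys expiring within warn_days of today; negative days_left means expired."""
    dated = [k for k in parse_keys(listing) if k["expires"] is not None]
    hits = [{**k, "days_left": (k["expires"] - today).days} for k in dated]
    return [k for k in hits if k["days_left"] <= warn_days]

if __name__ == "__main__":
    for k in expiring(SAMPLE, date.today()):
        print(k["days_left"], k["fingerprint"], k["keyring"], k["uid"])
```

For unattended monitoring, GnuPG documents its `--with-colons` output as the stable format for parsing; the layout handled here is the one shown in the report.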
[19 Nov 2021 6:31] MySQL Verification Team
Hello Randy Fay,

Thank you for the report and feedback.

regards,
Umesh
[7 Dec 2021 16:32] Randy Fay
This has not been addressed, and we are now about 2 months from key expiration. Please prevent grave harm to the user community by solving this.
[11 Jan 2022 19:14] Daniel Price
Posted by developer:
 
Fixed as of the upcoming 8.0.28 release:

"The GnuPG build key used to sign MySQL downloadable packages has been
updated. The previous GnuPG build key was set to expire on 2022-02-16. For
information about verifying the integrity and authenticity of MySQL
downloadable packages using GnuPG signature checking and to obtain a copy
of our public GnuPG build key, see Signature Checking Using GnuPG."

Associated documentation updates will appear online with the MySQL 8.0.28 release.