Bug #106188 The MySQL GPG key seems to be incorrect
Submitted: 17 Jan 2022 20:54    Modified: 5 Sep 2022 13:54
Reporter: cPanel, LLC Senior Tech's
Status: Closed
Category: MySQL Server: Packaging    Severity: S1 (Critical)
Version: 8.0, 5.7    OS: Any
Assigned to:    CPU Architecture: Any

[17 Jan 2022 20:54] cPanel, LLC Senior Tech's
Description:
We use the official MySQL GPG key:  https://repo.mysql.com/RPM-GPG-KEY-mysql (this is for all MySQL repos on all OSs). The latest packages do not seem to be signed with it.

```
The GPG keys listed for the "MySQL 8.0 Community Server" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: mysql-community-client-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-client-plugins-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-client-plugins-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-common-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-common-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-devel-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-devel-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-icu-data-files-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-icu-data-files-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-libs-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-libs-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-server-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-server-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Error: GPG check FAILED
```

Furthermore, the fact that it is using http and not https is a bit concerning here as well.

How to repeat:
We may be the first to see this since we install MySQL upon the installation of the cPanel & WHM Software. Installations are currently failing because of this.

Suggested fix:
Sign the packages with the current key (or create new key and sign the packages).
[17 Jan 2022 21:25] Lennox Stevenson
This is impacting my team as well. We were getting this issue when building our docker image for apache airflow as part of our deploy process.

```
apt-get update
Err:7 http://repo.mysql.com/apt/debian buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
Reading package lists...
W: GPG error: http://repo.mysql.com/apt/debian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
E: The repository 'http://repo.mysql.com/apt/debian buster InRelease' is not signed.
```

If there's an immediate solution beyond waiting for the public key to be updated, let me know.
[17 Jan 2022 22:06] Terje Røsten
Hi guys!

The current GPG key will soon expire, hence 8.0.28 packages are signed with a new key.

It's available as

 https://repo.mysql.com/RPM-GPG-KEY-mysql-2022

Updating the former location
 https://repo.mysql.com/RPM-GPG-KEY-mysql

with new content creates another set of problems, therefore the new key
is at a different URL.
[18 Jan 2022 9:08] MySQL Verification Team
Hello!

Thank you for the report and feedback.

regards,
Umesh
[18 Jan 2022 9:12] MySQL Verification Team
Related - Bug #105632
[18 Jan 2022 16:24] MySQL Verification Team
Bug #106200 marked as duplicate of this one
[19 Jan 2022 7:07] Terje Røsten
For more details regarding this issue and how to resolve it, please have a look in MySQL 8.0.28 Release Notes:

https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-28.html#mysqld-8-0-28-packaging
[19 Jan 2022 12:08] MySQL Verification Team
Bug #106209 marked as duplicate of this one
[20 Jan 2022 13:55] Truls Bergskaug
It seems that this gpg key only lasts for 2 years:
hashed subpkt 9 len 4 (key expires after 2y0d0h0m)

while the old key had a much longer expiry time:
 hashed subpkt 9 len 4 (key expires after 19y18d5h47m)
 hashed subpkt 9 len 4 (key expires after 10y229d19h51m)
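The `key expires after ...` field Truls quotes comes from `gpg --list-packets`. The shell snippet below is an added example, not code from this thread or from Oracle: it turns that field into a day count and checks it against a threshold, so a repository key nearing expiry can be caught by a routine check instead of by failing installs. The function names and the sample packet-dump lines are constructed for the demo; in real use the input would be `gpg --list-packets RPM-GPG-KEY-mysql-2022` piped into `lifetime_days`.

```shell
#!/bin/sh
# Added example (not from the bug report): convert the "key expires after
# NyNdNhNm" subpacket that gpg --list-packets prints into whole days, and
# test it against a minimum lifetime. gpg counts a year as 365 days; hours
# and minutes are folded in and truncated.

# Read gpg --list-packets output on stdin; print the lifetime in days of the
# first "key expires after" subpacket (prints nothing if the key never expires).
lifetime_days() {
    sed -n 's/.*key expires after \([0-9]*\)y\([0-9]*\)d\([0-9]*\)h\([0-9]*\)m.*/\1 \2 \3 \4/p' \
    | head -n 1 \
    | awk '{ printf "%d\n", $1 * 365 + $2 + int(($3 * 60 + $4) / 1440) }'
}

# Exit 0 if the lifetime read from stdin is at least $1 days, 1 otherwise.
# A key with no expiry subpacket counts as "never expires" and passes.
lifetime_at_least() {
    days=$(lifetime_days)
    [ -z "$days" ] || [ "$days" -ge "$1" ]
}

# Constructed sample lines in the shape gpg --list-packets produces; the
# durations are the two quoted in the thread (the new key and the old one).
SAMPLE_NEW=':public key packet:
        hashed subpkt 9 len 4 (key expires after 2y0d0h0m)'
SAMPLE_OLD=':public key packet:
        hashed subpkt 9 len 4 (key expires after 19y18d5h47m)'

printf '%s\n' "$SAMPLE_NEW" | lifetime_days    # 730
printf '%s\n' "$SAMPLE_OLD" | lifetime_days    # 6953

if printf '%s\n' "$SAMPLE_NEW" | lifetime_at_least 1000; then
    echo "new key lifetime is at least 1000 days"
else
    echo "new key lifetime is under 1000 days: plan the rotation"
fi
```

For an actual check the lifetime alone is not enough; subtract the key's age (the `created` timestamp in the same packet dump) from it to get the days remaining, and alert well before that reaches zero.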
[20 Jan 2022 14:02] cPanel, LLC Senior Tech's
Our concern was just that there appears to have been no known communication of this happening before it did. We just saw hundreds of updates/installs fail and initially couldn't figure out what had changed.

In the future, it would be good to post this somewhere well in advance.
[20 Jan 2022 14:10] Terje Røsten
Hi!

Lifetime is reduced to improve security.

Indeed, communication before the change was less than wanted.

In future, we will try to improve this.

Thanks for your feedback and understanding so far.
[21 Jan 2022 10:45] Truls Bergskaug
Will the old packages be updated with the new gpg requirements?
[21 Jan 2022 10:48] Terje Røsten
No, we can't change the content of files (a side effect of re-signing) without changing names, and rebuilding old releases with new names will not happen.
[22 Jan 2022 17:39] Chris Duke
We found the issue to be with the RPM-GPG-KEY-mysql key. For us, running MySQL v5.7, we found that the latest RPM package uses a new key: RPM-GPG-KEY-mysql-2022.

So we had to set up test servers, get the new key, edit the repos file and point it to the new key. When running yum update, it does throw up a warning about importing a new GPG key.

But it worked for us - so far so good.

Hope this helps.
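The repo-file edit Chris describes, written as an added shell example (not code from this thread, from cPanel or from Oracle): it rewrites the `gpgkey=` line of a yum/dnf `.repo` file from the old `RPM-GPG-KEY-mysql` URL to the `RPM-GPG-KEY-mysql-2022` URL named in this thread, fetching it over https rather than the plain http the description flags, and then checks the result. The function names and the `.repo` content are constructed for the demo; on a real host the file is typically `/etc/yum.repos.d/mysql-community.repo`.

```shell
#!/bin/sh
# Added example (not from the bug report): point a .repo file at the 2022
# signing key over https and verify that no gpgkey line still uses http or
# the old key name. The .repo text below is constructed for the demo.

OLD_KEY_URL='http://repo.mysql.com/RPM-GPG-KEY-mysql'
NEW_KEY_URL='https://repo.mysql.com/RPM-GPG-KEY-mysql-2022'

# Print the gpgkey value of section [$2] in .repo file $1 (empty if none).
repo_gpgkey() {
    awk -v want="[$2]" '
        $0 == want           { in_sec = 1; next }
        /^\[/                { in_sec = 0 }
        in_sec && /^gpgkey=/ { sub(/^gpgkey=/, ""); print; exit }
    ' "$1"
}

# Rewrite every gpgkey line that still names the old key (http or https)
# so it fetches the 2022 key over https. Writes via a temp file, no sed -i.
point_at_2022_key() {
    tmp="$1.tmp.$$"
    sed -E "s|^gpgkey=https?://repo\.mysql\.com/RPM-GPG-KEY-mysql\$|gpgkey=$NEW_KEY_URL|" "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Exit 0 if no gpgkey line in $1 uses plain http and none ends in the old
# key name; exit 1 otherwise. Use this as the post-edit check.
repo_key_lines_ok() {
    ! grep -q '^gpgkey=http://' "$1" && ! grep -q 'RPM-GPG-KEY-mysql$' "$1"
}

# Demo on a constructed copy of a MySQL 8.0 repo section.
REPO=$(mktemp)
trap 'rm -f "$REPO"' EXIT
cat > "$REPO" <<'EOF'
[mysql80-community]
name=MySQL 8.0 Community Server
baseurl=http://repo.mysql.com/yum/mysql-8.0-community/el/8/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://repo.mysql.com/RPM-GPG-KEY-mysql
EOF

echo "before: $(repo_gpgkey "$REPO" mysql80-community)"
point_at_2022_key "$REPO"
echo "after:  $(repo_gpgkey "$REPO" mysql80-community)"
repo_key_lines_ok "$REPO" && echo "repo file now references only the https 2022 key"

# On a real host the follow-up is: rpm --import "$NEW_KEY_URL"  (after
# checking the fingerprint against the 8.0.28 release notes), then
# yum update, which is the step where Chris saw the import warning.
```

Keep `gpgcheck=1` in place: the point of the edit is to let the signature check succeed against the right key, not to bypass it.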
[5 Sep 2022 13:54] Terje Røsten
Issue resolved by signing packages with new GPG key.

The corresponding public GPG key used is:
 http://repo.mysql.com/RPM-GPG-KEY-mysql-2022