Bug #106188 The MySQL GPG key seems to be incorrect
Submitted: 17 Jan 2022 20:54 Modified: 5 Sep 2022 13:54
Reporter: cPanel, LLC Senior Tech's Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Packaging Severity:S1 (Critical)
Version:8.0, 5.7 OS:Any
Assigned to: CPU Architecture:Any

[17 Jan 2022 20:54] cPanel, LLC Senior Tech's 
Description:
We use the official MySQL GPG key:  https://repo.mysql.com/RPM-GPG-KEY-mysql (this is for all MySQL repos on all OSs). The latest packages do not seem to be signed with it.

The GPG keys listed for the "MySQL 8.0 Community Server" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: mysql-community-client-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-client-plugins-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-client-plugins-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-common-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-common-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-devel-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-devel-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-icu-data-files-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-icu-data-files-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-libs-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-libs-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Public key for mysql-community-server-8.0.28-1.el8.x86_64.rpm is not installed. Failing package is: mysql-community-server-8.0.28-1.el8.x86_64
GPG Keys are configured as: http://repo.mysql.com/RPM-GPG-KEY-mysql
Error: GPG check FAILED

Further more, the fact that it is using http and not https is a bit concerning here as well.

How to repeat:
We may be the first to see this since we install MySQL upon the installation of the cPanel & WHM Software.  Installations are currently failing because of this.

Suggested fix:
Sign the packages with the current key (or create new key and sign the packages).
[17 Jan 2022 21:25] Lennox Stevenson 
This is impacting my team as well. We were getting this issue when building our docker image for apache airflow as part of our deploy process.

```
apt-get update
Err:7 http://repo.mysql.com/apt/debian buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
Reading package lists...
W: GPG error: http://repo.mysql.com/apt/debian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
E: The repository 'http://repo.mysql.com/apt/debian buster InRelease' is not signed.
```

If there's an immediate solution beyond waiting for the public key to be upda ted let me know.
[17 Jan 2022 22:06] Terje Røsten 
Hi guys!

The current GPG key will soon expire, hence 8.0.28 packages are signed with a new key.

It's available as

 https://repo.mysql.com/RPM-GPG-KEY-mysql-2022

Updating the former location
 https://repo.mysql.com/RPM-GPG-KEY-mysql

with new content creates other set of problems, therefore new key
is at different URL.
[18 Jan 2022 9:08] MySQL Verification Team 
Hello!

Thank you for the report and feedback.

regards,
Umesh
[18 Jan 2022 9:12] MySQL Verification Team 
Related - Bug #105632
[18 Jan 2022 16:24] MySQL Verification Team 
Bug #106200 marked as duplicate of this one
[19 Jan 2022 7:07] Terje Røsten 
For more details regarding this issue and how to resolve it, please have a look in MySQL 8.0.28 Release Notes:

https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-28.html#mysqld-8-0-28-packaging
[19 Jan 2022 12:08] MySQL Verification Team 
Bug #106209 marked as duplicate of this one
[20 Jan 2022 13:55] Truls Bergskaug 
It seems that this gpg key only lasts for 2 years:
hashed subpkt 9 len 4 (key expires after 2y0d0h0m)

while the old key had much longer expiertime:
 hashed subpkt 9 len 4 (key expires after 19y18d5h47m)
 hashed subpkt 9 len 4 (key expires after 10y229d19h51m)
[20 Jan 2022 14:02] cPanel, LLC Senior Tech's 
Our concern was just that there appears to have been no known communication of this happening before it did.  We just saw hundreds of updates/installs fail and initially couldn't figure out what had changed. 

In the future, it would be good to post this somewhere well in advance.
[20 Jan 2022 14:10] Terje Røsten 
Hi!

Lifetime is reduced to improve security.

Indeed, commmunication before the change was less than wanted.

In future, we will try to improve this.

Thanks for your feedback and understanding so far.
[21 Jan 2022 10:45] Truls Bergskaug 
Will the old packages be updated with the new gpg requirements?
[21 Jan 2022 10:48] Terje Røsten 
No, we can't change content of files (side effect of resigning) without changing names, rebuilding old releases with new names will not happen.
[22 Jan 2022 17:39] Chris Duke 
We found the issue to be with the RPM-GPG-KEY-mysql key.  For us, running MySQL v5.7, we found that the latest RPM package uses a new key:  RPM-GPG-KEY-mysql-2022. 

So we had to setup test servers, get the new key, edit the repos file and point it to the new key.  When running yum update, it does throw up a warning about importing a new GPG key.

But it worked for us - so far so good.

Hope this helps.
[5 Sep 2022 13:54] Terje Røsten 
Issue resolved by signing packages with new GPG key.

The corresponding public GPG key used is:
 http://repo.mysql.com/RPM-GPG-KEY-mysql-2022
[5 Sep 2022 13:56] Terje Røsten 
Posted by developer:
 
Issue resolved by signing packages with new GPG key.

The corresponding public GPG key used is:
 http://repo.mysql.com/RPM-GPG-KEY-mysql-2022
[22 May 2025 9:41] Kenta Tanda 
I just want to confirm that this issue is still happening as of May 2025.

My environment:

AlmaLinux 9.5 (RHEL 9 compatible)

MySQL version: 8.0.42

Repository: http://repo.mysql.com/yum/mysql-8.0-community/el/9/x86_64/

GPG keys: RPM-GPG-KEY-mysql, RPM-GPG-KEY-mysql-2022 (imported correctly)

Even with the correct GPG keys and repo settings, DNF throws this error:

"The GPG keys listed for the 'MySQL 8.0 Community Server' repository are already installed but they are not correct for this package."

So I had to use --nogpgcheck to install it.

It looks like the exact same issue described here. Could you please check if the packages are signed with the correct key, or if something changed recently?

Thanks!
[22 May 2025 9:57] Terje Røsten 
Hi,

current key used is: 

 https://repo.mysql.com/RPM-GPG-KEY-mysql-2023

Can you please verify this key works for you?
[11 Apr 4:10] Josh Whitlow 
I'm running Rocky Linux 10.1

I'm trying to get MySQL 8.4 LTS up and running and whenever i run this command:

sudo dnf install mysql-community-server -y

The error output complains they expired and GPG check failed (October 2025 exp date)

They were set to: gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2023

I tried all these listed in the same directory:

RPM-GPG-KEY-mysql
RPM-GPG-KEY-mysql-2022 
RPM-GPG-KEY-mysql-2023

This bug thread seemed to indicate the 2025 one was what I needed so I got that one:
https://bugs.mysql.com/bug.php?id=119212

sudo rpm --import RPM-GPG-KEY-mysql-2025

This is the key it retrieved: https://repo.mysql.com/RPM-GPG-KEY-mysql-2025

I updated the file being used here to reference the new 2025 key:
/etc/yum.repos.d/mysql-community.repo

and then ran:

sudo dnf clean all
sudo dnf makecache
sudo dnf install mysql-community-server -y

But I'm still getting the same error GPG check FAILED along with the expiration dates still showing 2025-10-22, and the errors are now referencing the new 2025 keys.

Full errors:

Verifying a signature using certificate BCA43417C3B485DD128EC6D4B7B3B788A8D3785C (MySQL Release Engineering <mysql-build@oss.oracle.com>):
  1. Certificiate B7B3B788A8D3785C invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
  2. Key B7B3B788A8D3785C invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
error: Verifying a signature using certificate BCA43417C3B485DD128EC6D4B7B3B788A8D3785C (MySQL Release Engineering <mysql-build@oss.oracle.com>):
  1. Certificiate B7B3B788A8D3785C invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
  2. Key B7B3B788A8D3785C invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
error: Verifying a signature using certificate BCA43417C3B485DD128EC6D4B7B3B788A8D3785C (MySQL Release Engineering <mysql-build@oss.oracle.com>):
  1. Certificiate B7B3B788A8D3785C invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
  2. Key B7B3B788A8D3785C invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
error: Verifying a signature using certificate BCA43417C3B485DD128EC6D4B7B3B788A8D3785C (MySQL Release Engineering <mysql-build@oss.oracle.com>):
  1. Certificiate B7B3B788A8D3785C invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
  2. Key B7B3B788A8D3785C invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
error: Verifying a signature using certificate BCA43417C3B485DD128EC6D4B7B3B788A8D3785C (MySQL Release Engineering <mysql-build@oss.oracle.com>):
  1. Certificiate B7B3B788A8D3785C invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
  2. Key B7B3B788A8D3785C invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
error: Verifying a signature using certificate BCA43417C3B485DD128EC6D4B7B3B788A8D3785C (MySQL Release Engineering <mysql-build@oss.oracle.com>):
  1. Certificiate B7B3B788A8D3785C invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
  2. Key B7B3B788A8D3785C invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
error: Verifying a signature using certificate BCA43417C3B485DD128EC6D4B7B3B788A8D3785C (MySQL Release Engineering <mysql-build@oss.oracle.com>):
  1. Certificiate B7B3B788A8D3785C invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
  2. Key B7B3B788A8D3785C invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
error: Verifying a signature using certificate BCA43417C3B485DD128EC6D4B7B3B788A8D3785C (MySQL Release Engineering <mysql-build@oss.oracle.com>):
  1. Certificiate B7B3B788A8D3785C invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
  2. Key B7B3B788A8D3785C invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2025-10-22T17:26:50Z
The GPG keys listed for the "MySQL 8.4 LTS Community Server" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: mysql-community-client-8.4.8-1.el10.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2025
Public key for mysql-community-client-plugins-8.4.8-1.el10.x86_64.rpm is not trusted. Failing package is: mysql-community-client-plugins-8.4.8-1.el10.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2025
Public key for mysql-community-common-8.4.8-1.el10.x86_64.rpm is not trusted. Failing package is: mysql-community-common-8.4.8-1.el10.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2025
Public key for mysql-community-icu-data-files-8.4.8-1.el10.x86_64.rpm is not trusted. Failing package is: mysql-community-icu-data-files-8.4.8-1.el10.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2025
Public key for mysql-community-libs-8.4.8-1.el10.x86_64.rpm is not trusted. Failing package is: mysql-community-libs-8.4.8-1.el10.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2025
Public key for mysql-community-server-8.4.8-1.el10.x86_64.rpm is not trusted. Failing package is: mysql-community-server-8.4.8-1.el10.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2025
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED