Bug #106188 | The MySQL GPG key seems to be incorrect | ||
---|---|---|---|
Submitted: | 17 Jan 2022 20:54 | Modified: | 5 Sep 2022 13:54 |
Reporter: | cPanel, LLC Senior Tech's | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Packaging | Severity: | S1 (Critical) |
Version: | 8.0, 5.7 | OS: | Any |
Assigned to: | | CPU Architecture: | Any |
[17 Jan 2022 20:54]
cPanel, LLC Senior Tech's
[17 Jan 2022 21:25]
Lennox Stevenson
This is impacting my team as well. We were getting this issue when building our docker image for apache airflow as part of our deploy process.

```
apt-get update
Err:7 http://repo.mysql.com/apt/debian buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
Reading package lists...
W: GPG error: http://repo.mysql.com/apt/debian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
E: The repository 'http://repo.mysql.com/apt/debian buster InRelease' is not signed.
```

If there's an immediate solution beyond waiting for the public key to be updated let me know.
[17 Jan 2022 22:06]
Terje Røsten
Hi guys! The current GPG key will soon expire, hence 8.0.28 packages are signed with a new key. It's available as https://repo.mysql.com/RPM-GPG-KEY-mysql-2022

Updating the former location https://repo.mysql.com/RPM-GPG-KEY-mysql with new content creates another set of problems; therefore the new key is at a different URL.
[18 Jan 2022 9:08]
MySQL Verification Team
Hello! Thank you for the report and feedback. regards, Umesh
[18 Jan 2022 9:12]
MySQL Verification Team
Related - Bug #105632
[18 Jan 2022 16:24]
MySQL Verification Team
Bug #106200 marked as duplicate of this one
[19 Jan 2022 7:07]
Terje Røsten
For more details regarding this issue and how to resolve it, please have a look in MySQL 8.0.28 Release Notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-28.html#mysqld-8-0-28-packaging
[19 Jan 2022 12:08]
MySQL Verification Team
Bug #106209 marked as duplicate of this one
[20 Jan 2022 13:55]
Truls Bergskaug
It seems that this gpg key only lasts for 2 years:

```
hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
```

while the old key had a much longer expiry time:

```
hashed subpkt 9 len 4 (key expires after 19y18d5h47m)
hashed subpkt 9 len 4 (key expires after 10y229d19h51m)
```
[20 Jan 2022 14:02]
cPanel, LLC Senior Tech's
Our concern was just that there appears to have been no known communication of this happening before it did. We just saw hundreds of updates/installs fail and initially couldn't figure out what had changed. In the future, it would be good to post this somewhere well in advance.
[20 Jan 2022 14:10]
Terje Røsten
Hi! Lifetime is reduced to improve security. Indeed, communication before the change was less than wanted. In future, we will try to improve this. Thanks for your feedback and understanding so far.
[21 Jan 2022 10:45]
Truls Bergskaug
Will the old packages be updated with the new gpg requirements?
[21 Jan 2022 10:48]
Terje Røsten
No, we can't change content of files (side effect of resigning) without changing names; rebuilding old releases with new names will not happen.
[22 Jan 2022 17:39]
Chris Duke
We found the issue to be with the RPM-GPG-KEY-mysql key. For us, running MySQL v5.7, we found that the latest RPM package uses a new key: RPM-GPG-KEY-mysql-2022. So we had to set up test servers, get the new key, edit the repos file and point it to the new key. When running yum update, it does throw up a warning about importing a new GPG key. But it worked for us - so far so good. Hope this helps.
[5 Sep 2022 13:54]
Terje Røsten
Issue resolved by signing packages with new GPG key. The corresponding public GPG key used is: http://repo.mysql.com/RPM-GPG-KEY-mysql-2022
[5 Sep 2022 13:56]
Terje Røsten
Posted by developer: Issue resolved by signing packages with new GPG key. The corresponding public GPG key used is: http://repo.mysql.com/RPM-GPG-KEY-mysql-2022
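The two checks this thread turns on, as an added example that is not part of the original report or MySQL's tooling: take the key ID apt reports as `NO_PUBKEY` and confirm that a candidate key file really contains that key and has not expired. The function names and both colon listings are assumptions constructed for illustration (invented timestamps, placeholder old key ID); only the apt warning and the key ID 467B942D3A79BD29 come from the thread.

```shell
#!/bin/sh
# Added example. Real inputs would come from:
#   apt-get update 2>&1              (first argument of check_keys)
#   gpg --show-keys --with-colons F  (second argument; F = downloaded key file)

# apt warning copied from the report in this thread.
APT_OUTPUT="W: GPG error: http://repo.mysql.com/apt/debian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29"
# Constructed listings: timestamps are invented, AAAAAAAAAAAAAAAA is a placeholder ID.
NEW_LISTING="pub:-:4096:1:467B942D3A79BD29:1640000000:1703072000::-:::scSC::::::23::0:"
OLD_LISTING="pub:-:1024:17:AAAAAAAAAAAAAAAA:1040000000:1645000000::-:::scSC::::::23::0:"

# Print each distinct key ID that apt reported as NO_PUBKEY (apt output on stdin).
missing_key_ids() {
  grep -oE 'NO_PUBKEY [0-9A-F]{16}' | awk '{print $2}' | sort -u
}

# Print the expiry epoch (field 7) of key $1 in a colon listing on stdin.
# Exit status 1 if no primary key or subkey in the listing has that ID.
key_expiry_for() {
  awk -F: -v id="$1" '
    ($1 == "pub" || $1 == "sub") && $5 == id { print $7; found = 1; exit }
    END { exit !found }'
}

# check_keys APT_TEXT LISTING NOW_EPOCH
# One line per key apt is missing; returns 1 if any is absent or expired.
check_keys() {
  rc=0
  for id in $(printf '%s\n' "$1" | missing_key_ids); do
    if ! exp=$(printf '%s\n' "$2" | key_expiry_for "$id"); then
      echo "$id MISSING"; rc=1
    elif [ -z "$exp" ]; then
      echo "$id OK no-expiry"
    elif [ "$exp" -le "$3" ]; then
      echo "$id EXPIRED"; rc=1
    else
      echo "$id OK expires-in-days=$(( ($exp - $3) / 86400 ))"
    fi
  done
  return "$rc"
}

# Fixed "now" so the demonstration is reproducible; use $(date +%s) in practice.
check_keys "$APT_OUTPUT" "$NEW_LISTING" 1642000000
```

Matching the key ID only shows that the file holds the key the repository signs with; whether to trust that key still depends on obtaining it over HTTPS from the vendor or comparing its full fingerprint with one the vendor publishes.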