Bug #107143 mysql80-community-release-el8-4.noarch.rpm is not signed
Submitted: 27 Apr 2022 14:02 Modified: 3 Jun 2022 15:41
Reporter: Hans Borresen Email Updates:
Status: Closed Impact on me: None
Category:MySQL Server: Packaging Severity:S2 (Serious)
Version:8 OS:CentOS
Assigned to: Balasubramanian Kandasamy CPU Architecture:Any
Tags: rpm

[27 Apr 2022 14:02] Hans Borresen
Description:
The latest update to mysql80-community-release-el8 is not gpg signed at all.

This causes update failures.

[root@localhost tmp]# rpm -qpi ./mysql80-community-release-el8-3.noarch.rpm | grep Signature
Signature   : RSA/SHA256, Mon 10 Jan 2022 05:20:47 AM CST, Key ID 467b942d3a79bd29
[root@localhost tmp]# rpm -qpi ./mysql80-community-release-el8-4.noarch.rpm | grep Signature
Signature   : (none)

How to repeat:
Start on an EL8 variant server -- I am testing using AlmaLinux 8.5

Install the old version of mysql80-community-release-el8 (which was signed):

    dnf install https://repo.mysql.com//mysql80-community-release-el8-3.noarch.rpm

Then, disable the AlmaLinux mysql module to ensure we can use the community repos:

    dnf module disable mysql

Install the community server -- and accept the gpg signature during the install:

    dnf install mysql-community-server
    ...
    Importing GPG key 0x3A79BD29:
     Userid     : "MySQL Release Engineering <mysql-build@oss.oracle.com>"
     Fingerprint: 859B E8D7 C586 F538 430B 19C2 467B 942D 3A79 BD29
     From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2022
    Is this ok [y/N]: y
    Key imported successfully
    MySQL 8.0 Community Server    1.9 MB/s | 1.9 kB     00:00
    Importing GPG key 0x5072E1F5:
     Userid     : "MySQL Release Engineering <mysql-build@oss.oracle.com>"
     Fingerprint: A4A9 4068 76FC BD3C 4567 70C8 8C71 8D3B 5072 E1F5
     From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-mysql
    Is this ok [y/N]: y
    ...

This ensures that we have accepted the signing keys.

Then, finally, try to update the mysql80-community-release package to the latest version:

    dnf upgrade mysql80-community-release

It will fail with the following:

    Package mysql80-community-release-el8-4.noarch.rpm is not signed
    Error: GPG check FAILED

Suggested fix:
Ensure that the rpm files are properly signed.
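The check the report does by hand with `rpm -qpi ... | grep Signature`, as an added example that is not part of the bug report or of MySQL's own tooling: a POSIX shell function that classifies the Signature line as unsigned, trusted or signed-by-an-unknown-key by matching the Key ID against the two fingerprints dnf displayed above (the Key ID rpm prints is the last 16 hex digits of the full fingerprint). The wrapper name `rpm_verdict` and the verdict strings are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report: decide whether an RPM is
# signed by a key we already trust *before* dnf gets to refuse it.

# Trusted fingerprints exactly as dnf printed them in the report above;
# spaces are stripped before comparison.
TRUSTED_FINGERPRINTS="
859B E8D7 C586 F538 430B 19C2 467B 942D 3A79 BD29
A4A9 4068 76FC BD3C 4567 70C8 8C71 8D3B 5072 E1F5
"

# sig_verdict SIGNATURE_LINE
# Prints: unsigned | trusted | untrusted:<KEYID> | unknown
sig_verdict() {
    line=$1
    # "Signature   : (none)" is exactly what the broken el8-4 package shows
    case $line in
        *": (none)"*) echo unsigned; return 0 ;;
    esac
    # Pull the 16-hex-digit Key ID and normalise it to upper case
    keyid=$(printf '%s\n' "$line" \
        | sed -n 's/.*Key ID \([0-9a-fA-F]\{16\}\).*/\1/p' | tr 'a-f' 'A-F')
    if [ -z "$keyid" ]; then
        echo unknown          # no Signature line, or an unexpected format
        return 0
    fi
    for fp in $(printf '%s' "$TRUSTED_FINGERPRINTS" | tr -d ' '); do
        # The Key ID is the low 64 bits, i.e. the last 16 hex digits
        suffix=$(printf '%s\n' "$fp" | sed 's/.*\(.\{16\}\)$/\1/')
        if [ "$suffix" = "$keyid" ]; then
            echo trusted
            return 0
        fi
    done
    echo "untrusted:$keyid"   # signed, but not by a key on the allowlist
}

# rpm_verdict FILE.rpm  (assumed wrapper; needs rpm installed locally)
rpm_verdict() {
    sig_verdict "$(rpm -qpi "$1" 2>/dev/null | grep '^Signature')"
}
```

Run it as `rpm_verdict ./mysql80-community-release-el8-4.noarch.rpm` and gate the install on the word `trusted`; anything else is a reason to stop and look at the package before importing keys.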
[28 Apr 2022 4:05] MySQL Verification Team
Hello Hans Borresen,

Thank you for the report and feedback.

regards,
Umesh
[2 Jun 2022 14:19] Hans Borresen
Just to note: this was fixed a while ago, though nothing was posted.
[3 Jun 2022 15:41] Balasubramanian Kandasamy
Thanks for the bug report.

We have signed the el8 repo setup rpm and published them to dev.mysql.com and the yum repository.