| Bug #119212 | Expired GPG signature key for package repository | ||
|---|---|---|---|
| Submitted: | 22 Oct 2025 20:56 | Modified: | 29 Jan 23:55 |
| Reporter: | Emerson Silva | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Package Repos | Severity: | S2 (Serious) |
| Version: | >= 8.0.36 | OS: | Linux |
| Assigned to: | CPU Architecture: | x86 | |
| Tags: | gpg, repository, signature | ||
[22 Oct 2025 20:56]
Emerson Silva
[23 Oct 2025 14:08]
Marc Hassan
The key link in the description is broken (it has an extra slash at the end). It should be https://repo.mysql.com/RPM-GPG-KEY-mysql-2023.
[23 Oct 2025 15:10]
Eugene Gubenkov
It looks like this key was already updated on Ubuntu keyserver: https://keyserver.ubuntu.com/pks/lookup?search=B7B3B788A8D3785C&fingerprint=on&op=index So the workaround here is to receive the GPG key from the Ubuntu keyserver directly instead of letting "mysql-apt-config" configure it. New expiration date is set to 2027-10-23T12:03:47Z.
[24 Oct 2025 4:25]
Eugene Gubenkov
It looks like new mysql-apt-config is available that embeds a key with updated expiration date (mysql-apt-config_0.8.35-1_all.deb) at https://dev.mysql.com/get/mysql-apt-config_0.8.35-1_all.deb. It addresses the issue for me.
[24 Oct 2025 12:26]
Dayo Lasode
Any idea when https://repo.mysql.com/ will be updated with the new GPG key?
[24 Oct 2025 12:29]
Eugene Gubenkov
Dayo Lasode, There is no need to update the repository key itself. What was needed is updated expiration for the existing one. It is already happened. mysql-apt-config package was also updated and GPG with updated expiration is now embedded. Key/fingerprint is the same.
[24 Oct 2025 12:51]
Dayo Lasode
Hi Eugene This might be specific in my case but our automation pulls the key directly from https://repo.mysql.com/RPM-GPG-KEY-mysql-2023, which is the current latest one but that still shows as expired? ~$ sudo curl -fsSL https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 -o /tmp/fresh.asc -H "Cache-Control: no-cache" ~$ gpg --show-keys /tmp/fresh.asc pub rsa4096 2023-10-23 [SC] [expired: 2025-10-22] BCA43417C3B485DD128EC6D4B7B3B788A8D3785C uid MySQL Release Engineering <mysql-build@oss.oracle.com> sub rsa4096 2023-10-23 [E] [expired: 2025-10-22]
[24 Oct 2025 13:31]
Eugene Gubenkov
Hey Dayo Lasode, Yes, they did not update by this link. However, you can download updated at from Ubuntu key server already.
[27 Oct 2025 14:30]
David Ducos
If you want the exact steps to workaround this issue, this might helps you: root@6b032e81fe2e:~# curl -fsSL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xB7B3B788A8D3785C" -o /tmp/fresh.asc root@6b032e81fe2e:~# gpg --import /tmp/fresh.asc gpg: key B7B3B788A8D3785C: 1 signature not checked due to a missing key gpg: key B7B3B788A8D3785C: "MySQL Release Engineering <mysql-build@oss.oracle.com>" 3 new signatures gpg: Total number processed: 1 gpg: new signatures: 3 gpg: no ultimately trusted keys found root@6b032e81fe2e:~# gpg --output /usr/share/keyrings/mysql-apt-config.gpg --export BCA43417C3B485DD128EC6D4B7B3B788A8D3785C File '/usr/share/keyrings/mysql-apt-config.gpg' exists. Overwrite? (y/N) y Regards
[17 Nov 2025 12:43]
William David Edwards
Can someone please pertain to updating the key at https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 ? It's kind of stunning it's still out of date.
[8 Dec 2025 13:58]
William David Edwards
?
[21 Jan 12:43]
William David Edwards
?
[24 Jan 15:50]
David Ducos
On EL10, I had to do this: rpm -e gpg-pubkey-a8d3785c-6536acda curl -fsSL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xB7B3B788A8D3785C" -o /tmp/fresh.asc gpg --import /tmp/fresh.asc rm /etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2023 gpg --output /etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2023 --export BCA43417C3B485DD128EC6D4B7B3B788A8D3785C Regards
[25 Jan 13:17]
KC Tessarek
using the following on fedora 43 [mysql-8.4-lts-community] name=MySQL 8.4 LTS Community Server baseurl=https://repo.mysql.com/yum/mysql-8.4-community/fc/$releasever/$basearch/ enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2023 dnf update mysql-communi* Updating and loading repositories: Repositories loaded. Package Arch Version Repository Size Upgrading: mysql-community-client x86_64 8.4.8-10.fc43 mysql-8.4-lts-community 63.1 MiB replacing mysql-community-client x86_64 8.4.7-10.fc42 mysql-8.4-lts-community 63.1 MiB mysql-community-client-plugins x86_64 8.4.8-10.fc43 mysql-8.4-lts-community 13.0 MiB replacing mysql-community-client-plugins x86_64 8.4.7-10.fc42 mysql-8.4-lts-community 13.0 MiB mysql-community-common x86_64 8.4.8-10.fc43 mysql-8.4-lts-community 10.9 MiB replacing mysql-community-common x86_64 8.4.7-10.fc42 mysql-8.4-lts-community 10.9 MiB mysql-community-icu-data-files x86_64 8.4.8-10.fc43 mysql-8.4-lts-community 4.3 MiB replacing mysql-community-icu-data-files x86_64 8.4.7-10.fc42 mysql-8.4-lts-community 4.3 MiB mysql-community-libs x86_64 8.4.8-10.fc43 mysql-8.4-lts-community 7.2 MiB replacing mysql-community-libs x86_64 8.4.7-10.fc42 mysql-8.4-lts-community 7.2 MiB mysql-community-server x86_64 8.4.8-10.fc43 mysql-8.4-lts-community 102.0 MiB replacing mysql-community-server x86_64 8.4.7-10.fc42 mysql-8.4-lts-community 102.0 MiB Transaction Summary: Upgrading: 6 packages Replacing: 6 packages Total size of inbound packages is 29 MiB. Need to download 0 B. After this operation, 27 KiB extra will be used (install 200 MiB, remove 200 MiB). Is this ok [y/N]: y Running transaction Transaction failed: Signature verification failed. OpenPGP check for package "mysql-community-client-8.4.8-10.fc43.x86_64" (/var/cache/libdnf5/mysql-8.4-lts-community-05cb0c16d737f314/packages/mysql-community-client-8.4.8-10.fc43.x86_64.rpm) from repo "mysql-8.4-lts-community" has failed: Problem occurred when opening the package.
[27 Jan 13:53]
Balasubramanian Kandasamy
Thanks for the bug report. GPG Key RPM-GPG-KEY-mysql-2023 is no longer active. Please use RPM-GPG-KEY-mysql-2025 in the repo file. [mysql-8.4-lts-community] name=MySQL 8.4 LTS Community Server baseurl=https://repo.mysql.com/yum/mysql-8.4-community/fc/$releasever/$basearch/ enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2025
[27 Jan 14:00]
KC Tessarek
Thanks, but the 2025 key is not on https://repo.mysql.com/ So where do I get the key?
[27 Jan 14:01]
Balasubramanian Kandasamy
You can also add the MySQL GPG key to your system using below command: sudo rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2025
[27 Jan 14:03]
KC Tessarek
That's weird. It's not listed when you browse to https://repo.mysql.com/ But thanks a bunch for the answer. must be an alias on the web server or something, because the key is returned... Hmmm.
[27 Jan 14:25]
Daniël van Eeden
I've also noticed outdated/incorrect directory listings. Example: On https://repo.mysql.com/yum/mysql-tools-community/fc/ https://repo.mysql.com/yum/mysql-tools-community/fc/42/ ← listed https://repo.mysql.com/yum/mysql-tools-community/fc/43/ ← not listed
[28 Jan 4:36]
KC Tessarek
Can incorrect directory listing be discussed in this bug, or shall we open a new issue? I believe that this should be fixed. I often go through repo listings for debugging purposes but also to find the proper URL for .repo files. I doubt I am the only person who does that.
[29 Jan 11:56]
Balasubramanian Kandasamy
Fedora is no longer supported on 8.0.x release, so the tools directories for Fedora 42 and 43 are empty. You can install the Shell/Router 8.4.x and 9.x RPMs from the following locations: https://repo.mysql.com/yum/mysql-tools-8.4-community/fc/ (OR) https://repo.mysql.com/yum/mysql-tools-innovation-community/fc/ We are currently addressing the directory listing issues.
[29 Jan 15:56]
William David Edwards
How can I trust that key when it's listed/documented nowhere?
[29 Jan 23:55]
Balasubramanian Kandasamy
It was a transient issue with the cache. The files are now visible. Please refer to the following page for the GPG documentation. https://dev.mysql.com/doc/refman/9.6/en/checking-gpg-signature.html
