Bug #85029 | APT GPG Key Expired | ||
---|---|---|---|
Submitted: | 16 Feb 2017 19:12 | Modified: | 20 Feb 2017 13:06 |
Reporter: | Daniel Bakken | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Packaging | Severity: | S2 (Serious) |
Version: | 5.7, 5.6 | OS: | Debian (Jessie) |
Assigned to: | | CPU Architecture: | Any |
[16 Feb 2017 19:12]
Daniel Bakken
[17 Feb 2017 5:41]
MySQL Verification Team
Hello Daniel Bakken, Thank you for the report and feedback! Thanks, Umesh
[17 Feb 2017 7:47]
Lars Tangvald
Posted by developer: Hi, Sorry for the trouble. We're getting apt-config updated with the new key. Workaround: (run as root)

```
apt-key del A4A9406876FCBD3C456770C88C718D3B5072E1F5 # Delete the old key
export GNUPGHOME=$(mktemp -d) # This just sets it up so the key isn't added to your actual user
gpg --keyserver ha.pool.sks-keyservers.net --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5 # Download the new one
gpg --export A4A9406876FCBD3C456770C88C718D3B5072E1F5 > /etc/apt/trusted.gpg.d/mysql.gpg # Add it to the list of apt keys
apt-key list # This should now show the updated key
```
[17 Feb 2017 8:23]
Geert Vanderkelen
Easier one-liner, like in MySQL Docs:

```
$ sudo apt-key adv --keyserver pgp.mit.edu --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5
Executing: /tmp/tmp.yJ1Cs6jTjh/gpg.1.sh --keyserver pgp.mit.edu --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5
gpg: requesting key 5072E1F5 from hkp server pgp.mit.edu
gpg: key 5072E1F5: public key "MySQL Release Engineering <mysql-build@oss.oracle.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
```
[17 Feb 2017 8:59]
Lars Tangvald
Posted by developer: We have a simpler way to update the key in our docs, actually:

```
sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5072E1F5
```
[17 Feb 2017 9:00]
Lars Tangvald
Posted by developer: Whoops, didn't see your comment. Thanks :)
[17 Feb 2017 17:35]
Daniel Bakken
Thanks for the workaround. Now I won't have this problem again until 2019. ;)

```
# apt-key list
pub 1024D/5072E1F5 2003-02-03 [expires: 2019-02-17]
uid MySQL Release Engineering <mysql-build@oss.oracle.com>
```
[20 Feb 2017 13:06]
Lars Tangvald
Posted by developer: We've also updated the mysql-apt-config package to get the key from a public keyserver (which in this case would mean it would simply be a matter of running dpkg-reconfigure to update it).
[22 Feb 2017 18:25]
Jake S
Note: If you are unable to open port 11371 you cannot upgrade mysql-apt-config successfully since it now forces the getting of the new keyfile (even if you've manually replaced it at the command line). Since the "gpg" program allows you to specify a port it would be ideal if this was possible here. Or alternatively, you could just try to get the key over port 80 if the default port fails.
[22 Feb 2017 18:26]
Jake S
With port 11371 blocked you can use:

```
sudo apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 5072E1F5
```
[7 Mar 2017 11:04]
Hendrik Visage
> With port 11371 blocked you can use:

How do I inject that other URL into the dpkconfigure/apt-get update execution?
[22 Jun 2017 17:40]
Tobias Ravenstein
@Hendrik Visage you could temporarily add an iptables DNAT rule:

```
iptables -t nat -A OUTPUT -p tcp --dport 11371 -j DNAT --to-destination 18.9.60.141:80
```

Update/install the package and remove the rule again.

Flush example:

```
iptables -t nat -F
```
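
Added example, not part of the bug thread or of MySQL's packaging: a check that flags the repository key before it expires again, matching on the full fingerprint quoted in the thread rather than the short ID `5072E1F5`. It parses `gpg --with-colons --fixed-list-mode --fingerprint` output; the function names and the sample listing are constructed for illustration, with the 2019-02-17 expiry from the thread written as epoch seconds.

```shell
#!/bin/sh
# Usage: check_repo_key EXPECTED_FPR NOW_EPOCH WARN_DAYS < colon-listing
# Prints one of: "ok N", "expiring N", "expired", "no-expiry", "missing"
# (N = whole days left). Real input could come from, for example:
#   gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/mysql.gpg \
#       --with-colons --fixed-list-mode --fingerprint
check_repo_key() {
    awk -F: -v want="$1" -v now="$2" -v warn="$3" '
        # "pub" record: field 7 is the expiry time (epoch seconds, may be empty)
        $1 == "pub" { expiry = $7; have_pub = 1; next }
        # first "fpr" record after a "pub" is the primary key fingerprint;
        # later "fpr" records belong to subkeys and are skipped
        $1 == "fpr" && have_pub {
            have_pub = 0
            if (toupper($10) != toupper(want)) next
            found = 1
            if (expiry == "") { print "no-expiry"; exit }
            days = int((expiry - now) / 86400)
            if (expiry + 0 <= now + 0) print "expired"
            else if (days < warn)      print "expiring " days
            else                       print "ok " days
            exit
        }
        END { if (!found) print "missing" }
    '
}

# Constructed sample listing (not captured from a real keyring):
# created 2003-02-03, expires 2019-02-17 00:00:00 UTC = 1550361600
sample_listing() {
    printf '%s\n' \
        'pub:-:1024:17:8C718D3B5072E1F5:1044230400:1550361600::-:::scESC:' \
        'fpr:::::::::A4A9406876FCBD3C456770C88C718D3B5072E1F5:'
}

# Demo: evaluated as of 2017-02-17 (1487289600) with a 30-day warning window
sample_listing | check_repo_key A4A9406876FCBD3C456770C88C718D3B5072E1F5 1487289600 30
```

In a cron job, pass `"$(date +%s)"` as the second argument and alert on anything other than `ok`.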