RPM signed with new GPG keys???

    • Type: Incident report
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version/s: 6.0.43rc1
    • Component/s: Packages (C)

      Steps to reproduce:

      1. Have a system set up with RedHat 8 + Zabbix 6.0 deployment.
        • We are deploying Zabbix Agent 2 in this specific case, but did see errors on the Sender and other plugin packages as well.
      2. Attempt to update to the new 6.0.43-release1.el8 packages.
      3. GPG key errors will occur because these new packages have a different signing key.
      4. The zabbix-release package hasn't updated since July 2024.
        • We even tried looking at the GPG keys in the top level URL: https://repo.zabbix.com/
        • The newest GPG key here is from June 2024, and doesn't match the one on these new packages.

      Result:
      ```
      rpm -qpi zabbix-agent2-6.0.42-release1.el8.x86_64.rpm
      warning: zabbix-agent2-6.0.42-release1.el8.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID a14fe591: NOKEY
      Name        : zabbix-agent2
      Version     : 6.0.42
      Release     : release1.el8
      Architecture: x86_64
      Install Date: (not installed)
      Group       : Applications/Internet
      Size        : 20029454
      License     : GPLv2+
      Signature   : RSA/SHA512, Tue 30 Sep 2025 03:05:16 AM EDT, Key ID 082ab56ba14fe591
      Source RPM  : zabbix-6.0.42-release1.el8.src.rpm
      Build Date  : Tue 30 Sep 2025 03:03:56 AM EDT
      Build Host  : builds-x86
      URL         : http://www.zabbix.com/
      Summary     : Zabbix agent 2
      Description :
      New implementation of zabbix agent.
      To be installed on monitored systems.

      rpm -qpi zabbix-agent2-6.0.43-release1.el8.x86_64.rpm
      warning: zabbix-agent2-6.0.43-release1.el8.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID b5333005: NOKEY
      Name        : zabbix-agent2
      Version     : 6.0.43
      Release     : release1.el8
      Architecture: x86_64
      Install Date: (not installed)
      Group       : Applications/Internet
      Size        : 20039089
      License     : GPLv2+
      Signature   : RSA/SHA512, Tue 16 Dec 2025 12:42:23 PM EST, Key ID d913219ab5333005
      Source RPM  : zabbix-6.0.43-release1.el8.src.rpm
      Build Date  : Tue 16 Dec 2025 12:39:54 PM EST
      Build Host  : builds-x86
      URL         : http://www.zabbix.com/
      Summary     : Zabbix agent 2
      Description :
      New implementation of zabbix agent.
      To be installed on monitored systems.
      ```
      Expected:
      If there's a new GPG key, we would expect to see it in the top level URL, and zabbix-release package, BEFORE it actually gets used to sign something. By waiting to publish the GPG key, you have broken any downstream deployments that JGTL every time. If this was a mistake, and it should be signed with the older key, then something is wrong in the build pipeline for multiple packages here.

            Assignee:
            Jurijs Klopovskis
            Reporter:
            Kelly Shutt
            Votes:
            4
            Watchers:
            6
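
A pre-flight check for the key mismatch reported above, as an added example that is not part of the original report or of Zabbix's tooling: it parses `rpm -qpi` output and lists packages whose signing key is not in a trusted set. The function names `untrusted_packages` and `preflight` and the trusted-key list are assumptions for illustration; the sample input is abridged from the output in the report.

```shell
#!/bin/sh
# Added example (not from the issue): flag packages whose signing key is not
# in the locally trusted set, before an update is attempted.

# Assumption for illustration: the host trusts only the key with short ID a14fe591.
# On a real host the list can come from: rpm -q gpg-pubkey --qf '%{VERSION}\n'
TRUSTED_SHORT_IDS="a14fe591"

# Abridged `rpm -qpi` output copied from the report above.
SAMPLE='Name        : zabbix-agent2
Version     : 6.0.42
Signature   : RSA/SHA512, Tue 30 Sep 2025 03:05:16 AM EDT, Key ID 082ab56ba14fe591
Name        : zabbix-agent2
Version     : 6.0.43
Signature   : RSA/SHA512, Tue 16 Dec 2025 12:42:23 PM EST, Key ID d913219ab5333005'

# Reads `rpm -qpi` output on stdin; prints "name-version key-id" for every package
# whose key is not in the trusted list ($1). Unsigned packages print "unsigned".
untrusted_packages() {
    awk -v trusted="$1" '
        BEGIN { n = split(trusted, t, /[ \t\n]+/); for (i = 1; i <= n; i++) ok[tolower(t[i])] = 1 }
        /^ *Name +:/      { name = $NF }
        /^ *Version +:/   { ver = $NF }
        /^ *Signature +:/ {
            id = "unsigned"
            if (match($0, /Key ID [0-9A-Fa-f]+/)) id = tolower(substr($0, RSTART + 7, RLENGTH - 7))
            short = substr(id, length(id) - 7)   # last 8 hex digits = short key ID
            if (!(short in ok)) print name "-" ver, id
        }'
}

# Returns 0 only when every package on stdin is signed by a trusted key.
preflight() {
    bad=$(untrusted_packages "$1")
    [ -z "$bad" ] && return 0
    printf 'untrusted signing key:\n%s\n' "$bad" >&2
    return 1
}

printf '%s\n' "$SAMPLE" | untrusted_packages "$TRUSTED_SHORT_IDS"
# -> zabbix-agent2-6.0.43 d913219ab5333005
```

Short key IDs are matched because that is what `rpm -q gpg-pubkey` exposes as the version; they are not collision-resistant, so treat this as an early warning and leave the actual verification to rpm's signature check.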