RPM-GPG-KEY-ZABBIX
|
Duplicate |
Team I
[ZBX-17371] The GPG keys listed for the "Zabbix Official Repository - x86_64" repository are already installed but they are not correct for this package. Created: 2020 Feb 26 Updated: 2024 Apr 10 Resolved: 2020 Mar 03 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Packages (C) |
| Affects Version/s: | 3.0.30 |
| Fix Version/s: | 5.0 (plan) |
| Type: | Problem report | Priority: | Trivial |
| Reporter: | Hunter Buchanan | Assignee: | Jurijs Klopovskis |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | CentOS, repo, repository, rhel, yum | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
CentOS 7.6, Zabbix Agent 3.0.29, Yum repo located at repo.zabbix.com |
||
| Attachments: |
RPM-GPG-KEY-ZABBIX
|
||||
| Issue Links: |
|
||||
| Team: | Team I |
||||
| Sprint: | Sprint 61 (Feb 2020), Sprint 62 (Mar 2020) | ||||
| Story Points: | 0.25 | ||||
| Description |
|
Steps to reproduce:
Result:
warning: /var/cache/yum/x86_64/7/zabbix/packages/zabbix-agent-3.0.30-1.el7.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID a14fe591: NOKEY Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX The GPG keys listed for the "Zabbix Official Repository - x86_64" repository are already installed but they are not correct for this package. Check that the correct key URLs are configured for this repository. Failing package is: zabbix-agent-3.0.30-1.el7.x86_64 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX
Additional Notes This started happening on all 6 of our production CentOS 7 machines about 28-29 hours ago (2020-02-24 10:00 PST). Removing repo entry, cleaning Yum cache, reinstalling repo package, and attempting to update zabbix-agent again results in the same error message. It's possible that the issue was present before zabbix-agent 3.0.30 was added to the Yum repo, but since we use Chef to manage these servers and they don't attempt to update yum packages until a new version is available, we didn't notice. Version 3.0.29 was installed without issue on these machines, meaning the issue wasn't present on December 20, 2019. I'm happy to provide any further info or test possible fixes. |
| Comments |
| Comment by Alexey Pustovalov [ 2020 Feb 26 ] |
|
I just tried the following commands: yum erase 'zabbix*' yum install http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm yum makecache yum install zabbix-agent and output of the latest command is:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.koyanet.lv
* epel: fedora-epel.koyanet.lv
* extras: centos.koyanet.lv
* updates: centos.koyanet.lv
Resolving Dependencies
--> Running transaction check
---> Package zabbix-agent.x86_64 0:3.0.30-1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================================================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================================================================================================================================================================
Installing:
zabbix-agent x86_64 3.0.30-1.el7 zabbix 348 k
Transaction Summary
======================================================================================================================================================================================================================================================================================
Install 1 Package
Total download size: 348 k
Installed size: 1.3 M
Is this ok [y/d/N]: y
Downloading packages:
zabbix-agent-3.0.30-1.el7.x86_64.rpm | 348 kB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : zabbix-agent-3.0.30-1.el7.x86_64 1/1
Verifying : zabbix-agent-3.0.30-1.el7.x86_64 1/1
Installed:
zabbix-agent.x86_64 0:3.0.30-1.el7
Complete!
Could you provide exact command and steps you are trying? |
| Comment by Alexey Pustovalov [ 2020 Feb 26 ] |
|
update also does not produce any errors: # yum update zabbix-agent Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: centos.koyanet.lv * epel: fedora-epel.koyanet.lv * extras: centos.koyanet.lv * updates: centos.koyanet.lv Resolving Dependencies --> Running transaction check ---> Package zabbix-agent.x86_64 0:3.0.29-1.el7 will be updated ---> Package zabbix-agent.x86_64 0:3.0.30-1.el7 will be an update --> Finished Dependency Resolution Dependencies Resolved ====================================================================================================================================================================================================================================================================================== Package Arch Version Repository Size ====================================================================================================================================================================================================================================================================================== Updating: zabbix-agent x86_64 3.0.30-1.el7 zabbix 348 k Transaction Summary ====================================================================================================================================================================================================================================================================================== Upgrade 1 Package Total download size: 348 k Is this ok [y/d/N]: y Downloading packages: Delta RPMs disabled because /usr/bin/applydeltarpm not installed. zabbix-agent-3.0.30-1.el7.x86_64.rpm | 348 kB 00:00:01 Running transaction check Running transaction test Transaction test succeeded Running transaction Updating : zabbix-agent-3.0.30-1.el7.x86_64 1/2 Cleanup : zabbix-agent-3.0.29-1.el7.x86_64 2/2 Verifying : zabbix-agent-3.0.30-1.el7.x86_64 1/2 Verifying : zabbix-agent-3.0.29-1.el7.x86_64 2/2 Updated: zabbix-agent.x86_64 0:3.0.30-1.el7 Complete! |
| Comment by Hunter Buchanan [ 2020 Feb 26 ] |
|
I ran the exact same 4 commands as you... yum erase 'zabbix*' yum install http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm yum makecache yum install zabbix-agent And got nearly the exact same error message as I did before after running the last command: warning: /var/cache/yum/x86_64/7/zabbix/packages/zabbix-agent-3.0.30-1.el7.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID a14fe591: NOKEY Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX The GPG keys listed for the "Zabbix Official Repository - x86_64" repository are already installed but they are not correct for this package. Check that the correct key URLs are configured for this repository. Failing package is: zabbix-agent-3.0.30-1.el7.x86_64 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX
|
| Comment by Alexey Pustovalov [ 2020 Feb 26 ] |
|
Try to use "yum clean all". Also please check manually added repositories in /etc/yum.conf and /etc/yum.repo.d/* |
| Comment by Hunter Buchanan [ 2020 Feb 26 ] |
|
Tried that already as well. There's no repo-specific info in /etc/yum.conf, and even when I remove all files in /etc/yum.repo.d with any mention of zabbix, then run "yum clean all," then add the repo again using zabbix-release, the error persists. |
| Comment by Alexey Pustovalov [ 2020 Feb 26 ] |
|
Please attach /etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX file to compare with vanilla. |
| Comment by Hunter Buchanan [ 2020 Feb 26 ] |
| Comment by Brett Clifford [ 2020 Feb 26 ] |
|
We are seeing the same issue It appears as though the latest rpm's http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/ have been signed with a different signature rhel 6 seems to be fine and signed with http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX
Here are the difference between previous version of rhel7 agent and current rpm -qpi zabbix-agent-3.0.29-1.el7.x86_64.rpm rpm -qpi zabbix-agent-3.0.30-1.el7.x86_64.rpm
3.0.30-1 is signed with a different RSA/SHA512 key which is not http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX |
| Comment by Patrick12 [ 2020 Feb 26 ] |
|
rpm --import https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591 resolve issue for me. |
| Comment by Brett Clifford [ 2020 Feb 26 ] |
|
The problem is not so much that you can import the key https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591 and this will fix the error it is that that signing of the package was changed from what it has been for a long time. Happy to go update our yum config to refer to the new key if this is now what it being used to sign RHEL7 rpm's I am all for the stronger algorithm
RHEL6 package still seemed to be signed with the DSA/SHA1 key
Also note there is only 1 key in https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX not 2. this is DSA/SHA1 key.
Not sure if i missed some notification regarding the change and if i did i apologise.
If we could get confirmation from zabbix team that going forward rhel7 packages and rhel8 it appears will be signed with the https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591 rather than the https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX DSA/SHA1 key i will fix on our side and add the new key to our infrastructure
Thanks in advance for information on key being used going forward |
| Comment by Hide Ishikawa [ 2020 Feb 26 ] |
|
I totally agree with Brett. I'm also experiencing the same issue in my infrastructure as well. In my environment, current key https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX is being install via http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm as documented here. If zabbix team has decided to get rid of this old key and move to new https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591, that is absolutely fine. BUT, then http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm should also be updated. Otherwise, we cannot assure whether the rpm is being released from proper organization without any man-in-the-middle modification to it. I appreciate if you could update http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm as well if new key is going to be used. |
| Comment by Brett Clifford [ 2020 Feb 26 ] |
|
ok sorted out. able to add both keys to our local copy of RPM-GPG-KEY-ZABBIX file which does seem to be supported having 2 keys in one file. can confirm imports both.
This way we do not need to update our yum.repos.d .repo file for zabbix's gpg reference to have a different file depending on rhel6 or rhel7 signing. We have a local copy of both the zabbix3 repo and the key we reference rather than sending every host directly to zabbix's own repo directly.
quick ansible run over all our hosts to import both keys and all good.
Would be good to have had both keys in https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX at the source but minor issue and all ok now.
|
| Comment by Patrick12 [ 2020 Feb 26 ] |
|
We can have a response from zabbix team? |
| Comment by Hunter Buchanan [ 2020 Feb 26 ] |
|
Thanks for the great info, Brett! Patrick's solution of importing the additional key fixes this issue for now, and if the repo maintainers can add the additional key to RPM-GPG-KEY-ZABBIX, then we won't have to worry about this in the future when we're spinning up a new CentOS 7 machine, wondering why zabbix-agent won't install. (Out of curiosity, does this issue apply to the CentOS/RHEL 8 version of the agent as well?) |
| Comment by Jurijs Klopovskis [ 2020 Feb 27 ] |
|
Released 3.0.30-2 for RHEL/CentOS. |
| Comment by Jurijs Klopovskis [ 2020 Feb 27 ] |
buchanan, No it should not. RHEL/CentOS 8 has always been signed by the new key. The issue was with 7 and older, where the old key is used for 3.0. |
| Comment by Brett Clifford [ 2020 Feb 27 ] |
|
Thanks Jurijs, Can confirm on our side the RHEL7 3.0.30-2 is signed with older DSA/SHA1 key.
|
