[ZBX-17998] Too much GPG keys? Created: 2020 Apr 29  Updated: 2024 Apr 10  Resolved: 2020 Aug 31

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Packages (C)
Affects Version/s: None
Fix Version/s: 5.2.0alpha2, 5.2 (plan)

Type: Problem report Priority: Trivial
Reporter: Olexandr Assignee: Jurijs Klopovskis
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File Ansible log.txt    
Team: Team I
Sprint: Sprint 66 (Jul 2020), Sprint 67 (Aug 2020)
Story Points: 0.25

 Description   

Hello,

I don't know if this is the right topic to post in; if it's not the correct topic, please move it to the correct one.

I started to learn automation with Ansible a few days ago, and used the "dj-wasabi.zabbix-agent" Ansible role ( https://github.com/dj-wasabi/ansible-zabbix-agent )

After Zabbix Agent was installed on the remote machine, I saw that 2 GPG keys were added. I have an Ubuntu 18.04 LTS server.

-----------------------

# apt-key list

......................................

/etc/apt/trusted.gpg.d/zabbix-official-repo.gpg
-----------------------------------------------
pub dsa1024 2012-10-28 [SC]
FBAB D5FB 2025 5ECA B22E E194 D13D 58E4 79EA 5ED4
uid [ unknown] Zabbix SIA <packager@zabbix.com>
sub elg1024 2012-10-28 [E]

pub rsa2048 2016-07-15 [SC]
A184 8F53 52D0 22B9 471D 83D0 082A B56B A14F E591
uid [ unknown] Zabbix LLC <packager@zabbix.com>
sub rsa2048 2016-07-15 [E]

 

Then I did a clean install (on a freshly installed Ubuntu 18.04); commands used:

# wget https://repo.zabbix.com/zabbix/4.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.4-1+bionic_all.deb
# dpkg -i zabbix-release_4.4-1+bionic_all.deb
# apt update
# apt install zabbix-agent zabbix-get zabbix-sender

 

And once more, both of these 2 GPG keys were present.

I'm not an expert, but I have a question: if a person has, for example, Ubuntu 18, do 2 GPG keys really need to be added/present in the system? Why is a Debian key also being added with Ubuntu OS?

In the attached file (starting from line 69) there is the "sign_keys" output from the Ansible log.



 Comments   
Comment by Olexandr [ 2020 Apr 29 ]

The total list of keys (according to the Ansible log) is below. It seems like "Bionic" (Ubuntu 18.04 LTS) should have only 1 GPG key added:

"serena": {"sign_key": "79EA5ED4"}
"precise": {"sign_key": "79EA5ED4"}
"wheezy": {"sign_key": "79EA5ED4"}
"trusty": {"sign_key": "79EA5ED4"}
"jessie": {"sign_key": "79EA5ED4"}
"squeeze": {"sign_key": "79EA5ED4"}
"lucid": {"sign_key": "79EA5ED4"}
"sonya": {"sign_key": "79EA5ED4"}

"wheezy": {"sign_key": "A14FE591"}
"serena": {"sign_key": "A14FE591"}
"sonya": {"sign_key": "A14FE591"}
"cosmic": {"sign_key": "A14FE591"}
"bionic": {"sign_key": "A14FE591"}
"buster": {"sign_key": "A14FE591"}
"stretch": {"sign_key": "A14FE591"}

"xenial": {"sign_key": "E709712C"}

Comment by Jurijs Klopovskis [ 2020 Apr 29 ]

At some point we introduced a second A14FE591 key.
I need to check why it is adding multiple keys in the repo.

Thanks for the report.

Comment by Jurijs Klopovskis [ 2020 Jul 01 ]

Hi, sahaQaa

Why is a Debian key also being added with Ubuntu OS?

These are not Ubuntu and Debian specific keys. These are old (79EA5ED4) and new (A14FE591) keys.

The new key was added some time during the 3.0 era, and since 3.0 used both keys for different minor releases, both keys were shipped with zabbix-release. The zabbix-official-repo.gpg file was then simply reused for later major versions.

Suggest we remove the old key from the zabbix-official-repo.gpg file starting with version 5.2, palivoda

Comment by dimir [ 2020 Jul 01 ]

Since the "old" key became unsupported on some newer OSs that we needed to support, we introduced the new one. Some of those signed with the "old" key are still available in our repository.

The keys

79EA5ED4  Zabbix SIA <packager@zabbix.com>  Old key
A14FE591  Zabbix LLC <packager@zabbix.com>  New key

Keys used for signing (red = EOL, green = key still in use)

Distribution name and version   Zabbix 2.2  Zabbix 3.0  Zabbix 3.2  >= Zabbix 4.0
Red Hat Enterprise Linux 5      79EA5ED4    79EA5ED4    A14FE591    A14FE591
Red Hat Enterprise Linux 6      79EA5ED4    79EA5ED4    A14FE591    A14FE591
Red Hat Enterprise Linux 7      79EA5ED4    79EA5ED4    A14FE591    A14FE591
Red Hat Enterprise Linux 8      -           A14FE591    -           A14FE591
Debian 6 (Squeeze)              79EA5ED4    -           -           -
Debian 7 (Wheezy)               79EA5ED4    79EA5ED4    A14FE591    -
Debian 8 (Jessie)               -           79EA5ED4    A14FE591    A14FE591
Debian 9 (Stretch)              -           A14FE591    A14FE591    A14FE591
Debian 10 (Buster)              -           A14FE591    -           A14FE591
Ubuntu 12.04 (Precise)          79EA5ED4    -           -           -
Ubuntu 14.04 (Trusty)           79EA5ED4    79EA5ED4    A14FE591    A14FE591
Ubuntu 16.04 (Xenial)           -           A14FE591    A14FE591    A14FE591
Ubuntu 18.04 (Bionic)           -           A14FE591    A14FE591    A14FE591
Ubuntu 20.04 (Focal)            -           -           -           A14FE591

As you can see, we still need to have the old key for Zabbix 3.0 on older platforms. I suggest adding this information to the documentation in order to avoid further cases like that. If we remove the old key, we'd also need to remove all the packages from our repository that are signed with it. I doubt this is a good idea.

Comment by dimir [ 2020 Jul 01 ]

Sorry, missed the suggestion above to remove the old key starting from 5.2. This sounds good.

Comment by Jurijs Klopovskis [ 2020 Jul 17 ]

Fixed in pre 5.2 for deb-based distros.

Cannot remove the old key for rhel because packages from unsupported repo are signed with it.
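
An added example, not part of the issue and not Zabbix code: a Python check that parses a `gpg --with-colons` key listing for a keyring such as zabbix-official-repo.gpg and flags primary keys that are weak or not in the set expected for the host. The sample listing is constructed from the two fingerprints in the report; the weak-key policy (DSA, or RSA under 2048 bits) and all names below are this example's assumptions.

```python
# Added example (not Zabbix or Ansible-role code): audit the keys in an apt keyring.
import subprocess

ALGOS = {"1": "rsa", "16": "elg", "17": "dsa", "19": "ecdsa", "22": "eddsa"}
# Full fingerprint of A14FE591, copied from the apt-key output in the report.
EXPECTED_BIONIC = {"A1848F5352D022B9471D83D0082AB56BA14FE591"}

# Constructed sample in gpg's --with-colons layout (subkey IDs are placeholders).
SAMPLE = """\
pub:-:1024:17:D13D58E479EA5ED4:1351382400:::-:::scSC:
fpr:::::::::FBABD5FB20255ECAB22EE194D13D58E479EA5ED4:
uid:-::::1351382400::::Zabbix SIA <packager@zabbix.com>:
sub:-:1024:16:0000000000000001:1351382400::::::e:
pub:-:2048:1:082AB56BA14FE591:1468540800:::-:::scSC:
fpr:::::::::A1848F5352D022B9471D83D0082AB56BA14FE591:
uid:-::::1468540800::::Zabbix LLC <packager@zabbix.com>:
sub:-:2048:1:0000000000000002:1468540800::::::e:
"""

def show_keys(path):
    """List the keys in a keyring file; needs a GnuPG that provides --show-keys."""
    return subprocess.run(["gpg", "--show-keys", "--with-colons", path],
                          check=True, capture_output=True, text=True).stdout

def parse_colons(text):
    """Return one dict per primary key: algo, bits, fpr, uid."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":                      # field 3 = length, field 4 = algorithm
            cur = {"algo": ALGOS.get(f[3], f[3]), "bits": int(f[2]),
                   "fpr": None, "uid": None}
            keys.append(cur)
        elif f[0] == "fpr" and cur and cur["fpr"] is None:
            cur["fpr"] = f[9]                  # first fpr after pub is the primary's
        elif f[0] == "uid" and cur and cur["uid"] is None:
            cur["uid"] = f[9]
    return keys

def audit(keys, expected_fprs):
    """Flag weak keys (example policy) and keys outside the expected set."""
    findings = []
    for k in keys:
        if k["algo"] == "dsa" or (k["algo"] == "rsa" and k["bits"] < 2048):
            findings.append((k["fpr"], f"weak: {k['algo']}{k['bits']}"))
        if k["fpr"] not in expected_fprs:
            findings.append((k["fpr"], "not in expected set"))
    return findings

if __name__ == "__main__":
    for fpr, reason in audit(parse_colons(SAMPLE), EXPECTED_BIONIC):
        print(fpr, reason)
```

On a real host, pass `show_keys("/etc/apt/trusted.gpg.d/zabbix-official-repo.gpg")` to `parse_colons` instead of `SAMPLE`; comparing full fingerprints avoids relying on the 8-character short IDs.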

Generated at Sun May 17 13:42:30 EEST 2026 using Jira 10.3.18#10030018-sha1:5642e4ad348b6c2a83ebdba689d04763a2393cab.