[ZBX-24761] Jul 2022 key for repo.zabbix.com expires on 2024-07-04 Created: 2024 Jul 02  Updated: 2025 Mar 26  Resolved: 2024 Aug 05

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Packages (C)
Affects Version/s: None
Fix Version/s: None

Type: Problem report Priority: Trivial
Reporter: Jurijs Klopovskis Assignee: Arturs Dancis
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: HTML File RPM-GPG-KEY-ZABBIX-08EFA7DD    
Team: Team D
Sprint: Prev.Sprint, S24-W26/27
Story Points: 1

 Description   

A key used to sign some packages on repo.zabbix.com expires very soon.

pub   rsa4096 2022-07-05 [SC] [expires: 2024-07-04]
      D9AA84C2B617479C6E4FCF4D19F2475308EFA7DD
uid           [ unknown] Zabbix LLC (Jul 2022) <[email protected]>
sub   rsa4096 2022-07-05 [E] [expires: 2024-07-04]

Repositories affected:

  • Zabbix 6.0 & 6.4 EL9
  • non-supported el9 & el8 on aarch64


 Comments   
Comment by Jurijs Klopovskis [ 2024 Jul 02 ]

The plan is to re-sign the affected packages and release an update for the zabbix-release package.

The Apr 2024 key shall be used.

pub   rsa4096 2024-04-30 [SC] [expires: 2034-04-28]
      4C3D6F2CC75F5146754FC374D913219AB5333005
uid           [ unknown] Zabbix LLC (Apr 2024) <[email protected]>
sub   rsa4096 2024-04-30 [E] [expires: 2034-04-28]

As for the non-supported repo, I plan to create a new repository called third-party, signed by the Apr 2024 key, to be used for Zabbix 7.0+ instead of non-supported, while keeping the old non-supported repo intact for serving older Zabbix versions.

Comment by Brian van Baekel [ 2024 Jul 02 ]

Question: The 'non-supported' repo keeps working with a new key, right?

Comment by Jurijs Klopovskis [ 2024 Jul 02 ]

Question: The 'non-supported' repo keeps working with a new key, right?

Yes. The affected packages in non-supported repo will be re-signed with the new key.

Comment by Jurijs Klopovskis [ 2024 Jul 02 ]

Update: A simpler solution was found.

The expiry date for the existing key has been extended until 2023

pub   rsa4096 2022-07-05 [SC] [expires: 2034-06-30]
      D9AA84C2B617479C6E4FCF4D19F2475308EFA7DD
uid           [ unknown] Zabbix LLC (Jul 2022) <[email protected]>
sub   rsa4096 2022-07-05 [E] [expires: 2034-06-30]
981b5f8caaba402cd958b5817be376b5b2cc19c1  /etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-08EFA7DD

RPM-GPG-KEY-ZABBIX-08EFA7DD

New zabbix-release packages, containing the updated key, have been published for 5.0, 6.0, 6.4 and 7.0 (EL 8 & 9)

zabbix-release-5.0-4.el8.noarch.rpm
zabbix-release-5.0-4.el9.noarch.rpm
zabbix-release-6.0-5.el8.noarch.rpm
zabbix-release-6.0-5.el9.noarch.rpm
zabbix-release-6.4-2.el8.noarch.rpm
zabbix-release-6.4-2.el9.noarch.rpm
rhel zabbix-release-7.0-3.el8.noarch.rpm
rhel zabbix-release-7.0-3.el9.noarch.rpm
alma zabbix-release-7.0-3.el8.noarch.rpm
alma zabbix-release-7.0-3.el9.noarch.rpm
rocky zabbix-release-7.0-3.el8.noarch.rpm
rocky zabbix-release-7.0-3.el9.noarch.rpm
centos zabbix-release-7.0-3.el8.noarch.rpm
centos zabbix-release-7.0-3.el9.noarch.rpm
oracle zabbix-release-7.0-3.el8.noarch.rpm
oracle zabbix-release-7.0-3.el9.noarch.rpm

Comment by Jurijs Klopovskis [ 2024 Jul 15 ]

One will get errors like this.

error: Verifying a signature using certificate D9AA84C2B617479C6E4FCF4D19F2475308EFA7DD (Zabbix LLC (Jul 2022) <[email protected]>):
  1. Certificiate 19F2475308EFA7DD invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2024-07-04T11:41:23Z
  2. Key 19F2475308EFA7DD invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2024-07-04T11:41:23Z

To resolve the issue, manually reinstall the correct zabbix-release package.

rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rhel/9/x86_64/zabbix-release-7.0-3.el9.noarch.rpm

The actual package must be for your variant of rhel. See previous comment.

Then run dnf update
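
An added example, not part of the ticket and not Zabbix's own tooling: a shell function that reads `gpg --with-colons` output and flags primary keys that are expired or close to expiry, which is the condition this issue describes. The sample records are constructed: the fingerprint and the expiry dates (2024-07-04T11:41:23Z, 2034-06-30) come from the ticket, while creation times, the time of day of the extended expiry and the subkey fingerprint are placeholders.

```shell
#!/bin/sh
# Added example (not Zabbix tooling): classify primary keys by expiry.
# Usage on a real host (key file path is the one named in the ticket):
#   gpg --show-keys --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-08EFA7DD |
#       key_expiry_report "$(date +%s)" 30
key_expiry_report() {   # $1 = current time (epoch seconds), $2 = warning window (days)
    awk -F: -v now="$1" -v warn="$2" '
        # "pub" record: field 7 is the expiry (epoch seconds; empty means none)
        $1 == "pub" { expiry = $7; want_fpr = 1; next }
        # The first "fpr" record after "pub" holds the primary fingerprint in
        # field 10; later "fpr" records belong to subkeys and are skipped.
        $1 == "fpr" && want_fpr {
            want_fpr = 0
            if (expiry == "")                       status = "NOEXPIRY"
            else if (expiry + 0 <= now + 0)         status = "EXPIRED"
            else if (expiry - now <= warn * 86400)  status = "EXPIRING"
            else                                    status = "OK"
            print status, $10, (expiry == "" ? "-" : expiry)
        }'
}

# Constructed sample: the Jul 2022 key as originally published (expired 2024-07-04).
sample_before() {
    cat <<'EOF'
pub:e:4096:1:19F2475308EFA7DD:1656979200:1720093283::-:::sc::::::23::0:
fpr:::::::::D9AA84C2B617479C6E4FCF4D19F2475308EFA7DD:
sub:e:4096:1:0000000000000000:1656979200:1720093283:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
EOF
}

# Constructed sample: the same key after its expiry was extended to 2034-06-30.
sample_after() {
    cat <<'EOF'
pub:-:4096:1:19F2475308EFA7DD:1656979200:2035238400::-:::sc::::::23::0:
fpr:::::::::D9AA84C2B617479C6E4FCF4D19F2475308EFA7DD:
EOF
}

NOW=1721001600   # 2024-07-15 00:00:00 UTC, the date of the comment above
sample_before | key_expiry_report "$NOW" 30   # EXPIRED D9AA...A7DD 1720093283
sample_after  | key_expiry_report "$NOW" 30   # OK D9AA...A7DD 2035238400
```

Run against the key files shipped by zabbix-release on a schedule, the EXPIRING status gives a warning window before signature verification starts failing.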

Comment by Arturs Dancis [ 2024 Jul 31 ]

Documentation updated:

Generated at Sat Mar 29 04:34:36 EET 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.