yum install and update fail - GPG keys listed for the "CentOS-7 - Updates" repository are already installed but they are not correct
Solution 1
Some people ending up here might be able to solve their problem with this:
sudo yum install https://$(rpm -E '%{?centos:centos}%{!?centos:rhel}%{rhel}').iuscommunity.org/ius-release.rpm
and/or
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm
Then yum update and you're ready to go
Solution 2
I've seen the problem (LOL - sorry, not MITM or corrupt mirrors). I tracked it down to the version of gpg installed and linked on the system. Usually you'll want gpg2. But, gpg can end up being your default if (for instance) you're missing the gpg2 binary, missing or wrongly ordered PATH entries, missing a link to the binary, and so on.
Solution 3
Maybe there is really an issue with the mirror or some kind of MITM.
First (with intact cache, so before removing /var/cache/yum) get the Key ID (the last 8 chars of the Key ID, the 9th is the newline)
rpm -qpi /var/cache/yum/x86_64/7/updates/packages/scap-security-guide-0.1.36-9.el7.centos.noarch.rpm | tail -c9
In my case this is f4a80eb5 (and I think it should be the same in your case)
Next we list all gpg pubkeys known to rpm and search for the one used for our package
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep f4a80eb5
which should give us one result
gpg-pubkey-f4a80eb5-53a7ff4b gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>)
If you don't have an output from the rpm -q gpg-pubkey command, this could be one of two things:
rpm can not see the pubkey and you may need to import it with
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
The package from the mirror is NOT signed with correct key, which could be a MITM-Attack or a mirror overtake.
If you get exactly one result I don't really know what could be the problem right now. I would go for an strace to dig deeper into it and to actually figure out what's the problem.
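The comparison Solution 3 walks through, as an added example that is not part of the original answer: it takes the signing key ID from a signature line, checks it against rpm's imported gpg-pubkey entries, and separates the answer's two cases. The function names and verdict strings are made up for this example; the sample input is the warning line from the question and the key listing line from the answer.

```shell
#!/bin/sh
# Added example (not from the original answer). Input is captured text, so the
# comparison runs offline; on a real host pass in the output of the commands
# named in the comments instead of the samples.

# Key ID from a signature line (yum warning or `rpm -qpi <pkg>`), reduced to the
# last 8 hex digits so short and long IDs compare equal.
sig_key_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Kk]ey ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' |
        head -n 1 | tr 'A-F' 'a-f' | tail -c 9
}

# Key IDs rpm has imported, parsed from the output of:
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
installed_key_ids() {
    printf '%s\n' "$1" | sed -n 's/^gpg-pubkey-\([0-9a-f]\{8\}\)-.*/\1/p'
}

# $1 signature line, $2 gpg-pubkey listing, $3 key ID held by the repo's gpgkey= file.
# Prints one verdict; always returns 0 so callers can capture it under `set -e`.
classify() (
    id=$(sig_key_id "$1")
    if [ -z "$id" ]; then echo "no-signature-found"; exit 0; fi
    if installed_key_ids "$2" | grep -qxF "$id"; then
        if [ "$id" = "$3" ]; then echo "ok:$id"
        else echo "signed-by-other-imported-key:$id"; fi
    elif [ "$id" = "$3" ]; then
        echo "expected-key-not-imported:$id"   # first case: rpm --import the gpgkey file
    else
        echo "signed-by-unexpected-key:$id"    # second case: package not signed with the repo key
    fi
)

# Sample input: the warning line from the question, the listing line from the answer.
SAMPLE_WARNING='warning: /var/cache/yum/x86_64/7/updates/packages/scap-security-guide-0.1.36-9.el7.centos.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f533f4fa: NOKEY'
SAMPLE_KEYS=$(printf 'gpg-pubkey-f4a80eb5-53a7ff4b\tgpg(CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>)')

classify "$SAMPLE_WARNING" "$SAMPLE_KEYS" f4a80eb5
```

The third argument is the key ID of the file named in the repo's gpgkey= setting; f4a80eb5 is the value the answer reports for RPM-GPG-KEY-CentOS-7.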
iletras
Updated on September 18, 2022
Comments
-
iletras almost 2 years
I'm stumped by this update killing error.
This error squashes all updates until I disable gpgcheck on the updates repo, i.e. /etc/yum.repos.d/CentOS-Base.repo|[updates].gpgcheck=0
It's happening on Every machine I have - I thought at first that it was a 'pet/snowflake' type issue but no, it's affecting the whole herd.
warning: /var/cache/yum/x86_64/7/updates/packages/scap-security-guide-0.1.36-9.el7.centos.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f533f4fa: NOKEY
Public key for scap-security-guide-0.1.36-9.el7.centos.noarch.rpm is not installed
scap-security-guide-0.1.36-9.el7.centos.noarch.rpm | 4.4 MB 00:00:03
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
The GPG keys listed for the "CentOS-7 - Updates" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.
Failing package is: scap-security-guide-0.1.36-9.el7.centos.noarch
GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 shows the correct fingerprint.
diff says /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 and http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7 match.
file says /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 is PGP public key block.
stat says it's a regular file.
ls -lZa /etc/pki/rpm-gpg/ shows all files owned by root:root with security Context: system_u:object_r:cert_t:s0
lsattr /etc/pki/rpm-gpg/ shows no attributes set.
No errors have been reported for the disk.
There's no memory nor record of any other update failing since the OS was installed in 2016.
The package's URL is http://mirror.centos.org/centos/7.5.1804/updates/x86_64/Packages/scap-security-guide-doc-0.1.36-9.el7.centos.noarch.rpm
yum provides scap-security-guide says: scap-security-guide-0.1.36-9.el7.centos.noarch is in Repo : updates
/etc/yum.repos.d/CentOS-Base.repo (excerpt)
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
/etc/yum.conf
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
# Added after installing deltarpm
deltarpm=-1
After rebooting, I ran yum clean all which cleaned all active repos: base epel extras mariadb psychotic updates
followed by rm -rf /var/cache/yum before re-running yum update
It threw the error again and continues to do so
Centos 7.4
Centos 7.5
-
Tim over 4 years
Thanks, this worked for me when using IUS community packages!
-
carlwgeorge almost 4 years
Adding the IUS repository won't have any effect on the errors for the "CentOS-7 - Updates" repository. They are totally separate things.
-
carlwgeorge almost 4 years
Adding the IUS or EPEL repository won't have any effect on the errors for the "CentOS-7 - Updates" repository. They are totally separate things.