yum install and update fail - GPG keys listed for the "CentOS-7 - Updates" repository are already installed but they are not correct


Solution 1

Some people ending up here might be able to solve their problem with this:

sudo yum install https://$(rpm -E '%{?centos:centos}%{!?centos:rhel}%{rhel}').iuscommunity.org/ius-release.rpm

and/or

sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm

Then run yum update and you're ready to go.

Solution 2

I've seen the problem (LOL - sorry, not MITM or corrupt mirrors). I tracked it down to the version of gpg installed and linked on the system. Usually you'll want gpg2. But, gpg can end up being your default if (for instance) you're missing the gpg2 binary, missing or wrongly ordered PATH entries, missing a link to the binary, and so on.

Solution 3

Maybe there is really an issue with the mirror or some kind of MITM.

First (with the cache intact, i.e. before removing /var/cache/yum), get the Key ID (the last 8 chars of the output are the Key ID; the 9th is the newline):

rpm -qpi /var/cache/yum/x86_64/7/updates/packages/scap-security-guide-0.1.36-9.el7.centos.noarch.rpm | tail -c9

In my case this is f4a80eb5 (and I think it should be the same in your case).

Next we list all GPG pubkeys known to rpm and search for the one used by our package:

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep f4a80eb5

which should give us one result

gpg-pubkey-f4a80eb5-53a7ff4b    gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>)

If you don't get any output from the rpm -q gpg-pubkey command, this could be one of two things:

  1. rpm cannot see the pubkey and you may need to import it with

    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
    
  2. The package from the mirror is NOT signed with the correct key, which could be a MITM attack or a mirror takeover.

If you get exactly one result, I don't really know what the problem could be right now. I would go for an strace to dig deeper and actually figure out what the problem is.
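Solution 3's check, written out as a small Python triage script. This is an added example, not code from the thread or from the CentOS project: it reads the signing key ID out of the yum warning quoted in the question, computes the key ID of each file named in gpgkey= itself (low 64 bits of the SHA-1 fingerprint over the v4 public key packet, the same arithmetic GnuPG uses) so the comparison does not depend on which gpg binary happens to be on the PATH, and checks whether that key is already in the rpm database as a gpg-pubkey package. To run offline it builds its own fake armored key as a stand-in for /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 and embeds constructed copies of the yum and rpm lines shown on this page; the fake key, its modulus and creation time, the sample outputs and the verdict names are all assumptions of this example.

```python
"""Triage for yum's "GPG keys ... are already installed but they are not correct":
is the package signed by a key the repo lists in gpgkey=, and has rpm imported it?
Added example, not code from the thread; the key and outputs below are CONSTRUCTED."""
import base64
import hashlib
import re
import struct

def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Packets inside an armored block: drop BEGIN/END, armor headers, '=' CRC line."""
    lines = text.strip().splitlines()[1:-1]
    if "" in lines:
        lines = lines[lines.index("") + 1:]
    return base64.b64decode("".join(l for l in lines if not l.startswith("=")))

def first_packet(data: bytes):
    """(tag, body) of the first OpenPGP packet; old- and new-format headers."""
    ctb = data[0]
    if ctb & 0x40:                                    # new format (RFC 4880 4.2.2)
        tag, o1 = ctb & 0x3F, data[1]
        if o1 < 192:
            length, off = o1, 2
        elif o1 < 224:
            length, off = ((o1 - 192) << 8) + data[2] + 192, 3
        elif o1 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                             # old format (RFC 4880 4.2.1)
        tag, size = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 3]
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]

def key_id_of_armored_key(text: str) -> str:
    """Long key ID: low 64 bits of SHA-1(0x99 || 2-byte len || v4 public key body)."""
    tag, body = first_packet(dearmor(text))
    if tag != 6 or body[0] != 4:
        raise ValueError("not a v4 public key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()[-16:]

def short_id(long_id: str) -> str:
    """rpm names an imported key gpg-pubkey-<low 32 bits of key ID>-<creation time>."""
    return long_id[-8:].lower()

def signing_key_from_yum(output: str) -> str:
    """Key ID in the 'Header V3 RSA/SHA256 Signature, key ID xxx: NOKEY' warning."""
    m = re.search(r"Signature, key ID ([0-9a-fA-F]{8,16}): (?:NOKEY|BAD)", output)
    if not m:
        raise ValueError("no signature warning found in yum output")
    return m.group(1).lower()[-8:]

def imported_keys_from_rpm(output: str) -> set:
    """Short IDs from `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\\n'`."""
    return set(re.findall(r"^gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8}", output, re.M))

def diagnose(yum_output: str, gpgkey_blocks: list, rpm_output: str) -> str:
    """NOT_CONFIGURED: signer is none of the configured gpgkeys (wrong repo config,
    bad mirror or MITM; do not 'fix' it with gpgcheck=0).  NOT_IMPORTED: configured
    but missing from the rpm db (rpm --import <file>).  CONSISTENT: dig deeper."""
    signer = signing_key_from_yum(yum_output)
    if signer not in {short_id(key_id_of_armored_key(b)) for b in gpgkey_blocks}:
        return "NOT_CONFIGURED"
    if signer not in imported_keys_from_rpm(rpm_output):
        return "NOT_IMPORTED"
    return "CONSISTENT"

def make_fake_v4_rsa_key(created: int, n: int, e: int = 65537) -> str:
    """CONSTRUCTED armored v4 RSA public key; the modulus is made up, not a real key."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    packet = b"\x99" + struct.pack(">H", len(body)) + body    # old-format tag 6 header
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

# Constructed stand-in for /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 (not the real key)
FAKE_GPGKEY = make_fake_v4_rsa_key(1529884800, 0xC0FFEEDEADBEEFCAFEBABEF00DFACE01)
# Constructed from the yum warning quoted in the question (signer key ID f533f4fa)
YUM_OUTPUT = ("warning: /var/cache/yum/x86_64/7/updates/packages/scap-security-guide-0.1.36-9.el7.centos.noarch.rpm: "
              "Header V3 RSA/SHA256 Signature, key ID f533f4fa: NOKEY\n")
# Constructed from the rpm -q gpg-pubkey line quoted in Solution 3
RPM_OUTPUT = "gpg-pubkey-f4a80eb5-53a7ff4b\tgpg(CentOS-7 Key (CentOS 7 Official Signing Key))\n"

if __name__ == "__main__":
    print("verdict for the question's output:", diagnose(YUM_OUTPUT, [FAKE_GPGKEY], RPM_OUTPUT))
```

On a real system, replace FAKE_GPGKEY with the contents of the files named by the repo's gpgkey= lines and RPM_OUTPUT with the output of the rpm -q gpg-pubkey query from Solution 3. Note that the yum warning itself already carries the signing key ID, so it can be read from there directly. For the output in the question the verdict is NOT_CONFIGURED: the package is signed with key ID f533f4fa while the repo is configured with f4a80eb5, so the next step is Solution 3's second branch (verify the mirror and the repo configuration), not gpgcheck=0.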


Author: iletras

Updated on September 18, 2022

Comments

  • iletras (almost 2 years ago)

    I'm stumped by this update killing error.

    This error squashes all updates until I disable gpgcheck on the updates repo, i.e. /etc/yum.repos.d/CentOS-Base.repo|[updates].gpgcheck=0

    It's happening on Every machine I have - I thought at first that it was a 'pet/snowflake' type issue but no, it's affecting the whole herd.

    warning: /var/cache/yum/x86_64/7/updates/packages/scap-security-guide-0.1.36-9.el7.centos.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f533f4fa: NOKEY
    Public key for scap-security-guide-0.1.36-9.el7.centos.noarch.rpm is not installed
    scap-security-guide-0.1.36-9.el7.centos.noarch.rpm                               | 4.4 MB  00:00:03
    Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
    
    The GPG keys listed for the "CentOS-7 - Updates" repository are already installed but they are not correct for this package.
    Check that the correct key URLs are configured for this repository.
    
    
     Failing package is: scap-security-guide-0.1.36-9.el7.centos.noarch
     GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
    

    gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 shows the correct fingerprint.

    diff says /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 and http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7 match.

    file says /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 is PGP public key block.

    stat says it's a regular file.

    ls -lZa /etc/pki/rpm-gpg/ shows all files owned by root:root with security context system_u:object_r:cert_t:s0

    lsattr /etc/pki/rpm-gpg/ shows no attributes set.

    No errors have been reported for the disk.

    There's no memory nor record of any other update failing since the OS was installed in 2016.

    The package's URL is http://mirror.centos.org/centos/7.5.1804/updates/x86_64/Packages/scap-security-guide-doc-0.1.36-9.el7.centos.noarch.rpm

    yum provides scap-security-guide says: scap-security-guide-0.1.36-9.el7.centos.noarch is in Repo : updates

    /etc/yum.repos.d/CentOS-Base.repo (excerpt)
    [base]
    name=CentOS-$releasever - Base
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
    #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
    #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

    /etc/yum.conf
    [main]
    cachedir=/var/cache/yum/$basearch/$releasever
    keepcache=0
    debuglevel=2
    logfile=/var/log/yum.log
    exactarch=1
    obsoletes=1
    gpgcheck=1
    plugins=1
    bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
    distroverpkg=centos-release

    # Added after installing deltarpm
    deltarpm=-1

    After rebooting, I ran yum clean all which cleaned all active repos: base epel extras mariadb psychotic updates
    followed by rm -rf /var/cache/yum
    before re-running yum update
    It threw the error again and continues to do so

    Centos 7.4
    Centos 7.5

  • Tim (over 4 years ago)
    Thanks, this worked for me when using IUS community packages!
  • carlwgeorge (almost 4 years ago)
    Adding the IUS or EPEL repository won't have any effect on the errors for the "CentOS-7 - Updates" repository. They are totally separate things.