Skip to content

Instantly share code, notes, and snippets.

@e7d
Last active November 12, 2024 20:57
Show Gist options
  • Save e7d/3b786c7410ca14a5ded61eec36de9874 to your computer and use it in GitHub Desktop.
Save e7d/3b786c7410ca14a5ded61eec36de9874 to your computer and use it in GitHub Desktop.
Remove obsolete GPG key from DNF (Fedora)

The problem

Initial situation

Using Fedora 38, say you want to update the package albert from manuelschneid3r, hosted at https://software.opensuse.org/download.html?project=home:manuelschneid3r&package=albert.

And with dnf update, you get the following output:

~ sudo dnf update
Dependencies resolved.
===============================================================================
 Package     Architecture     Version           Repository                Size
===============================================================================
Upgrading:
 albert      x86_64           0.20.14-532.1     home_manuelschneid3r     2.3 M

Transaction Summary
===============================================================================
Upgrade  1 Package

Total size: 2.3 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] albert-0.20.14-532.1.x86_64.rpm: Already downloaded
error: Verifying a signature using certificate A4B83CD05FDF5C5178482D4A1488EB46E192A257 (home:manuelschneid3r OBS Project <home:manuelschneid3r@build.opensuse.org>):
  1. Certificiate 1488EB46E192A257 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-03-05T03:37:15Z
  2. Key 1488EB46E192A257 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-03-05T03:37:15Z
error: Verifying a signature using certificate A4B83CD05FDF5C5178482D4A1488EB46E192A257 (home:manuelschneid3r OBS Project <home:manuelschneid3r@build.opensuse.org>):
  1. Certificiate 1488EB46E192A257 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-03-05T03:37:15Z
  2. Key 1488EB46E192A257 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-03-05T03:37:15Z
home:manuelschneid3r (Fedora_38)
GPG key at https://download.opensuse.org/repositories/home:/manuelschneid3r/Fedora_38/repodata/repomd.xml.key (0xE192A257) is already installed
The GPG keys listed for the "home:manuelschneid3r (Fedora_38)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: albert-0.20.14-532.1.x86_64
 GPG Keys are configured as: https://download.opensuse.org/repositories/home:/manuelschneid3r/Fedora_38/repodata/repomd.xml.key
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED

But checking the live GPG key at https://download.opensuse.org/repositories/home:/manuelschneid3r/Fedora_38/repodata/repomd.xml.key, you see the following information: image

Diagnostic

You have in your RPM cache, used by DNF, an obsolete key which is now expired, and which has the same key ID and fingerprint as the new key. Your system therefore assumes that it already has the requested key, even though its copy has expired.

The solution

Find the culprit

To find the currently stored key, run:

~ sudo rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-eb10b464-6202d9c6	Fedora (38) <fedora-38-primary@fedoraproject.org> public key
[...]
gpg-pubkey-e192a257-5e042aeb	home:manuelschneid3r OBS Project <home:manuelschneid3r@build.opensuse.org> public key
[...]

Here, the one we search for is named gpg-pubkey-e192a257-5e042aeb.

Get rid of it

Delete the key:

~ sudo rpm -e gpg-pubkey-e192a257-5e042aeb

Update again

Let's run the packages update again:

~ sudo dnf update
Dependencies resolved.
===============================================================================
 Package     Architecture     Version           Repository                Size
===============================================================================
Upgrading:
 albert      x86_64           0.20.14-532.1     home_manuelschneid3r     2.3 M

Transaction Summary
===============================================================================
Upgrade  1 Package

Total size: 2.3 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] albert-0.20.14-532.1.x86_64.rpm: Already downloaded
home:manuelschneid3r (Fedora_38)
Importing GPG key 0xE192A257:
 Userid     : "home:manuelschneid3r OBS Project <home:manuelschneid3r@build.opensuse.org>"
 Fingerprint: A4B8 3CD0 5FDF 5C51 7848 2D4A 1488 EB46 E192 A257
 From       : https://download.opensuse.org/repositories/home:/manuelschneid3r/Fedora_38/repodata/repomd.xml.key
Is this ok [y/N]: 

A new key is found, that's a good sign! Accept it and continue:

Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :
  Upgrading        : albert-0.20.14-532.1.x86_64
  Running scriptlet: albert-0.20.14-532.1.x86_64

Upgraded:
  albert-0.20.14-532.1.x86_64

Complete!

Job is done!

@dimaos32
Copy link

Спасибо!!!
Ваша инструкция помогла разобраться!
П.С. Первый раз с таким столкнулся...

@Brayman30
Copy link

Thank you for this! I had this issue with Google Chrome on Fedora.

@HymanZHAN
Copy link

HymanZHAN commented Feb 23, 2024

Lifesaver! Chrome update on Fedora has been annoying me for the past week, and this is just so helpful. Thank you very much!

@mak448a
Copy link

mak448a commented Apr 25, 2024

Thank you!

@TxMat
Copy link

TxMat commented Apr 25, 2024

Thanks ! Saved me time on fedora 38

@FrostyX
Copy link

FrostyX commented May 11, 2024

We are encountering these errors in Copr as well. Just for the record, I created an upstream issue rpm-software-management/dnf#2075

@hlovdal
Copy link

hlovdal commented May 20, 2024

Thank you so much for this information! It helped me resolve a similar issue in Fedora 39:

error: Verifying a signature using certificate 69B1C0916FDB15A8741743E8184B98BE3E68CD11 (home:ra3xdh OBS Project <home:ra3xdh@build.opensuse.org>):
  1. Certificiate 184B98BE3E68CD11 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2024-05-02T14:27:31Z
  2. Key 184B98BE3E68CD11 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2024-05-02T14:27:31Z
error: Verifying a signature using certificate 69B1C0916FDB15A8741743E8184B98BE3E68CD11 (home:ra3xdh OBS Project <home:ra3xdh@build.opensuse.org>):
  1. Certificiate 184B98BE3E68CD11 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2024-05-02T14:27:31Z
  2. Key 184B98BE3E68CD11 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2024-05-02T14:27:31Z
home:ra3xdh (Fedora_40)                                                                                                                                                                                     8.9 kB/s | 1.1 kB     00:00    
GPG key at https://download.opensuse.org/repositories/home:/ra3xdh/Fedora_40/repodata/repomd.xml.key (0x3E68CD11) is already installed
The GPG keys listed for the "home:ra3xdh (Fedora_40)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: qucs-s-24.2.1-2.1.x86_64
 GPG Keys are configured as: https://download.opensuse.org/repositories/home:/ra3xdh/Fedora_40/repodata/repomd.xml.key
The downloaded packages were saved in cache until the next successful transaction.

@Loki-Afro
Copy link

thank you !

@dreitagebart
Copy link

you are my hero!

@beto0607
Copy link

Thanks for this! Helped me a lot 💪

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment