Skip to content

Instantly share code, notes, and snippets.

@e7d

e7d/remove-obsolete-gpg-key-from-dnf.md

Last active March 28, 2025 07:00
Show Gist options
  • Save e7d/3b786c7410ca14a5ded61eec36de9874 to your computer and use it in GitHub Desktop.
Save e7d/3b786c7410ca14a5ded61eec36de9874 to your computer and use it in GitHub Desktop.
Download ZIP
Remove obsolete GPG key from DNF (Fedora)
Raw
remove-obsolete-gpg-key-from-dnf.md

The problem

Initial situation

Using Fedora 38, say you want to update the package albert from manuelschneid3r, hosted at https://software.opensuse.org/download.html?project=home:manuelschneid3r&package=albert.

And with dnf update, you get the following output:

~ sudo dnf update
Dependencies resolved.
===============================================================================
 Package     Architecture     Version           Repository                Size
===============================================================================
Upgrading:
 albert      x86_64           0.20.14-532.1     home_manuelschneid3r     2.3 M

Transaction Summary
===============================================================================
Upgrade  1 Package

Total size: 2.3 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] albert-0.20.14-532.1.x86_64.rpm: Already downloaded
error: Verifying a signature using certificate A4B83CD05FDF5C5178482D4A1488EB46E192A257 (home:manuelschneid3r OBS Project <home:[email protected]>):
  1. Certificiate 1488EB46E192A257 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-03-05T03:37:15Z
  2. Key 1488EB46E192A257 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-03-05T03:37:15Z
error: Verifying a signature using certificate A4B83CD05FDF5C5178482D4A1488EB46E192A257 (home:manuelschneid3r OBS Project <home:[email protected]>):
  1. Certificiate 1488EB46E192A257 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-03-05T03:37:15Z
  2. Key 1488EB46E192A257 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-03-05T03:37:15Z
home:manuelschneid3r (Fedora_38)
GPG key at https://download.opensuse.org/repositories/home:/manuelschneid3r/Fedora_38/repodata/repomd.xml.key (0xE192A257) is already installed
The GPG keys listed for the "home:manuelschneid3r (Fedora_38)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: albert-0.20.14-532.1.x86_64
 GPG Keys are configured as: https://download.opensuse.org/repositories/home:/manuelschneid3r/Fedora_38/repodata/repomd.xml.key
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED

But checking the live GPG key at https://download.opensuse.org/repositories/home:/manuelschneid3r/Fedora_38/repodata/repomd.xml.key, you see the following information: image

Diagnostic

You have in your RPM cache, used by DNF, an obsolete key which is now expired, and which has the same key ID and fingerprint as the new key. Your system therefore assumes that it already has the requested key, even though its copy has expired.

The solution

Find the culprit

To find the currently stored key, run:

~ sudo rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-eb10b464-6202d9c6	Fedora (38) <[email protected]> public key
[...]
gpg-pubkey-e192a257-5e042aeb	home:manuelschneid3r OBS Project <home:[email protected]> public key
[...]

Here, the one we search for is named gpg-pubkey-e192a257-5e042aeb.

Get rid of it

Delete the key:

~ sudo rpm -e gpg-pubkey-e192a257-5e042aeb

Update again

Let's run the packages update again:

~ sudo dnf update
Dependencies resolved.
===============================================================================
 Package     Architecture     Version           Repository                Size
===============================================================================
Upgrading:
 albert      x86_64           0.20.14-532.1     home_manuelschneid3r     2.3 M

Transaction Summary
===============================================================================
Upgrade  1 Package

Total size: 2.3 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] albert-0.20.14-532.1.x86_64.rpm: Already downloaded
home:manuelschneid3r (Fedora_38)
Importing GPG key 0xE192A257:
 Userid     : "home:manuelschneid3r OBS Project <home:[email protected]>"
 Fingerprint: A4B8 3CD0 5FDF 5C51 7848 2D4A 1488 EB46 E192 A257
 From       : https://download.opensuse.org/repositories/home:/manuelschneid3r/Fedora_38/repodata/repomd.xml.key
Is this ok [y/N]:

A new key is found, that's a good sign! Accept it and continue:

Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :
  Upgrading        : albert-0.20.14-532.1.x86_64
  Running scriptlet: albert-0.20.14-532.1.x86_64

Upgraded:
  albert-0.20.14-532.1.x86_64

Complete!

Job is done!

@FrostyX
Copy link

FrostyX commented Jan 11, 2025

Fedora is not reluctant to fix this. Apart from the fact, that we are all part of Fedora and therefore anybody could fix it, there was a lot of work done on this issue and it is almost finished.

There is now a DNF4 plugin (Fedora 40 and lower)
https://github.com/rpm-software-management/dnf-plugins-core/blob/master/plugins/expired-pgp-keys.py
which can detect and remove the expired keys.

When DNF4 fails because of an expired key, it recommends using the plugin via --enableplugin=expired-pgp-keys:
rpm-software-management/dnf#2166

For F42+, this behavior will be in the core of DNF5 and enabled by default:
https://fedoraproject.org/wiki/Changes/Dnf5ExpiredPGPKeys

So this issue remains to be unsolved only for F41, where you can use the workaround explained on this gist, or use the plugin if you know about it. The problem is that users have no way of knowing about it.

@ccaneke
Copy link

ccaneke commented Feb 15, 2025

I have fedora version:

$ dnf --version
4.19.2

I tried using the workaround in this gist but after getting two gpg keys for chrome I decided it's safer to use the plug in:

$ sudo rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-18b8e74c-62f2920f    Fedora (39) <[email protected]> public key
gpg-pubkey-d38b4796-570c8cd3    Google Inc. (Linux Packages Signing Authority) <[email protected]> public key
gpg-pubkey-7fac5991-45f06f46    Google, Inc. Linux Package Signing Key <[email protected]> public key

However the plugin is not on version 4 of dnf on fedora 39 after I tried upgrading fedora again using this plugin:

$ sudo dnf --enableplugin=expired-pgp-keys system-upgrade download --releasever=41
No matches found for the following enable plugin patterns: expired-pgp-keys
Before you continue ensure that your system is fully upgraded by running "dnf --refresh upgrade". Do you want to continue [y/N]:

So I erased the first google chrome gpg-key (gpg-pubkey-d38b4796-570c8cd3) using sudo rpm -e gpg-pubkey-d38b4796-570c8cd3 since when I deleted the second gpg-key (gpg-pubkey-7fac5991-45f06f46) it turned out to be the latest chrome package gpg-key and gave the error:

image

The problem was that the existing chrome signing authority certificate was expired. dnf system-upgrade then replaced the deleted expired signing authority gpg-key with a new one:

Screenshot from 2025-02-15 11-53-41

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment