New Checkmk Version 2.3.0p20 does not verify: Header V4 RSA/SHA512 Signature

New Checkmk Version 2.3.0p20 does not verify: Header V4 RSA/SHA512 Signature, key ID c4503261: BAD

Hi EnLandHirs,

That is certainly unexpected. We cannot reproduce the issue at the moment. Could you share a few more details?

  • your OS version
  • the version of dnf
  • did previous releases work?
  • (just to be sure and since it looks like it doesn’t like our gpg key) did you follow Installation on Red Hat and derivatives? Especially “4. Signed-package installation”.
  • is rpm -K ./check-mk-enterprise-2.3.0p20-el9-38.x86_64.rpm happy with the signature?

Thanks!
Hannes

Hi Hannes

Rocky Linux 9.4 (5.14.0-427.42.1.el9_4.x86_64)

dnf 4.14.0

Yes, all previous releases worked, and we are updating approximately every two weeks.

The key that we currently have is the same as the one from your documentation.

No, not happy

Hmm, that is weird. I tried to reproduce it again in a fresh setup using docker:

[root@0c7ee47a1d76 /]# sha256sum /check-mk-enterprise-2.3.0p20-el9-38.x86_64.rpm 
2118517d52ab728cb80f66d1bfa7b524ba404977913e2380f47dfd101c748bb4  /check-mk-enterprise-2.3.0p20-el9-38.x86_64.rpm
[root@0c7ee47a1d76 /]# curl https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg > key.gpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4764  100  4764    0     0  16541      0 --:--:-- --:--:-- --:--:-- 16484
[root@0c7ee47a1d76 /]# gpg --show-key key.gpg
pub   rsa4096 2018-02-04 [SC]
      B1E7106575B723F00611C612434DAC48C4503261
uid                      Check_MK Software Release Signing Key (2018) <feedback@check-mk.org>
uid                      Check_MK Software Daily Build Signing Key (2018) <feedback@check-mk.org>
sub   rsa4096 2018-02-04 [E]

[root@0c7ee47a1d76 /]# rpm --import key.gpg
[root@0c7ee47a1d76 /]# rpm -K /check-mk-enterprise-2.3.0p20-el9-38.x86_64.rpm 
/check-mk-enterprise-2.3.0p20-el9-38.x86_64.rpm: digests signatures OK
[root@0c7ee47a1d76 /]# dnf --version
4.14.0
  Installed: dnf-0:4.14.0-8.el9.noarch at Sun Nov 19 22:25:22 2023
  Built    : Rocky Linux Build System (Peridot) <releng@rockylinux.org> at Wed Nov  1 01:53:30 2023

  Installed: rpm-0:4.16.1.3-25.el9.x86_64 at Sun Nov 19 22:25:20 2023
  Built    : Rocky Linux Build System (Peridot) <releng@rockylinux.org> at Wed Oct 18 05:58:34 2023
[root@0c7ee47a1d76 /]# rpm --version
RPM version 4.16.1.3
[root@0c7ee47a1d76 /]# 

All I can think of at the moment is to ask you to double-check both the package and the gpg key file. If nothing helps, could you open a support ticket for us?

We have found the error.
Our security has introduced a new scanner or created new policies which scanned the RPM, and so it was no longer valid.
Thank you very much for your help, Hannes.
Best regards
Roman

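Added example, not part of the thread and not Checkmk's own tooling: a triage helper that compares the local file's SHA-256 with the value posted above before interpreting the `rpm -K` result, which separates "the file was changed on its way to this host" (the resolution here) from "the key is not imported". The function names and verdict strings are assumptions made for this sketch; `NOKEY` and `NOT OK` are other rpm result words that do not appear in the thread.

```shell
#!/bin/sh
# Added example: tell "file changed in transit" apart from "key not imported".
# Function names and verdict strings are assumptions made for this sketch.

# SHA-256 of the 2.3.0p20 el9 package as posted in the thread above.
EXPECTED_SHA256=2118517d52ab728cb80f66d1bfa7b524ba404977913e2380f47dfd101c748bb4

# Map `rpm -Kv FILE` (or `rpm -K FILE`) output to: bad | nokey | failed | ok | unknown
classify_rpm_k() {
    if printf '%s\n' "$1" | grep -q ': BAD'; then
        echo bad        # a signature or digest line reports BAD
    elif printf '%s\n' "$1" | grep -Eq 'Signature, key ID [0-9a-fA-F]+: NOKEY'; then
        echo nokey      # signing key is not in the rpm keyring
    elif printf '%s\n' "$1" | grep -q 'NOT OK'; then
        echo failed     # non-verbose summary; rerun with -v for the reason
    elif printf '%s\n' "$1" | grep -Eq 'signatures OK|Signature, key ID [0-9a-fA-F]+: OK'; then
        echo ok
    else
        echo unknown
    fi
}

# triage FILE EXPECTED_SHA256 RPM_K_OUTPUT -> prints one verdict, always returns 0
triage() {
    t_actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    if [ -z "$t_actual" ]; then
        echo unreadable
    elif [ "$t_actual" != "$2" ]; then
        # Bytes differ from the published artifact: look at proxies, scanners
        # and download tooling before suspecting the key.
        echo altered-in-transit
    else
        case $(classify_rpm_k "$3") in
            ok)    echo verified ;;
            nokey) echo import-signing-key ;;
            *)     echo signature-failed ;;   # right bytes, signature still fails
        esac
    fi
}

# Constructed demo: a stand-in file whose hash cannot match the published one.
demo_file=$(mktemp)
printf 'constructed stand-in, not a real RPM\n' > "$demo_file"
triage "$demo_file" "$EXPECTED_SHA256" \
    'pkg.rpm: Header V4 RSA/SHA512 Signature, key ID c4503261: BAD'
rm -f "$demo_file"
# Real use: triage ./pkg.rpm "$EXPECTED_SHA256" "$(rpm -Kv ./pkg.rpm 2>&1)"
```

Running the same check on the download host and on the install host shows at which hop the bytes changed.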
