Rpm import Check_MK-pubkey.gpg failed on centos 8 stream

Since the upgrade from CentOS Linux 8.5 to CentOS Stream 8, the rpm key import no longer works.

[root@vm2 ~]# cat /etc/centos-release 
CentOS Stream release 8
[root@vm2 ~]# rpm -q kernel rpm
kernel-4.18.0-358.el8.x86_64
rpm-4.14.3-21.el8.x86_64
[root@vm2 ~]# rpm --import https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg
error: https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg: key 1 import failed.

Anyone seen this problem?

What happens if you download the key manually and add it then?

It makes no difference, the rpm import does not work. Other key imports like rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi2018 work without any problems.

I just tested this on a clean vagrant box. No problems there at all.
Is there possibly a proxy or something else interfering with the download?

Today I installed a fresh virtual machine from CentOS-Stream-8-x86_64-20220202-boot.iso with the minimal software selection.

# wget -q https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg
# md5sum Check_MK-pubkey.gpg 
c0a986fa0bb0d9dfc5b29ef2cc93f962  Check_MK-pubkey.gpg
# rpm --import Check_MK-pubkey.gpg 
error: Check_MK-pubkey.gpg: key 1 import failed.
[root@localhost ~]# wget https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg
[root@localhost ~]# md5sum Check_MK-pubkey.gpg 
c0a986fa0bb0d9dfc5b29ef2cc93f962  Check_MK-pubkey.gpg

I am starting to think you have bad mojo. :wink:
Is there any customization you are doing on your machine?
Are you running the import as root?
I used the vagrant box centos/stream8, as I have no time to install a complete server.

I don’t think so, vagrant and docker centos8 images are currently based on CentOS Linux 8, but CentOS Linux 8 is EOL since 31.12.2021 (see https://centos.org)

On CentOS Linux everything works fine.

But CentOS Stream 8 is ahead of CentOS Linux 8.5, it is somewhere between 8.5 and 8.6.

I don’t know if vagrant has CentOS Stream images; docker does not until now. I know the EOL of CentOS Linux is a more general problem, and it will become harder to support this because it has become more of a development distro now. It was just a matter of time until something like this happened after Red Hat acquired CentOS, because CentOS was a direct competitor to RHEL subscriptions.

From CentOS homepage:

CentOS Stream - Continuously delivered distro that tracks just ahead of Red Hat Enterprise Linux (RHEL) development, positioned as a midstream between Fedora Linux and RHEL. For anyone interested in participating and collaborating in the RHEL ecosystem, CentOS Stream is your reliable platform for innovation.

I am aware of the major turmoil the announcement caused, but I think this is not a general problem, as my test box is CentOS Stream 8:

[root@localhost ~]# cat /etc/os-release 
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
[root@localhost ~]# dnf check-update --refresh
CentOS Stream 8 - AppStream                                              3.8 kB/s | 4.4 kB     00:01    
CentOS Stream 8 - BaseOS                                                 7.9 kB/s | 3.9 kB     00:00    
CentOS Stream 8 - Extras                                                 4.8 kB/s | 3.0 kB     00:00

I think I found the problem; it's not related to CentOS Stream, but to the latest rpm updates from RHEL 8.5.

$ docker run -it almalinux bash
[root@3447b030526a /]# rpm -q rpm
rpm-4.14.3-19.el8.x86_64
[root@3447b030526a /]# rpm --import https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg && echo OK
OK

Running the same AlmaLinux 8.5 container but upgrading rpm:

$ docker run -it almalinux bash
[root@dea16e13f994 /]# dnf update rpm
AlmaLinux 8 - BaseOS                                                                      5.9 MB/s | 5.9 MB     00:00    
AlmaLinux 8 - AppStream                                                                   7.7 MB/s | 9.1 MB     00:01    
AlmaLinux 8 - Extras                                                                       20 kB/s |  12 kB     00:00    
Dependencies resolved.
==========================================================================================================================
 Package                         Architecture            Version                            Repository               Size
==========================================================================================================================
Upgrading:
 python3-rpm                     x86_64                  4.14.3-19.el8_5.2                  baseos                  153 k
 rpm                             x86_64                  4.14.3-19.el8_5.2                  baseos                  542 k
 rpm-build-libs                  x86_64                  4.14.3-19.el8_5.2                  baseos                  156 k
 rpm-libs                        x86_64                  4.14.3-19.el8_5.2                  baseos                  344 k

Transaction Summary
==========================================================================================================================
Upgrade  4 Packages

Total download size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): rpm-build-libs-4.14.3-19.el8_5.2.x86_64.rpm                                        1.7 MB/s | 156 kB     00:00    
(2/4): python3-rpm-4.14.3-19.el8_5.2.x86_64.rpm                                           1.5 MB/s | 153 kB     00:00    
(3/4): rpm-4.14.3-19.el8_5.2.x86_64.rpm                                                   4.1 MB/s | 542 kB     00:00    
(4/4): rpm-libs-4.14.3-19.el8_5.2.x86_64.rpm                                              5.7 MB/s | 344 kB     00:00    
--------------------------------------------------------------------------------------------------------------------------
Total                                                                                     1.7 MB/s | 1.2 MB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                  1/1 
  Upgrading        : rpm-libs-4.14.3-19.el8_5.2.x86_64                                                                1/8 
  Running scriptlet: rpm-libs-4.14.3-19.el8_5.2.x86_64                                                                1/8 
  Upgrading        : rpm-4.14.3-19.el8_5.2.x86_64                                                                     2/8 
  Upgrading        : rpm-build-libs-4.14.3-19.el8_5.2.x86_64                                                          3/8 
  Running scriptlet: rpm-build-libs-4.14.3-19.el8_5.2.x86_64                                                          3/8 
  Upgrading        : python3-rpm-4.14.3-19.el8_5.2.x86_64                                                             4/8 
  Cleanup          : python3-rpm-4.14.3-19.el8.x86_64                                                                 5/8 
  Cleanup          : rpm-build-libs-4.14.3-19.el8.x86_64                                                              6/8 
  Running scriptlet: rpm-build-libs-4.14.3-19.el8.x86_64                                                              6/8 
  Cleanup          : rpm-4.14.3-19.el8.x86_64                                                                         7/8 
  Cleanup          : rpm-libs-4.14.3-19.el8.x86_64                                                                    8/8 
  Running scriptlet: rpm-libs-4.14.3-19.el8.x86_64                                                                    8/8 
  Verifying        : python3-rpm-4.14.3-19.el8_5.2.x86_64                                                             1/8 
  Verifying        : python3-rpm-4.14.3-19.el8.x86_64                                                                 2/8 
  Verifying        : rpm-4.14.3-19.el8_5.2.x86_64                                                                     3/8 
  Verifying        : rpm-4.14.3-19.el8.x86_64                                                                         4/8 
  Verifying        : rpm-build-libs-4.14.3-19.el8_5.2.x86_64                                                          5/8 
  Verifying        : rpm-build-libs-4.14.3-19.el8.x86_64                                                              6/8 
  Verifying        : rpm-libs-4.14.3-19.el8_5.2.x86_64                                                                7/8 
  Verifying        : rpm-libs-4.14.3-19.el8.x86_64                                                                    8/8 

Upgraded:
  python3-rpm-4.14.3-19.el8_5.2.x86_64      rpm-4.14.3-19.el8_5.2.x86_64      rpm-build-libs-4.14.3-19.el8_5.2.x86_64     
  rpm-libs-4.14.3-19.el8_5.2.x86_64        

Complete!
[root@dea16e13f994 /]# rpm --import https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg && echo OK
error: https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg: key 1 import failed.
[root@dea16e13f994 /]#

This problem occurs on every Linux based on RHEL 8.5 that has the latest rpm updates installed (Rocky Linux, AlmaLinux, CentOS Stream). I think CentOS Linux 8.5 is not affected because this update did not reach CentOS Linux before the EOL on 31.12.2021.

I think the problem is related to the following change in rpm-4.14.3-19.el8_5.2.x86_64:

* Thu Jan 06 2022 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-19.1
- Validate and require subkey binding sigs on PGP pubkeys (#2022537)
- Fixes CVE-2021-3521
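
Editor's added example, not part of any post in this thread: the changelog entry quoted above says the updated rpm requires subkey binding signatures on PGP public keys, so a quick diagnostic is to check whether every subkey in a key file is followed by one. The script assumes the text format printed by `gpg --list-packets`; the function names and the sample packets are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag OpenPGP subkeys that have no
# subkey binding signature (sigclass 0x18) in `gpg --list-packets` output.
# Presence check only; the signature is not verified cryptographically.
check_subkey_bindings() {
  awk '
    function report() {
      if (!in_sub) return
      if (bound) { print "subkey " id ": binding signature present" }
      else { print "subkey " id ": NO binding signature"; missing++ }
      in_sub = 0
    }
    /^:public key packet:/     { report() }
    /^:public sub key packet:/ { report(); in_sub = 1; bound = 0; id = "unknown"; next }
    in_sub && /^[ \t]+keyid:/  { id = $2 }
    in_sub && /sigclass 0x18/  { bound = 1 }
    END { report(); exit (missing > 0) }
  '
}

# Constructed sample: primary key, user ID with self-signature, and one
# subkey that has no binding signature after it.
sample_unbound() { cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1400000000, expires 0
    keyid: AAAAAAAAAAAAAAAA
:user ID packet: "Constructed Example <example@example.invalid>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
    version 4, created 1400000000, md5len 0, sigclass 0x13
:public sub key packet:
    version 4, algo 1, created 1400000000, expires 0
    keyid: BBBBBBBBBBBBBBBB
EOF
}

# Constructed sample: the same key with a binding signature on the subkey.
sample_bound() {
  sample_unbound
  printf ':signature packet: algo 1, keyid AAAAAAAAAAAAAAAA\n'
  printf '    version 4, created 1400000000, md5len 0, sigclass 0x18\n'
}

# Stand-alone use: pass a key file as the first argument.
if [ -n "${1:-}" ]; then
  gpg --list-packets "$1" | check_subkey_bindings
fi
```

The exit status is non-zero when at least one subkey has no binding signature, so the check can gate a provisioning step that runs before `rpm --import`.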

Thanks for your research @uleodolter! We will take a look and give an update here once information is available.

Yes, same here for OL 8.5:

rpm -q rpm
rpm-4.14.3-19.el8_5.2.x86_64
rpm --import Check_MK-pubkey.gpg
error: Check_MK-pubkey.gpg: key 1 import failed.

Thanks for the update @tgolovanov, we are already looking into the issue.

Any news on this? In the meantime we have upgraded from 2.0.0p19.cre to 2.0.0p20.cee, but still the same error. Is there a new gpg key needed to sign rpms?

We are looking into it, but as CentOS 8 Stream is not officially supported yet, this has lower priority.
But we will keep you posted here.

Ok thank you, but latest Red Hat Enterprise Linux 8.5 is also affected.

[root@adrenaline ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.5 (Ootpa)
[root@adrenaline ~]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.5"
[root@adrenaline ~]# rpm --import https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg
error: https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg: key 1 import failed.

Thanks for the update @uleodolter, I will pass on the information to our developers.

Same here, not able to install checkmk on RHEL 8.5.

I’m another with the problem, so when you can update I’ll be listening.

+1 affected by this issue.

It seems that 1password was also impacted by the same change in rpm, they were able to resolve it by stripping some of the expired signatures out of their key and publishing a new copy:

Thank you all for sharing your input! As said, we are looking into it.
Please be aware that you can, of course, technically install the package without verification, or you could verify the package on another system and copy it to the target system afterwards.
Those are workarounds however, and we will make sure to fix the issue at hand eventually.
