It makes no difference , the rpm import does not work. Other key import like rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi2018 work without any problems.
I am starting you think you have bad mojo.
Is there any customization you are doing on your machine?
Are you running the import as root?
I used the vagrant box centos/stream8, as I have no time to install a complete server.
I don’t think so, vagrant and docker centos8 images are currently based on CentOS Linux 8, but CentOS Linux 8 is EOL since 31.12.2021 (see https://centos.org)
On CentOS Linux everything works fine.
But CentOS Stream 8 is ahead of CentOS Linux 8.5, it is somewhere between 8.5 and 8.6.
I don’t know if vagrant has CentOS Stream images, docker does not until now. I know the EOL of CentOS Linux is a more general problem and it will become harder to support this because it has become more a development distro now, it was just a matter of time that something like this happens after Red Hat acquired CentOS, because CentOS was direct competitor to RHEL subscriptions.
From CentOS homepage:
CentOS Stream - Continuously delivered distro that tracks just ahead of Red Hat Enterprise Linux (RHEL) development, positioned as a midstream between Fedora Linux and RHEL. For anyone interested in participating and collaborating in the RHEL ecosystem, CentOS Stream is your reliable platform for innovation.
This problem is on every linux which is based on RHEL 8.5 which has latest rpm updates installed (RockLinux, AlmaLinux, CentOS Stream). It think CentOS Linux 8.5 is not affected because this updated reached not CentOS Linux before the EOL on 31.12.2021.
I think the problem is related to the following change in rpm-4.14.3-19.el8_5.2.x86_64:
* Thu Jan 06 2022 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-19.1
- Validate and require subkey binding sigs on PGP pubkeys (#2022537)
- Fixes CVE-2021-3521
Any news on this? in the meantime we have upgraded from 2.0.0p19.cre to 2.0.0p20.cee, but still the same error. Is there a new gpg key needed to sign rpms ?
It seems that 1password was also impacted by the same change in rpm, they were able to resolve it by stripping some of the expired signatures out of their key and publishing a new copy:
Thank you all for sharing your input! As said, we are looking into it.
Please be aware, that you of course can technically install the package without verification, or you could verify the package on another system and copy it to the target system afterwards.
Those are workarounds however, and we will make sure to fix the issue at hand eventually.