How to Remove RPM Package GPG Keys

I recently had two packages in Fedora whose package GPG keys had changed but dnf would error out and skip them.  After some searching I found a simple solution using RPM to remove the old package keys so upon next update I get prompted for the new keys.  I write this in hopes it will save others some time.

 

The Problem – Package Keys have Changed

Upon performing a dnf update I see the following error:

RPM: 1. Certificate FC430E26FACB00B1 invalid: certificate is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
RPM: 2. Key FC430E26FACB00B1 invalid: key is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
RPM: error: Verifying a signature using certificate 654D24A363159304787B8F9BFC430E26FACB00B1 (flatcap_NeoMutt (None) <flatcap#NeoMutt@copr.fedorahosted.org>):
RPM: 1. Certificate FC430E26FACB00B1 invalid: certificate is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
RPM: 2. Key FC430E26FACB00B1 invalid: key is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
package neomutt-6:20230517-1.fc38.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID facb00b1: NOTTRUSTED

Why does this Happen?
Occasionally software distributors change their signing keys, or the keys expire, and sometimes the old key needs to be manually replaced with the new one.

The Solution – Find and Remove RPM Package Key

First I obtained a list of all my package keys and found the offending one that dnf complained about.

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

Your output should look like this; you are looking for the gpg-pubkey package name to the left of the package you are trying to pull new keys for.

 

After this I removed just the one that was a problem (as root):

rpm --erase --allmatches gpg-pubkey-facb00b1-570a8081

Now you can proceed with dnf unhindered.  This will likely work for all Red Hat derivative distributions (Rocky, Alma, RHEL, CentOS Stream) too.
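
The matching step above, as an added example (not code from the original post): it pulls the short key ID out of the dnf error text and finds the gpg-pubkey package whose VERSION field is that ID, then prints the erase command instead of running it. The function names and the second key in the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: map the "key ID xxxxxxxx" in a dnf verification error to the
# installed gpg-pubkey package, so only that one key is removed.

# Read dnf/rpm error text on stdin, print each short key ID (8 hex digits), lower-cased.
key_ids_from_error() {
    grep -Eio 'key ID [0-9a-f]{8}' | awk '{print tolower($3)}' | sort -u
}

# $1 = file holding the output of:
#        rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
# stdin = dnf error text. Prints the matching gpg-pubkey package names.
find_stale_keys() {
    key_ids_from_error | while read -r id; do
        # The VERSION field of a gpg-pubkey package is the short key ID,
        # so the package name starts with "gpg-pubkey-<id>-".
        awk -F'\t' -v id="$id" 'index($1, "gpg-pubkey-" id "-") == 1 {print $1}' "$1"
    done
}

# Demo on constructed input; nothing is erased, the command is only printed.
demo() {
    tmp=$(mktemp -d) || return 1
    # Last line of the dnf error quoted in the post.
    printf '%s\n' 'package neomutt-6:20230517-1.fc38.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID facb00b1: NOTTRUSTED' > "$tmp/err"
    # Constructed key listing: the first entry is a made-up unrelated key.
    printf 'gpg-pubkey-0123abcd-5f000000\tExample Repo <repo@example.invalid> public key\n' > "$tmp/keys"
    printf 'gpg-pubkey-facb00b1-570a8081\tflatcap_NeoMutt (None) public key\n' >> "$tmp/keys"
    find_stale_keys "$tmp/keys" < "$tmp/err" | sed 's/^/rpm --erase --allmatches /'
    rm -rf "$tmp"
}

demo
```

On a real host, save the rpm query output to a file, pipe the dnf error into find_stale_keys, and review the printed name before erasing anything as root.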

About Will Foster

hobo devop/sysadmin/SRE

4 Responses to How to Remove RPM Package GPG Keys

  1. Brian says:

    Thanks for the guide on how to deal with gpg key issues. Really helped me out. That slackware post looks interesting.

  2. Louis says:

    Thank you!! Just what I needed.

  3. Ralf says:

    Thanks for your guide. This helped instantly and gave me an insight into rpm.
