How to Remove RPM Package GPG Keys

I recently had two packages in Fedora whose package GPG keys had changed but dnf would error out and skip them.  After some searching I found a simple solution using RPM to remove the old package keys so upon next update I get prompted for the new keys.  I write this in hopes it will save others some time.

 

The Problem – Package Keys have Changed

Upon performing a dnf update I see the following error:

RPM: 1. Certificate FC430E26FACB00B1 invalid: certificate is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
RPM: 2. Key FC430E26FACB00B1 invalid: key is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
RPM: error: Verifying a signature using certificate 654D24A363159304787B8F9BFC430E26FACB00B1 (flatcap_NeoMutt (None) <flatcap#NeoMutt@copr.fedorahosted.org>):
RPM: 1. Certificate FC430E26FACB00B1 invalid: certificate is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
RPM: 2. Key FC430E26FACB00B1 invalid: key is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
package neomutt-6:20230517-1.fc38.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID facb00b1: NOTTRUSTED

Why does this Happen?

Occasionally software distributors change their signing keys, or the keys expire, and sometimes the key then has to be replaced manually.

The Solution – Find and Remove RPM Package Key

First I obtained a list of all my package keys and found the offending one that dnf complained about.

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

Your output should look like this. You are looking for the gpg-pubkey entry name to the left of the package you are trying to pull new keys for.

After this I removed just the one that was a problem (as root):

rpm --erase --allmatches gpg-pubkey-facb00b1-570a8081

Now you can proceed with dnf unhindered.  This will likely work for all Red Hat derivative distributions (Rocky, Alma, RHEL, CentOS Stream) too.
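
The lookup described above can be scripted. This is an added example, not part of the original post: it pulls the key ID out of the dnf error text and finds the matching gpg-pubkey entry in the rpm listing. The function names and the sample listing are constructed for illustration; only the neomutt error line and the gpg-pubkey-facb00b1-570a8081 name come from the post.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Read dnf/rpm error text on stdin, print each untrusted 8-hex-digit key ID.
key_ids_from_error() {
    sed -n 's/.*key ID \([0-9A-Fa-f]\{8\}\): NOTTRUSTED.*/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# Read "NAME-VERSION-RELEASE<TAB>SUMMARY" lines on stdin (the rpm -q output
# format used above) and print the gpg-pubkey entries whose VERSION is $1.
match_pubkey() {
    awk -F '\t' -v id="$1" '
        $1 ~ /^gpg-pubkey-/ {
            split($1, part, "-")          # gpg, pubkey, VERSION, RELEASE
            if (tolower(part[3]) == id) print $1
        }'
}

# $1 = error text, $2 = key listing; prints the entries that need replacing.
find_stale_pubkeys() {
    printf '%s\n' "$1" | key_ids_from_error | while read -r id; do
        printf '%s\n' "$2" | match_pubkey "$id"
    done
}

# Constructed sample input: the error line from the post plus a made-up listing.
SAMPLE_ERROR='package neomutt-6:20230517-1.fc38.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID facb00b1: NOTTRUSTED'
SAMPLE_LISTING=$(printf '%s\t%s\n' \
    'gpg-pubkey-0a1b2c3d-5f000000' 'Example Repo <repo@example.invalid> public key' \
    'gpg-pubkey-facb00b1-570a8081' 'flatcap_NeoMutt (None) <flatcap#NeoMutt@copr.fedorahosted.org> public key')

# Print the erase command for review instead of running it.
find_stale_pubkeys "$SAMPLE_ERROR" "$SAMPLE_LISTING" | while read -r pkg; do
    echo "as root: rpm --erase --allmatches $pkg"
done
```

When dnf prompts for the replacement key on the next update, compare the fingerprint it shows with the one the repository publishes before accepting it.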

About Will Foster

hobo devop/sysadmin/SRE

4 Responses to How to Remove RPM Package GPG Keys

  1. Brian says:

    Thanks for the guide on how to deal with gpg key issues. Really helped me out. That slackware post looks interesting.


  2. Louis says:

    Thank you!! Just what I needed.


  3. Ralf says:

    Thanks for your guide. This helped instantly and gave me an insight into rpm.

