I recently had two packages in Fedora whose package GPG keys had changed but dnf would error out and skip them. After some searching I found a simple solution using RPM to remove the old package keys so upon next update I get prompted for the new keys. I write this in hopes it will save others some time.
The Problem – Package Keys have Changed
Upon performing a dnf update I see the following error:
RPM: 1. Certificate FC430E26FACB00B1 invalid: certificate is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
RPM: 2. Key FC430E26FACB00B1 invalid: key is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
RPM: error: Verifying a signature using certificate 654D24A363159304787B8F9BFC430E26FACB00B1 (flatcap_NeoMutt (None) <flatcap#NeoMutt@copr.fedorahosted.org>):
RPM: 1. Certificate FC430E26FACB00B1 invalid: certificate is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
RPM: 2. Key FC430E26FACB00B1 invalid: key is not alive
RPM: because: The primary key is not live
RPM: because: Expired on 2021-04-09T16:34:09Z
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
package neomutt-6:20230517-1.fc38.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID facb00b1: NOTTRUSTED
Why does this Happen?
Occasionally a software distributor changes its signing key, or the key expires, and the new key then has to be imported manually before the signature check will pass again.
The Solution – Find and Remove RPM Package Key
First I obtained a list of all my package keys and found the offending one that dnf complained about.
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
Your output should look like this; you are looking for the gpg-pubkey package name (to the left of the summary) that belongs to the package you are trying to pull new keys for.
After this I removed just the one that was a problem (as root):
rpm --erase --allmatches gpg-pubkey-facb00b1-570a8081
Now you can proceed with dnf unhindered. This will likely work for all Red Hat derivative distributions (Rocky, Alma, RHEL, CentOS Stream) too.
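As an added example (not part of the original post), the script below automates the matching step: it pulls the short key ID out of the dnf/rpm error, finds the one installed gpg-pubkey entry whose version field is that key ID, and cross-checks the full certificate fingerprint from the error against that ID (the short ID is the last eight hex digits of the fingerprint). It assumes the rpm -q output format from the post; the sample key list and error line are constructed inline, and the second key in the list is a made-up placeholder. Nothing is erased: the script only prints the rpm command to run.

```shell
#!/bin/sh
# Added example, not from the original post. Locates the installed RPM
# gpg-pubkey entry matching the key ID that dnf complained about, so that
# only that one entry is removed. Sample data below is constructed.

# Extract the 8-hex-digit short key ID from an rpm/dnf error line such as
# "... Signature, key ID facb00b1: NOTTRUSTED". Prints it in lowercase.
key_id_from_error() {
    printf '%s\n' "$1" \
        | sed -n 's/.*key ID \([0-9a-fA-F]\{8\}\).*/\1/p' \
        | head -n 1 | tr 'A-F' 'a-f'
}

# Given "rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'"
# output and a short key ID, print the package name(s) whose VERSION field
# (gpg-pubkey-<keyid>-<timestamp>) equals that key ID.
find_pubkey_package() {
    wanted=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    printf '%s\n' "$1" | awk -v id="$wanted" '
        BEGIN { FS = "\t" }
        {
            split($1, parts, "-")      # parts[3] is the key ID
            if (parts[3] == id) print $1
        }'
}

# The short key ID is the last 8 hex digits of a v4 key fingerprint; use this
# to confirm the certificate named in the error is the one being removed.
fingerprint_matches_keyid() {
    fp=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    short=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$fp" in
        *"$short") return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample data: the first entry uses the key ID and release from
# the post; the second entry is a placeholder, not a real key.
SAMPLE_KEYS=$(printf 'gpg-pubkey-facb00b1-570a8081\tgpg(flatcap_NeoMutt (None) <flatcap#NeoMutt@copr.fedorahosted.org>)\ngpg-pubkey-0badc0de-60000000\tgpg(Example Vendor (constructed sample) <keys@example.invalid>)\n')
SAMPLE_ERROR='Error: Transaction test error: package neomutt-6:20230517-1.fc38.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID facb00b1: NOTTRUSTED'
SAMPLE_FINGERPRINT='654D24A363159304787B8F9BFC430E26FACB00B1'

# Stand-alone run against the sample data. On a real system, replace
# SAMPLE_KEYS with the output of the rpm -q command quoted above.
keyid=$(key_id_from_error "$SAMPLE_ERROR")
pkg=$(find_pubkey_package "$SAMPLE_KEYS" "$keyid")
echo "offending key ID:          $keyid"
echo "installed gpg-pubkey entry: $pkg"
if fingerprint_matches_keyid "$SAMPLE_FINGERPRINT" "$keyid"; then
    echo "fingerprint in error ends with $keyid: consistent"
fi
echo "to remove it (as root):    rpm --erase --allmatches $pkg"
```

On the next dnf transaction the repository's current key is offered for import; compare the fingerprint dnf shows against the one published by the repository maintainer before accepting it, since removing the stale key re-opens the trust decision.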
Thanks for the guide on how to deal with GPG key issues. Really helped me out. That Slackware post looks interesting.
That was really helpful, had lots of outdated GPG keys in my db
Thank you!! Just what I needed.
Thanks for your guide. This helped instantly and gave me an insight into rpm.