When you encounter a “GPG check FAILED” error while trying to install an RPM package with yum, it typically means that the GPG signature of the package does not validate against the known public keys on your system. This can be due to missing keys, or issues with the repository configuration.
Keys imported using rpm –import are only used to verify RPM packages, not YUM repos. yum stashes its own keys deep in yum directory. It keeps a separate keyring for each repo.
Table of Contents
Understanding GPG Check in Linux
GPG (GNU Privacy Guard) is a tool that provides cryptographic functionality, including digital signatures, for data integrity and authentication.
Here’s how GPG checks work when validating RPM packages in Linux:
-
Package Signature
RPM packages can be signed by their creators using a private GPG key. This signature is stored within the package itself.
-
Public Key Import
To verify the signature, the corresponding public GPG key must be available on the system. Users or system administrators import this public key, often obtained from a trusted source or the package repository itself. Imported GPG keys are stored in the RPM or YUM database.
-
Signature Verification
When a user attempts to install an RPM package, the rpm or yum command can be used with options to verify the signature (-K with rpm, or gpgcheck=1 with yum in the repository configuration).
-
GPG Verification Process
The rpm or yum command uses the GPG keys in the database to check the signature against the package’s data, ensuring that the package has not been tampered with since it was signed.
-
Repository Metadata
YUM repositories often include metadata that specifies the URL to the public key used for signing the packages in that repository. yum can automatically import the key if it’s not already in the YUM database.
-
GPG Check Result
If the GPG check passes, it means the signature is valid, and the package is considered trustworthy and authentic. If the GPG check fails, it indicates that the signature does not match, the key is not available, or the package has been altered.
-
Manual Key Import and Trust
Users can manually import keys and establish trust for specific entities. This is important for systems that are not connected to the internet and cannot automatically retrieve keys.
-
Package Integrity
The purpose of GPG checks is to ensure the integrity and authenticity of the software packages, providing assurance that the packages have not been modified by unauthorized parties.
By using GPG checks, Linux systems can maintain a high level of security, ensuring that only verified and authentic software is installed. It’s a best practice to keep GPG checks enabled to protect against potentially malicious software.
How to fix GPG check FAILED error with DNF Package Installations
Check Repository Configuration
Ensure that your repository configuration is correct. The repository’s .repo files, usually located in /etc/yum.repos.d/, should have the correct information about the GPG key.
In the yum repo configuration file, the line gpgcheck=1 indicates that GPG checking should be done for all packages in this repository.
For instance, here is a good example of repo file.
[webserver]
name=Web Server Repository
baseurl=https://repo.example.com/webserver/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=https://repo.example.com/webserver/RPM-GPG-KEY-webserver
enabled=1
- [webserver]: The name of the repository, which is used internally by YUM.
- name: A human-readable name for the repository.
- baseurl: The base URL to the directory where the repository’s package index (and packages themselves) are located.
$releasever and $basearch are variables that YUM will replace with your CentOS release version and architecture, respectively. - gpgcheck=1: This enables GPG signature checking for the packages from this repository. It’s set to 1, which means it’s enabled.
- gpgkey: The URL to the GPG key used to verify the packages. This key should be the public key that corresponds to the private key used to sign the packages.
- enabled=1: This makes the repository enabled, so YUM will use it when searching for packages. If you want to disable the repository without deleting the configuration file, change this to 0.
Import GPG Key
The gpgkey=URI line specifies the source of the key to be imported. This source can be any URI, including a local file or a remote web link.
If the GPG public key has not yet been imported to RPM when a package installation begins, then the yum (or dnf) utility can initiate an import of the key.
The yum or dnf utility will pause and ask for confirmation to import the key after showing the key ID and fingerprint.
warning: /var/cache/dnf/epel-fafd94c310c51e1e/packages/zsh-syntax-highlighting-0.7.1-1.el8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Extra Packages for Enterprise Linux 8 - x86_64 1.6 MB/s | 1.6 kB 00:00
Importing GPG key 0x2F86D6A1:
Userid : "Fedora EPEL (8) <[email protected]>"
Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Is this ok [y/N]: y
Reinstall the Package
If the GPG key is already present, but the package is still failing the GPG check, try reinstalling the package. This can sometimes resolve issues where the package’s metadata is outdated or corrupted.
sudo yum clean all
sudo yum makecache
sudo yum install package-nameContact the Repository Maintainer
If you’re unable to resolve the issue, consider reaching out to the maintainer of the repository. They may be able to provide further assistance or update the repository to resolve the issue.
Use a Different Repository
If the problem is specific to a particular repository, you might consider using a different repository that hosts the same packages. Switching to an alternative repository can bypass issues with a specific repository’s GPG keys or configuration.
Remember that GPG checks are an essential security feature, and bypassing them can expose your system to potential risks. Always ensure that you trust the source of the public key and the RPM package itself.
Note:
Yum has a GPG keyring for repos that support GPG metadata signing. On RHEL6/7 system, the relevant paths for this particular repo were:
/var/lib/yum/repos/x86_64/7/artifactory/gpgdir/var/lib/yum/repos/x86_64/7/artifactory/gpgdir-ro
if you need to remove the keys, you can use the following command
sudo gpg --homedir /var/lib/yum/repos/x86_64/7/artifactory/gpgdir --delete-key 12345678
sudo gpg --homedir /var/lib/yum/repos/x86_64/7/artifactory/gpgdir-ro --delete-key 12345678With RHEL/CentOS 8 and repos managed by DNF, the keys are now stored in
/var/cache/dnf/*/pubring
Here are the commands to remove the gpg keys.
sudo gpg --homedir /var/cache/dnf/postgres-dba-3698324c78783512/pubring --delete-key 0x230C0099
sudo gpg --homedir /var/cache/dnf/postgres-dba-3698324c78783512/pubring --delete-key 0x52370CDB
Disable GPG Checks for the Repository
If you cannot resolve the GPG check issue, you can disable it for a specific repository. Edit the repository configuration file (usually located in /etc/yum.repos.d/) and add gpgcheck=0 to the repository section.
How to fix GPG check FAILED error with rpm Package Installations
Import the Public Key
If the error specifies that a public key is missing, you’ll need to import it. Download the key and import it using:
sudo rpm --import /path/to/public/key
Or, if the key is available online, you can import it directly:
sudo rpm --import https://url/to/public/key.gpg
Since the metadata for the key is stored in the RPM database, you can query and delete keys the same as any package.
Use the following command to list the keys:
$ rpm -qa gpg-pubkey*
gpg-pubkey-7fac5991-4615767f
gpg-pubkey-2f86d6a1-5cf7cefb
If that is not possible, because the package is not signed or the public key is not available, you may need to specify the --nogpgcheck option to skip this step.