Solved

NO_PUBKEY-Errors when Updating Centreon 23.10 on Debian 11

  • 16 April 2024

Badge +6

Hi all, we wanted to update to 23.10.11 from 23.10.10 and are getting the following errors - please advise.

 

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.centreon.com/apt-plugins-stable bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0395762573E50BC4
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.centreon.com/apt-standard-23.10-stable bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0395762573E50BC4
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.centreon.com/apt-connectors-stable bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0395762573E50BC4
W: Failed to fetch https://packages.centreon.com/apt-plugins-stable/dists/bullseye/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0395762573E50BC4
W: Failed to fetch https://apt.centreon.com/repository/22.10-plugin-packs/dists/bullseye/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0395762573E50BC4
W: Failed to fetch https://packages.centreon.com/apt-standard-23.10-stable/dists/bullseye/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0395762573E50BC4
W: Some index files failed to download. They have been ignored, or old ones used instead.
 


Best answer by rchauvel 16 April 2024, 11:38


Userlevel 5
Badge +17

the keys have been rotated. Please check https://docs.centreon.com/docs/security/key-rotation/

Badge +6

FYI: getting this error on all my Debian 11 machines now.

Badge +6

That was quick - thank you @rchauvel - site bookmarked so I don't forget.

Hi,

A small error in the documentation: there is an extra dash between names:

rpm -qi gpg-pubkey-3fc49c1b-6166eb52

Moreover, I have a question, because I installed a 22.10 just a few weeks ago (precisely to test the 23.10 upgrade), and it seems I don’t have the right key installed, which is strange because I have been able to install and upgrade, and still am, without a problem:

$ rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-fd431d51-4ae0493b    gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
gpg-pubkey-d4082792-5b32db75    gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)
[…]
gpg-pubkey-3fc49c1b-651d4c25    gpg(Centreon Enterprise Server Official Signing Key <admin@centreon.com>)
[…]


Could you help me understand what I’m doing wrong? I plan to upgrade this platform to 23.10 this week, and if I have to take such an action regarding the GPG keys during the upgrade to 23.10, I’d appreciate knowing it first.

Is the old (how old?) key I have still valid only for the 22.10 repository?

The repository which is used is

[centreon-22.10-stable]
name=Centreon open source software repository.
baseurl=https://packages.centreon.com/rpm-standard/22.10/el8/stable/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://yum-gpg.centreon.com/RPM-GPG-KEY-CES
module_hotfixes=1


The 22.10 doc about key rotation shows the same key that the doc for 23.10 is showing. The key at https://yum-gpg.centreon.com/RPM-GPG-KEY-CES is not the one which is present in the documentation (it is the one above). I followed https://docs.centreon.com/fr/docs/22.10/installation/installation-of-a-central-server/using-packages/ to install the 22.10, and https://docs.centreon.com/docs/upgrade/upgrade-from-22-10/ says nothing about GPG keys. So I really don’t get it.

Last thing: For security reasons, the keys used to sign Centreon RPMs or the Debian repository must be rotated occasionally.

Is it for security consideration that the period of rotation is so vaguely indicated?

Have a nice day.

Userlevel 3
Badge +4

Hello @Stéphane,

Can you clarify what the problem exactly is? What do you mean by “there is an extra dash between names”?
For your second question, you are on EL rather than Debian. The original post concerned only Debian, whose repo’s key has been rotated recently. As to the EL key, it was rotated in October 2021 and is still valid. Upgrading an EL8 from 22.10 to 23.10 will not result in a key error.

As to your 3rd question, maybe @rchauvel has information?

Regards

Userlevel 5
Badge +17

Well, the keys are regularly rotated because they come to expiry, or they could also occasionally rotate if a security event required so...

Hi,

No extra dash, I was doing something wrong and thought the command was “rpm -qi gpg-pubkey 3fc49c1b-6166eb52”. Sorry for the noise.

What I still do not understand is why, according to the documentation, I don’t have the right key on a 22.10 I installed a couple of weeks ago.
DNF does the GPG checks (gpgcheck=1 at both global and repository levels).

After I looked again I think the problem is just in the documentation which refers to package gpg-pubkey-3fc49c1b-6166eb52

In fact I have the right key, but it is packaged as gpg-pubkey-3fc49c1b-651d4c25

Just a documentation issue I think (the 23.10 documentation is the same as the 22.10 for that matter).

Have a nice day.
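The two package names compared in the posts above share the VERSION field and differ only in RELEASE. The following is an added example, not part of the thread or of Centreon's documentation, that decodes both fields. It assumes the usual RPM convention that VERSION is the short key ID and RELEASE is a hexadecimal Unix timestamp; the function names are hypothetical and GNU `date` is required.

```shell
#!/bin/sh
# Added example: decode RPM gpg-pubkey package names (NAME-VERSION-RELEASE).
# Assumption: VERSION = short (32-bit) key ID, RELEASE = Unix timestamp in hex.

# Print "<keyid> <UTC date>" for a name such as gpg-pubkey-3fc49c1b-6166eb52.
pubkey_decode() {
    nvr=${1#gpg-pubkey-}
    keyid=${nvr%%-*}
    rel=${nvr#*-}
    # Reject anything that is not exactly two 8-digit hex fields.
    case "$keyid$rel" in
        *[!0-9a-fA-F]*) echo "invalid"; return 1 ;;
    esac
    if [ "$nvr" != "$keyid-$rel" ] || [ ${#keyid} -ne 8 ] || [ ${#rel} -ne 8 ]; then
        echo "invalid"; return 1
    fi
    epoch=$((0x$rel))
    printf '%s %s\n' "$keyid" "$(date -u -d "@$epoch" +%Y-%m-%d)"
}

# Classify two package names: same name, same key ID with another release,
# or a different key ID altogether.
pubkey_compare() {
    a=$(pubkey_decode "$1") || { echo "invalid"; return 1; }
    b=$(pubkey_decode "$2") || { echo "invalid"; return 1; }
    if [ "$1" = "$2" ]; then
        echo "identical"
    elif [ "${a%% *}" = "${b%% *}" ]; then
        # A matching 8-digit ID is not proof of the same key:
        # confirm with the full fingerprint before trusting it.
        echo "same-key-id different-release"
    else
        echo "different-key-id"
    fi
}

# The documented name and the installed name quoted in the thread.
for name in gpg-pubkey-3fc49c1b-6166eb52 gpg-pubkey-3fc49c1b-651d4c25; do
    printf '%s -> %s\n' "$name" "$(pubkey_decode "$name")"
done
pubkey_compare gpg-pubkey-3fc49c1b-6166eb52 gpg-pubkey-3fc49c1b-651d4c25
```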

Userlevel 3
Badge +4

@Stéphane This is now fixed. Thanks for pointing it out!
