With update to 3.24 yum fails GPG checks

  • japicka
    Junior Member
    • Mar 2017
    • 4

    #1

    With update to 3.24 yum fails GPG checks

    Since the update this morning to 3.2.4, on any system where I have the repo package installed, I can no longer update zabbix. I get the following error:

    The GPG keys listed for the "Zabbix Official Repository - x86_64" repository are already installed but they are not correct for this package.

    If I go into /etc/yum.repos.d and edit zabbix.repo and turn off the GPG check the update proceeds normally.

    However you have changed your signing signature for the packages, perhaps you should update your repo package as well.
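An added example (not part of the original post) for the workaround described above: it lists the repo sections where signature checking has been switched off, so that a temporary `gpgcheck=0` can be found and reverted later. The sample `.repo` content, its section ids and the function name `unchecked_repos` are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list repo sections with gpgcheck disabled.

# Constructed .repo content; section ids and layout are assumptions. [zabbix]
# carries the workaround from the first post, the other section does not.
SAMPLE_REPO='[zabbix]
name=Zabbix Official Repository - $basearch
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-A14FE591

[zabbix-non-supported]
name=Zabbix Official Repository non-supported - $basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX'

# Read .repo text on stdin; print the id of each section that explicitly sets
# gpgcheck to a false value (0, no or false).
unchecked_repos() {
    awk '
        /^[ \t]*\[.*\][ \t]*$/ {
            id = $0
            sub(/^[ \t]*\[/, "", id); sub(/\][ \t]*$/, "", id)
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            v = tolower(v)
            if (v == "0" || v == "no" || v == "false") print id
        }
    '
}

# Scan the files given as arguments, or the sample when none are given.
if [ "$#" -gt 0 ]; then
    cat -- "$@" | unchecked_repos
else
    printf '%s\n' "$SAMPLE_REPO" | unchecked_repos
fi
```

On a real host, pass the files to scan as arguments, for example `/etc/yum.repos.d/*.repo`.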
  • Atsushi
    Senior Member
    • Aug 2013
    • 2028

    #2
    Is the version of the package that caused the error not 3.2.4-1?
    3.2.4-2 seems to be released, please retry.

    Comment

    • japicka
      Junior Member
      • Mar 2017
      • 4

      #3
      Not for Centos/RHEL 6

      3.2.4-1 is the latest release for RHEL/CENTOS 6, and it's still a problem.

      Comment

      • barmaleyka
        Junior Member
        • Mar 2017
        • 1

        #4
        both rhel7 and rhel6 packages are signed with the same key

        Code:
        # rpm -qip zabbix-agent-3.2.4-1.el6.x86_64.rpm zabbix-agent-3.2.4-1.el7.x86_64.rpm | grep -i sign
        Signature   : DSA/SHA1, Thu 02 Mar 2017 12:38:32 AM EST, Key ID d13d58e479ea5ed4
        Signature   : DSA/SHA1, Thu 02 Mar 2017 12:38:57 AM EST, Key ID d13d58e479ea5ed4

        zabbix-release package for both rhel7 and rhel6 uses

        Code:
        gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-A14FE591

        previous version of the rhel6 package was signed by the correct key

        Code:
        # rpm -qip zabbix-agent-3.2.3-1.el6.x86_64.rpm | grep -i sign
        Signature   : RSA/10, Thu 22 Dec 2016 01:29:18 AM EST, Key ID 082ab56ba14fe591

        Currently I can't install the package on the fresh server without manually importing the correct key -
        it can be downloaded, or just the key for the unsupported repo can be imported.

        On the servers with some history, where previous versions were installed before upgrading to the 3.2 branch,
        the correct key is imported. I can only assume that the packages before 3.2 were signed by ZABBIX-79EA5ED4,
        that's how it got imported. 3.2 switched to the new key ZABBIX-A14FE591 for whatever reason and was using it
        up to 3.2.4 release.

        Comment
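An added example (not part of the original post) of the comparison made above: it takes the `Key ID` from the `rpm -qip` signature lines and reports any signing key with no matching `gpg-pubkey` entry in rpm's keyring. The function names and the imported-key list are constructed assumptions; the signature lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): find signing keys rpm has not imported.

# Signature lines quoted in the thread (3.2.4-1 and 3.2.3-1 el6 packages).
SAMPLE_SIGS='Signature   : DSA/SHA1, Thu 02 Mar 2017 12:38:32 AM EST, Key ID d13d58e479ea5ed4
Signature   : RSA/10, Thu 22 Dec 2016 01:29:18 AM EST, Key ID 082ab56ba14fe591'

# Constructed `rpm -q gpg-pubkey` output for a fresh host that only has the
# A14FE591 key from zabbix-release; the release field is a placeholder.
SAMPLE_IMPORTED='gpg-pubkey-a14fe591-00000000'

# Print the unique 16-hex-digit key IDs from `rpm -qip` output on stdin.
sig_key_ids() {
    sed -n 's/^[[:space:]]*Signature[[:space:]]*:.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# rpm lists an imported key as gpg-pubkey-<last 8 hex digits of key ID>-<time>.
pubkey_pkg() {
    printf 'gpg-pubkey-%s\n' "${1#????????}"
}

# missing_keys SIGNATURE_TEXT IMPORTED_LIST
# Print every signing key ID that has no matching gpg-pubkey entry.
missing_keys() {
    printf '%s\n' "$1" | sig_key_ids | while read -r id; do
        printf '%s\n' "$2" | grep -q "^$(pubkey_pkg "$id")-" || printf '%s\n' "$id"
    done
}

# With package files as arguments on an rpm host, check them against the rpm
# keyring; otherwise run on the sample data above.
if [ "$#" -gt 0 ] && command -v rpm >/dev/null 2>&1; then
    missing_keys "$(rpm -qip "$@" 2>/dev/null)" "$(rpm -q gpg-pubkey)"
else
    missing_keys "$SAMPLE_SIGS" "$SAMPLE_IMPORTED"
fi
```

An empty result means every key that signed the given packages is already in the keyring.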

        • jan.garaj
          Senior Member
          Zabbix Certified Specialist
          • Jan 2010
          • 506

          #5
          Zabbix uses another GPG key from 3.2 version. Just use correct one:
          Old one: http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX
          New one (3.2+): http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591
          Devops Monitoring Expert advice: Dockerize/automate/monitor all the things.
          My DevOps stack: Docker / Kubernetes / Mesos / ECS / Terraform / Elasticsearch / Zabbix / Grafana / Puppet / Ansible / Vagrant

          Comment

          • japicka
            Junior Member
            • Mar 2017
            • 4

            #6
            Ok, but don't you think the repo RPM should be fixed

            Ok that's great, shouldn't the repo RPM be updated accordingly?

            Comment

            • jan.garaj
              Senior Member
              Zabbix Certified Specialist
              • Jan 2010
              • 506

              #7
              Probably old key has been used for 3.2.4 packages: https://support.zabbix.com/browse/ZBX-11868

              Workaround: import both keys
              Code:
              rpm --import http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-79EA5ED4
              rpm --import http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591

              Comment

              • neonardo1
                Junior Member
                • Mar 2017
                • 2

                #8
                The RPMs should be updated and signed with the correct key. Signing with the wrong key and then not fixing it only contributes to speculation of something potentially malicious.

                Waiting until the next release to fix the packages isn't acceptable.

                Comment

                • japicka
                  Junior Member
                  • Mar 2017
                  • 4

                  #9
                  Problem also exists on RHEL 7

                  Just verified that it is also an issue in RHEL 7 as well as 6.

                  Where I somewhat agree with another poster that changing the key is probably not the best idea, the Key they are changing to is installed with the REPO rpm.

                  So all you are really doing is changing to a different key that has been verified. However, I would like to see the zabbix people FIX the repo RPM or update it accordingly.

                  For now I am doing what the other poster said, changing it to the RPM-GPG-KEY-ZABBIX instead of RPM-GPG-KEY-ZABBIX-A14FE591. They are both installed by the repo RPM and they are both valid signing keys.

                  Comment

                  • Atsushi
                    Senior Member
                    • Aug 2013
                    • 2028

                    #10
                    The update procedure is as follows.

                    Code:
                    # yum update http://repo.zabbix.com/zabbix/3.2/rhel/7/x86_64/zabbix-release-3.2-1.el7.noarch.rpm
                    # yum clean all
                    # yum update zabbix-agent

                    You can upgrade the package if you import KEY for Zabbix 3.2 packages.

                    Comment
