zabbix-agent-3.2.4-2.el7.x86_64. GPG incorrect

  • misho
    Junior Member
    • May 2014
    • 4

    #1

    Hi,

    When I try to update zabbix-agent-3.2.4-2.el7.x86_64 I see:

    The GPG keys listed for the "Zabbix Official Repository - x86_64" repository are already installed but they are not correct for this package.
    Check that the correct key URLs are configured for this repository.

    Thanks!
  • jan.garaj
    Senior Member
    Zabbix Certified Specialist
    • Jan 2010
    • 506

    #2
    Devops Monitoring Expert advice: Dockerize/automate/monitor all the things.
    My DevOps stack: Docker / Kubernetes / Mesos / ECS / Terraform / Elasticsearch / Zabbix / Grafana / Puppet / Ansible / Vagrant


    • misho
      Junior Member
      • May 2014
      • 4

      #3
      OK,

      But it is not a good idea to mix 2 keys. Can we trust the old key? Because we are using automatic updates for servers.


      • jan.garaj
        Senior Member
        Zabbix Certified Specialist
        • Jan 2010
        • 506

        #4
        OK, there is no old key. There are 2 keys (actually more):
        1st one is used to sign 3.2- packages.
        2nd one is used to sign 3.2+ packages.

        There is no info that any private key has been compromised. So from the security point of view both keys are valid and you can trust them.
        Only the package maintainer has used the 3.2- key to sign 3.2+ packages (hopefully he will republish packages signed with the correct 3.2+ key soon). I don't see any security problem. It's only an administration problem - you need to import the additional 3.2- key to be able to verify 3.2+ packages.

        • neonardo1
          Junior Member
          • Mar 2017
          • 2

          #5
          The RPMs should be updated and signed with the correct key. Signing with the wrong key and then not fixing it only contributes to speculation of something potentially malicious.

          Waiting until the next release to fix the packages isn't acceptable.


          • vic
            Member
            • Jul 2013
            • 58

            #6
            I just uninstalled the old RPM and then installed the new one.

            Can't do this for CE6 unfortunately since there is no 3.2.4 release RPM for CE6 for some reason. So I just disabled the GPG check and changed the version number on those.
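
Added example, not part of the thread and not Zabbix's own tooling: a shell check that reads `rpm -Kv` output and separates the case described in post #4 (signer is a vetted vendor key that is simply not imported yet) from a signer you have never vetted, so automatic updates can keep `gpgcheck` enabled. The function names, key IDs and sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `rpm -Kv <file>.rpm` output; the key IDs are made up.
sample_rpm_kv() {
cat <<'EOF'
zabbix-agent-3.2.4-2.el7.x86_64.rpm:
    Header V4 DSA/SHA1 Signature, key ID 0000aaaa: NOKEY
    Header SHA1 digest: OK (constructed)
    V4 DSA/SHA1 Signature, key ID 0000aaaa: NOKEY
    MD5 digest: OK (constructed)
EOF
}

# Print the distinct signing key IDs (lower-case) found in `rpm -Kv` output on stdin.
signing_key_ids() {
    sed -n 's/.*[Ss]ignature, key ID \([0-9A-Fa-f]*\).*/\1/p' | tr 'A-F' 'a-f' | sort -u
}

# classify_signer "<trusted ids>" "<imported ids>"   (reads `rpm -Kv` output on stdin)
#   trusted  = key IDs you verified out of band against the vendor's published keys
#   imported = key IDs already in the rpm database, e.g. on a real host:
#              rpm -q gpg-pubkey --qf '%{VERSION} '
# Prints: unsigned | untrusted:<id> | import-needed:<id> | ok
classify_signer() {
    trusted=$1; imported=$2
    ids=$(signing_key_ids)
    [ -n "$ids" ] || { echo unsigned; return 1; }
    for id in $ids; do
        # Signer not on the vetted list: do not install, investigate.
        case " $trusted " in *" $id "*) ;; *) echo "untrusted:$id"; return 1 ;; esac
        # Vetted but missing from the rpm database: import that key, then retry.
        case " $imported " in *" $id "*) ;; *) echo "import-needed:$id"; return 2 ;; esac
    done
    echo ok
}

# Demo on the constructed sample: two vetted vendor keys, only one imported.
sample_rpm_kv | classify_signer "0000aaaa 0000bbbb" "0000bbbb" || true
```
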
