The GPG keys listed for the "ICINGA (stable release)" repository are arlready installed but they are not correct for this package

I’m trying to install icinga2 on an Oracle Linux 7 machine, and this is what I keep running into. Does anyone have a solution?

[oracle@server yum.repos.d]$ sudo yum install icinga2-bin
Loaded plugins: langpacks, ulninfo
Resolving Dependencies
→ Running transaction check
—> Package icinga2-bin.x86_64 0:2.14.2-1.el7 will be installed
→ Processing Dependency: libboost_date_time.so.1.69.0()(64bit) for package: icinga2-bin-2.14.2-1.el7.x86_64
→ Processing Dependency: libboost_filesystem.so.1.69.0()(64bit) for package: icinga2-bin-2.14.2-1.el7.x86_64
→ Processing Dependency: libboost_iostreams.so.1.69.0()(64bit) for package: icinga2-bin-2.14.2-1.el7.x86_64
→ Processing Dependency: libboost_program_options.so.1.69.0()(64bit) for package: icinga2-bin-2.14.2-1.el7.x86_64
→ Processing Dependency: libboost_regex.so.1.69.0()(64bit) for package: icinga2-bin-2.14.2-1.el7.x86_64
→ Running transaction check
—> Package boost169-date-time.x86_64 0:1.69.0-2.el7 will be installed
—> Package boost169-filesystem.x86_64 0:1.69.0-2.el7 will be installed
—> Package boost169-iostreams.x86_64 0:1.69.0-2.el7 will be installed
—> Package boost169-program-options.x86_64 0:1.69.0-2.el7 will be installed
—> Package boost169-regex.x86_64 0:1.69.0-2.el7 will be installed
→ Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================================================================================================
Package Arch Version Repository Size

Installing:
icinga2-bin x86_64 2.14.2-1.el7 icinga-stable-release 4.8 M
Installing for dependencies:
boost169-date-time x86_64 1.69.0-2.el7 ol7_developer_EPEL 21 k
boost169-filesystem x86_64 1.69.0-2.el7 ol7_developer_EPEL 41 k
boost169-iostreams x86_64 1.69.0-2.el7 ol7_developer_EPEL 30 k
boost169-program-options x86_64 1.69.0-2.el7 ol7_developer_EPEL 125 k
boost169-regex x86_64 1.69.0-2.el7 ol7_developer_EPEL 260 k

Transaction Summary

Install 1 Package (+5 Dependent packages)

Total size: 5.3 M
Installed size: 23 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7Server/icinga-stable-release/packages/icinga2-bin-2.14.2-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 34410682: NOKEY
Retrieving key from https://packages.icinga.com/icinga.key

The GPG keys listed for the “ICINGA (stable release)” repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Failing package is: icinga2-bin-2.14.2-1.el7.x86_64
GPG Keys are configured as: https://packages.icinga.com/icinga.key

Did you notice the key exchange?

Can you delete the old key and install the new one`?

I’m not prompted to install the new keys, here’s how it looks:


Total download size: 6.1 M
Installed size: 8.2 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7Server/icinga-stable-release/packages/icinga2-doc-2.14.2-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 34410682: NOKEY
Public key for icinga2-doc-2.14.2-1.el7.x86_64.rpm is not installed
icinga2-doc-2.14.2-1.el7.x86_64.rpm | 6.1 MB 00:02
Retrieving key from https://packages.icinga.com/icinga.key

The GPG keys listed for the “ICINGA (stable release)” repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Failing package is: icinga2-doc-2.14.2-1.el7.x86_64
GPG Keys are configured as: https://packages.icinga.com/icinga.key

How do I remove the existing key? I followed the instructions in the link and did a sudo yum makecache, and that completed without errors, but it also did not prompt to download new keys. Runing yum to install icinga2-doc results in the same message as above.

Is there something special that has to be done to remove the previous key? This is Oracle Linux Server release 7.9.

sorry there is something I missed:

Required Actions for Users of EOL Distribution Versions

We will not re-sign packages for distribution versions that have reached their End-of-Life (EOL). Since our GPG key applies universally, its rotation will impact these EOL distributions as well (e.g., CentOS 7). Consequently, the new trusted key will no longer match the old package signatures.

Required actions for all End-of-Life RPM distributions:
1. Download our old key as soon as possible or extract it via rpm(8).
2. In your ICINGA-release.repo file, let gpgkey=point to the old key.

Existing Debian and Ubuntu installations are not affected by this issue. However, for future installations, the old key will need to be imported instead of the current one.

How do we locate and save the old key? I don’t see it under https://packages.icinga.com

Header V4 DSA/SHA1 Signature, key ID 34410682

Here you are:

https://web.archive.org/web/20230204125218/https://packages.icinga.com/icinga.key

1 Like

For the record, for the upcoming Icinga 2 security release the repositories for some EOL distributions were resigned with the new singing key, as we are planning to release fixed Icinga 2 versions for distributions we have prior discontinued. RHEL 7 is one of these.

Thus, starting from this very moment, you should be able to use the new signing key and do not have to pin the old one anymore. More details are available in the pre-announcement blog post.

2 Likes