Google-chrome failed update due to "SIGNATURE: NOT OK"

Upstream ticket against rpm here:

You go to the Google website, download the .rpm package and install it with su/sudo rpm -i google*.rpm, which installs a specific repository, and choose on the fly stable or other, always updated using dnf … simple …

There are workarounds for mutable Fedora installs but that’s not useful for Silverblue users. Google will have to use a standard configuration for their packaging while rpm addresses this edge case upstream.

I rolled up to Silverblue 39 beta this morning and tried to use the built-in Chrome third-party repo in Software. Got the same error. Downloaded the .rpm from Google, rpm-ostree installed liberation-fonts, then rpm-ostree installed their .rpm and that landed it.
user@fedora ~/Downloads> ls
google-chrome-stable_current_x86_64.rpm
user@fedora ~/Downloads> sudo rpm-ostree install google-chrome-stable_current_x86_64.rpm
…
Writing OSTree commit… done
Staging deployment… done
Freed: 67.9 MB (pkgcache branches: 0)
Added:
google-chrome-stable-117.0.5938.88-1.x86_64

1 Like

So, what exactly is the solution here?
I’m using Fedora 38 (Workstation) and have been installing Chrome via the .rpm package on Google’s website.
Whenever there is an update available via the “Software” app, I’m unable to proceed with any system or other updates as long as Chrome is in the way. (Getting the “signature not ok” error message).

Are you downloading the rpm then attempting to install it? Or are you installing from the google chrome repo with normal updates?

I have never had an issue with google chrome, but I have the google-chrome repo enabled, which is available through the ‘hamburger menu’ in the gnome software app. Chrome is automatically updated and properly signed when I update in that manner.

You can check if the google-chrome repo is enabled with dnf repolist

I’m downloading and installing Chrome via the .rpm package on Google Chrome’s website every time a new version becomes available, as the one initially available on the Software app is out of date I believe.

I do have the google-chrome repo enabled as well via the hamburger menu. “dnf repolist” shows it as well.

Not true.
The currently installed chrome on my system is

$ dnf list installed google-chrome-stable
Installed Packages
google-chrome-stable.x86_64                                      117.0.5938.92-1                                      @google-chrome

Trying to install something newer has the potential of installing an unstable version.

That was initially installed using sudo dnf install google-chrome-stable and then is automatically kept up to date with each system upgrade. Installing with rpm-ostree should do the same.

Ah yes you’re right. It does have the latest version on the Software app.

I see what happened. The reason I turned to installing Chrome from outside the Software app via downloading a .rpm package was because I get the “Unable to install “Google Chrome” as not supported” error message whenever I do try to install it through the Software app.

I have the Google Chrome repositories enabled in the hamburger menu.

What would be the reason for this error message?

I had the same issue and error trying to install Chrome from Gnome software in Fedora 39. I also downloaded Chrome from the website and it installed with no issues.

But do you encounter the “signature not ok” error now whenever there are updates for Chrome via the software app?

No, in software it only showed it wasn’t supported. I’m guessing it was an issue that Gnome 45 was still in beta. I have not tried to remove Chrome and try and reinstall it with software now that Gnome 45 has been released.

There seems to be an issue in the way the software manager (gnome software) handles keys.

I just installed google-chrome-stable on my F39 VM with dnf, and other than some messages about expired keys it was able to do the install.

$ sudo dnf install google-chrome-stable
Last metadata expiration check: 0:18:54 ago on Fri 29 Sep 2023 10:04:02 AM CDT.
Dependencies resolved.
====================================================================================================================================
 Package                              Architecture           Version                          Repository                       Size
====================================================================================================================================
Installing:
 google-chrome-stable                 x86_64                 117.0.5938.132-1                 google-chrome                   104 M
Installing dependencies:
 liberation-fonts                     noarch                 1:2.1.5-7.fc39                   updates-testing                 7.5 k

Transaction Summary
====================================================================================================================================
Install  2 Packages

Total download size: 104 M
Installed size: 324 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): liberation-fonts-2.1.5-7.fc39.noarch.rpm                                                      72 kB/s | 7.5 kB     00:00    
(2/2): google-chrome-stable-117.0.5938.132-1.x86_64.rpm                                              49 MB/s | 104 MB     00:02    
------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                41 MB/s | 104 MB     00:02     
google-chrome                                                                                       969  B/s |  14 kB     00:15    
Importing GPG key 0xD38B4796:
 Userid     : "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>"
 Fingerprint: EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
 From       : https://dl.google.com/linux/linux_signing_key.pub
Is this ok [y/N]: y
warning: Certificate 7721F63BD38B4796:
  Subkey 1397BC53640DB551 is expired: The subkey is not live
  Subkey 78BD65473CB3BD13 is expired: The subkey is not live
  Subkey 6494C6D6997C215E is expired: The subkey is not live
Key imported successfully
Importing GPG key 0x7FAC5991:
 Userid     : "Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>"
 Fingerprint: 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
 From       : https://dl.google.com/linux/linux_signing_key.pub
Is this ok [y/N]: y
warning: Certificate A040830F7FAC5991:
  Policy rejects subkey 4F30B6B4C07CB649: Policy rejected asymmetric algorithm
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                            1/1 
  Installing       : liberation-fonts-1:2.1.5-7.fc39.noarch                                                                     1/2 
  Running scriptlet: google-chrome-stable-117.0.5938.132-1.x86_64                                                               2/2 
  Installing       : google-chrome-stable-117.0.5938.132-1.x86_64                                                               2/2 
  Running scriptlet: google-chrome-stable-117.0.5938.132-1.x86_64                                                               2/2 
  Verifying        : liberation-fonts-1:2.1.5-7.fc39.noarch                                                                     1/2 
  Verifying        : google-chrome-stable-117.0.5938.132-1.x86_64                                                               2/2 

Installed:
  google-chrome-stable-117.0.5938.132-1.x86_64                        liberation-fonts-1:2.1.5-7.fc39.noarch                       

Complete!
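An added example, not part of the thread or of dnf/rpm: it parses the key-import lines of the output above into a map of certificate fingerprint to the subkeys reported as expired or policy-rejected, so a key ID taken from a package's signature can be checked against them. The function names are illustrative.

```python
import re

# Excerpt of the key-import messages from the dnf output quoted above.
TRANSCRIPT = """\
Importing GPG key 0xD38B4796:
 Fingerprint: EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
warning: Certificate 7721F63BD38B4796:
  Subkey 1397BC53640DB551 is expired: The subkey is not live
  Subkey 78BD65473CB3BD13 is expired: The subkey is not live
  Subkey 6494C6D6997C215E is expired: The subkey is not live
Importing GPG key 0x7FAC5991:
 Fingerprint: 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
warning: Certificate A040830F7FAC5991:
  Policy rejects subkey 4F30B6B4C07CB649: Policy rejected asymmetric algorithm
"""

def parse_key_imports(text):
    """Map each imported certificate fingerprint to {subkey_id: reason}."""
    certs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Fingerprint:\s*([0-9A-F ]+)$", line, re.I):
            current = m.group(1).replace(" ", "").upper()
            certs[current] = {}
        elif m := re.match(r"warning: Certificate ([0-9A-F]{16}):", line, re.I):
            # The certificate ID is the last 16 hex digits of the fingerprint.
            cid = m.group(1).upper()
            current = next((f for f in certs if f.endswith(cid)), None)
        elif current and (m := re.match(
                r"Subkey ([0-9A-F]{16}) is expired: (.+)", line, re.I)):
            certs[current][m.group(1).upper()] = "expired: " + m.group(2)
        elif current and (m := re.match(
                r"Policy rejects subkey ([0-9A-F]{16}): (.+)", line, re.I)):
            certs[current][m.group(1).upper()] = m.group(2)
    return certs

def check_signer(certs, key_id):
    """Return (fingerprint, reason) if key_id is a flagged subkey, else None."""
    key_id = key_id.upper()
    if key_id.startswith("0X"):
        key_id = key_id[2:]
    for fpr, flagged in certs.items():
        if key_id in flagged:
            return fpr, flagged[key_id]
    return None

if __name__ == "__main__":
    for fpr, flagged in parse_key_imports(TRANSCRIPT).items():
        print(fpr, flagged)
```

The key ID to pass to `check_signer` is the one shown in the Signature line of `rpm -qpi` for the downloaded package.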

Install: OK, fine, but does it work, synchronizing the same account on other devices, Google Workspace, Drive cloud resources … otherwise you’re just lost in space …

Thanks a lot — that helped with Fedora 39 and Google Chrome update error

Fixed it for me:

  1. download latest rpm
  2. sudo rpm -U google-chrome-stable_current_x86_64.rpm

Something interesting I found online, and it actually works, so this is something to share upstream and for others to see/check and test: I found that there are different URL and GPG key paths in the Fedora repo file than what I found online, and after editing google-chrome.repo with the details below I can layer Google Chrome and don't get any GPG signature errors. This is tested on F39 Silverblue and F40 beta Silverblue.

[google-chrome]
name=google-chrome
baseurl=http://dl.google.com/linux/chrome/rpm/stable/$basearch
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub

Also, at first installation I edit the repo file and set gpg check to 0, install Chrome and then put gpg check back to 1, and again all works, so I guess using the default repo files is still valid, but on first install gpg check needs to be off and after that it seems fine again to use.

Using kinoite 39, setting gpgcheck=0 made it possible to install chrome but after restoring it to 1, upgrades fail with a signature error.

1 Like
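An added example, not part of the thread or of any Fedora or Google tooling: a small audit of .repo file text that reports the gpgcheck=0 workaround discussed in the last posts if it is left in place, along with key or package URLs fetched over plain HTTP. The function names, the severity labels and the gpgcheck=0 variant of the file are constructed for illustration.

```python
import configparser

TRUE = {"1", "yes", "true", "on"}     # boolean spellings dnf accepts
FALSE = {"0", "no", "false", "off"}

# The repo file as posted above.
REPO_AS_POSTED = """\
[google-chrome]
name=google-chrome
baseurl=http://dl.google.com/linux/chrome/rpm/stable/$basearch
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub
"""
# Constructed variant: the same file with the gpgcheck=0 workaround left in.
REPO_WORKAROUND = REPO_AS_POSTED.replace("gpgcheck=1", "gpgcheck=0")

def urls(section, option):
    """Split a space- or comma-separated URL option into a list."""
    return section.get(option, "").replace(",", " ").split()

def audit_repo(text):
    """Return (repo_id, severity, message) findings for .repo file text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip().lower() in FALSE:
            continue  # disabled repos are not used by default
        gpgcheck = sec.get("gpgcheck", "").strip().lower()
        if gpgcheck in FALSE:
            findings.append((repo, "high",
                "gpgcheck is off: packages install without signature verification"))
        elif gpgcheck not in TRUE:
            findings.append((repo, "warn",
                "gpgcheck not set here: the [main] value in dnf.conf applies"))
        keys = urls(sec, "gpgkey")
        if gpgcheck in TRUE and not keys:
            findings.append((repo, "warn", "gpgcheck is on but no gpgkey is listed"))
        for url in keys:
            if url.lower().startswith("http://"):
                findings.append((repo, "high", f"gpgkey fetched over plain HTTP: {url}"))
        for opt in ("baseurl", "metalink", "mirrorlist"):
            if any(u.lower().startswith("http://") for u in urls(sec, opt)):
                findings.append((repo, "info",
                    f"{opt} uses plain HTTP: only the signature check protects packages"))
    return findings

if __name__ == "__main__":
    for finding in audit_repo(REPO_WORKAROUND):
        print(*finding, sep=": ")
```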