The GPG keys listed for the "packages for the GitHub CLI" repository are already installed but they are not correct for this package

I have no idea how to fix this. Please help!

Please do this:

curl -fsSL -o /var/tmp/githubcli-archive-keyring.gpg \
    https://cli.github.com/packages/githubcli-archive-keyring.gpg
gpg --keyring /var/tmp/githubcli-archive-keyring.gpg \
    --no-default-keyring --export --armor > /var/tmp/githubcli-archive-keyring.asc
sudo rpm --import /var/tmp/githubcli-archive-keyring.asc

and update again

Reported in upstream

https://github.com/cli/cli/issues/6175#issuecomment-1238495070

Additional Information

1. The ROOT cause of the problem:

gpg-pubkey-b97541f0-5f4fcd75

Installed key has expired → [ 3] b97541f0-5f4fcd75 Build date 2020-09-02 Expiration Date 2022-09-02

The original key is taken from this instruction in gh-cli.repo in /etc/yum.repos.d/

gpgkey=http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xc99b11deb97541f0

You can verify this key with the following two commands:

rpm -qi gpg-pubkey-b97541f0-5f4fcd75

or

rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

This is a little script to manage this kind of thing and get more help with this. I found it; credit goes to the original writer:

Scripts

#!/bin/bash
#: Title : lskeys
#: Date Created : Thu Oct 27 22:44:20 PDT 2011
#: Last Edit : Fri Nov 18 23:17:02 PST 2011
#: Author : Agnelo de la Crotche (please_try_again)
#: Version : 2.0
#: Description : lists, exports, deletes RPM GPG keys
#: Syntax : lskeys [option]
#: Options : -e --export : exports selected key
#: : -d --delete : erases selected key

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# linux and dist are forced to lowercase.
# Arrays: K = key name, E = expiry date, N = short name, T = creation date, S = summary
declare -l linux dist
declare -a K E N T S

# Detect the distribution, falling back to the /etc/*-release file name
if ( which lsb_release &>/dev/null ) ; then
    linux=$(lsb_release -si | tr -d " ")
else
    linux=$(sudo find /etc ! -name "meta*" ! -name "lsb*" ! -name "system*" ! -name "jpackage*" -name "*-release" -exec basename "{}" -release ";" 2>/dev/null | sort | head -1)
fi

case $linux in
    fedora|suse|suselinux|mandrivalinux) dist=rpm ;;
    ubuntu|linuxmint|debian) dist=apt ;;
    *) exec echo "unsupported distro" ;;
esac

[ "x$1" == "x-e" -o "x$1" == "x--export" ] && EXPORT=1
[ "x$1" == "x-d" -o "x$1" == "x--delete" ] && DELETE=1

i=0

# Fill the arrays from the package manager's key store.
# NOTE: the sed/awk escapes (\( \) * \" \/) were missing from the copy on this
# page and are restored here as an assumption; check them against real
# `rpm -qi` / `apt-key list` output before relying on the result.
# NOTE: eval runs text derived from key user IDs, so only run this against a
# key store whose contents you already trust.
function listkeys {
    case $dist in
        rpm)
            for k in $(rpm -qa gpg-pubkey*) ; do
                let i++ ; K[$i]=$k ; N[$i]=${k/gpg-pubkey-/}
                eval $(LC_ALL=C rpm -qi $k | gpg --with-key-data 2>/dev/null | awk -F ":" '/^pub/ { gsub(/\x3/,":", $10) ; if ($6 ~ /-/ ) printf "%s;%s;", $6, $10 ; else printf "%s;%s;", strftime("%Y-%m-%d", $6), $10 ; if ( $7 ~ /-/ ) printf "%s" , $7 ; else if ( $7 ) printf "%s", strftime("%Y-%m-%d", $7) ; printf "\n" }' | sed "s|\(.*\);\(.*\);\(.*\)|T[$i]=\"\1\";S[$i]=\"\2\";E[$i]=\"\3\";|")
            done
            ;;
        apt)
            eval $(LC_ALL=C apt-key list | sed -e '/^sub/d' | sed -e :a -e '$!N;s/\nuid  */; /;ta' -e 'P;D' | sed -n 's/pub  *//p' | sed 's/>;.*//;s| |;|;s|\(.*\) \[expires: \([0-9-]*\)\]; \(.*\)|\1;\3;\2|;s|; |;|g' | awk -F ";" '{ K=$1 ; sub(/.*\//, "", K) ; N=$1 ; sub(/\//, "-", N) ; printf "K[%i]=\"%s\";N[%i]=\"%s\";T[%i]=\"%s\";S[%i]=\"%s\";\n", NR, K, NR, N, NR, $2, NR, $3 ; if ($4) printf "E[%i]=\"%s\";", NR, $4 }' 2>/dev/null)
            ;;
        *) return 1 ;;
    esac
}

# Show one key (package info on rpm, armored export on apt)
function viewkey {
    case $dist in
        rpm) rpm -qi $1 ;;
        apt) apt-key export $1 ;;
        *) return 1 ;;
    esac
}

# Remove one key from the key store
function deletekey {
    case $dist in
        rpm) rpm -e $1 ;;
        apt) apt-key del $1 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the given YYYY-MM-DD date is in the past
function isExpired {
    keyTime=$(echo "${@//-/ } 00 00 00" | awk '{ print mktime($0) }')
    sysTime=$(awk 'BEGIN { print systime() }')
    [ $keyTime -lt $sysTime ] && return 0 || return 1
}

listkeys

# Print the key table; expired keys are shown in red
i=1
while [ $i -le ${#N[@]} ] ; do
    KCL=$(tput setaf 7) ; TCL=$(tput sgr0) ; SCL=$(tput setaf 2)
    [ "${E[$i]}" ] && isExpired ${E[$i]} && { KCL=$(tput setaf 1); TCL=$(tput setaf 1) ; SCL=$(tput setaf 1); }
    printf "[%2s] %s%s%-20s%s%-13s%s%-13s%s%s%s\n" $i $(tput bold) $KCL ${N[$i]} $TCL "${T[$i]}" $(tput setaf 1) "${E[$i]}" $SCL "${S[$i]}" $(tput sgr0)
    let i++
done
let i--

# j is forced to uppercase so that "q" also quits
declare -u j=0

while [ $j -lt 1 -o $j -gt $i ] ; do
    read -p "view key [1-$i or Q to quit]: " j
    [ "$j" == "Q" ] && break
    j=$(($j*1))
    echo
    [ "${K[$j]}" ] && viewkey ${K[$j]}
    if [ "$EXPORT" ] ; then
        GPG="$(echo $dist | tr "[:lower:]" "[:upper:]")GPG-${N[$j]}.key"
        echo $GPG
        viewkey ${K[$j]} | sed -n '/BEGIN/,/END/p' > $GPG && printf "\nKey %s%s%s%s successfully written in %s%s/%s%s\n" $(tput bold) $(tput setaf 3) ${N[$j]} $(tput sgr0) $(tput bold) $(pwd) $GPG $(tput sgr0)
    elif [ "$DELETE" ] ; then
        declare -u YN
        YN=""
        while [ "x$YN" != "xY" -a "x$YN" != "xN" ] ; do
            read -p "Delete key ${K[$j]}? [y/n] " YN
            [ "$YN" == "Y" ] && deletekey ${K[$j]} && printf "\nKey %s%s%s%s successfully deleted.\n" $(tput bold) $(tput setaf 3) ${K[$j]} $(tput sgr0)
        done
    fi
done

This is Why every package should be signed:

2. Code Comments

Download the new GPG key to a temporary directory:

curl -fsSL -o /var/tmp/githubcli-archive-keyring.gpg \
    https://cli.github.com/packages/githubcli-archive-keyring.gpg

Create the new GPG key as a .asc file:

gpg --keyring /var/tmp/githubcli-archive-keyring.gpg \
    --no-default-keyring --export --armor > /var/tmp/githubcli-archive-keyring.asc

Import the new key into the RPM system:

sudo rpm --import /var/tmp/githubcli-archive-keyring.asc

The new key is:

gpg-pubkey-75716059-63172e8a

3. Solve the problem or will have to be reapplied at the next gh update

This approach solves the problem because the new GPG key has a new expiration date, which is 2024-09-06.

4. different actions (if any) gh users will have to take once the bug is fixed

Users will have to do nothing after the bug is fixed, but at the time I wrote these lines the git-cli.repo had been updated and fixed with the new key; see the Important Note below…

5. What action the $USER needs to do if it happened again?

  1. Do some research on where the new key is stored and do the steps above.
  2. Wait until GitHub updates the CLI repo.
  3. Ask the same question here.

Important Note

The gh-cli.repo for Fedora has changed, so it is good practice to update it, and I suppose the new key is updated there:

[gh-cli]
name=packages for the GitHub CLI
baseurl=https://cli.github.com/packages/rpm
enabled=1
gpgkey=https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x23F3D4EA75716059

Regards.,

8 Likes
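
Added example (not part of the thread or of the GitHub CLI project): a check to run on the downloaded key before `rpm --import` in the procedure above. It confirms that the key carries the ID pinned in gh-cli.repo and has not expired, and shows how the `gpg-pubkey-…` names quoted in the answer map to a key ID and creation time. The function names and the sample records are constructed; the key IDs and rpm names are the ones from the thread.

```shell
#!/bin/sh
# Added example. Typical use, with the paths from the answer above:
#   gpg --show-keys --with-colons /var/tmp/githubcli-archive-keyring.gpg |
#       vet_key 0x23F3D4EA75716059 "$(date +%s)"

# Constructed `pub` records in gpg's colon format (field 5 = key ID,
# field 6 = creation epoch, field 7 = expiry epoch). Key IDs are the ones in
# the thread; creation times decode the rpm release fields; expiry epochs,
# key size and flags are constructed to match the dates quoted in the thread.
OLD_KEY='pub:e:4096:1:C99B11DEB97541F0:1599065461:1662137461::-:::sc::::::23::0:'
NEW_KEY='pub:-:4096:1:23F3D4EA75716059:1662463626:1725622026::-:::sc::::::23::0:'

# rpm_key_name KEYID CREATED_EPOCH
# Builds the name rpm lists for the keys in this thread: last 8 hex digits of
# the key ID, then the creation time in hex.
rpm_key_name() {
    short=$(printf '%s' "${1#0x}" | tr 'A-F' 'a-f' | tail -c 8)
    printf 'gpg-pubkey-%s-%x\n' "$short" "$2"
}

# vet_key EXPECTED_KEYID NOW_EPOCH   (colon records on stdin)
# Prints "ok", "expired", or "mismatch" (expected key ID not present).
vet_key() {
    want=$(printf '%s' "${1#0x}" | tr 'a-f' 'A-F')
    awk -F: -v want="$want" -v now="$2" '
        $1 == "pub" && toupper($5) == want {
            found = 1
            # An empty field 7 means the key has no expiry date.
            if ($7 != "" && $7 + 0 <= now + 0) expired = 1
        }
        END {
            if (!found)       print "mismatch"
            else if (expired) print "expired"
            else              print "ok"
        }'
}
```

The repo file pins a 64-bit key ID, so that is what this compares; where the publisher gives a full fingerprint out of band, compare the `fpr` record against that instead.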

Thanks so very much! It worked well. If you ever find yourself in Canada, I owe you some beers.

Peter


Reported in upstream

github.com/cli/cli: "GPG key used to sign debian packages is expired" (bug, p1), matt-allan
opened 05:18PM - 02 Sep 22 UTC, closed 09:57AM - 07 Sep 22 UTC

Describe the bug You can’t install the CLI from the .deb package on Ubu

Regards.,

1 Like

Thank you very much for adding your expertise to solve this. This answer helped me solve the same issue that I’ve lived through during the past 2 gh updates.

There’s nothing wrong with your answer - it solves it for now - but it would be additionally helpful to know as/if your time allows:

  1. The root cause of the problem,
  2. A summary of what the commands you’ve given do to address the root cause (code comments),
  3. Whether executing these commands solve the problem indefinitely or will have to be reapplied at the next gh update, and
  4. Since you’ve linked to a gh cli bug report, different actions (if any) gh users will have to take once the bug is fixed.

I apologize for being a PITA inspired by my technical training and related profession. I’ll pursue answers on my own, but I doubt that I have the depth of knowledge that you have in these topics to get to correct answers.

Thanks,

Greg.

No problem at all. I will add a checklist, and I will update the original solution in the post details when I am available:

The root cause of the problem
code comments
solve the problem or will have to be reapplied at the next gh update
different actions (if any) gh users will have to take once the bug is fixed.

Regards.,

I’m trying to update the github package but I’m getting an error. I would appreciate a pointer on how to resolve this

sudo dnf install gh-2.16.0-1.x86_64
Last metadata expiration check: 0:28:13 ago on Thu Sep 22 06:20:59 2022.
Dependencies resolved.
========================================================================================================================
 Package                 Architecture                Version                          Repository                   Size
========================================================================================================================
Upgrading:
 gh                      x86_64                      2.16.0-1                         gh-cli                      7.7 M

Transaction Summary
========================================================================================================================
Upgrade  1 Package

Total size: 7.7 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] gh_2.16.0_linux_amd64.rpm: Already downloaded
packages for the GitHub CLI                                                             5.1 kB/s | 2.5 kB     00:00
GPG key at https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xc99b11deb97541f0 (0xB97541F0) is already installed
The GPG keys listed for the "packages for the GitHub CLI" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: gh-2.16.0-1.x86_64
 GPG Keys are configured as: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xc99b11deb97541f0
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Many thanks, fix worked well