Zoom RPM signing key changed Nov 1, 2022

I got this error when doing sudo dnf update today:

$ sudo dnf update -y
[...]
zoom                                            3.6 kB/s | 1.8 kB     00:00    
GPG key at https://zoom.us/linux/download/pubkey (0x61A7C71D) is already installed
The GPG keys listed for the "zoom" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: zoom-5.12.6.173-1.x86_64
 GPG Keys are configured as: https://zoom.us/linux/download/pubkey
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

(Note: I have a daily script that updates a local yum repo with any new Zoom release. Zoom doesn’t offer a yum repo itself.)

The gpg key at https://zoom.us/linux/download/pubkey doesn’t match the key that the latest zoom rpm package (v5.12.6) was signed with.

Fingerprint of https://zoom.us/linux/download/pubkey :

$ gpg --show-keys <(curl -s https://zoom.us/linux/download/pubkey)
pub   rsa2048 2015-06-07 [SC]
      396060CADD8A75220BFCB369B903BF1861A7C71D
uid                      Zoom Video Communcations, Inc. Linux Package Signing Key <linux-package-signing-key@zoom.us>
sub   rsa2048 2015-06-07 [E]

Key ID (last 16 hex chars of fingerprint) of the key that was used to sign the zoom package:

$ rpm -qi ./zoom-5.12.6.173-1.rpm | grep -E '^Signature'
warning: ./zoom-5.12.6.173-1.rpm: Header V4 RSA/SHA512 Signature, key ID dd79b481: NOKEY
Signature   : RSA/SHA512, Mon 07 Nov 2022 01:22:58 AM HST, Key ID 7b04a1b8dd79b481

The fingerprints don’t match, hence the error I received.

Zoom has updated their RPM signing key on November 1, 2022:

In November 2022, Zoom is retiring the current key pair used to sign the Zoom desktop client for Linux, which customers can use to validate the Zoom desktop client. Users must download the new public key before attempting to upgrade to version 5.12.6, otherwise they will be unable to install this update. Prior versions (before 5.12.6) will not be impacted.

For versions 5.12.6 and higher, the Linux and Docker GPG signature thumbprint will change from “Key fingerprint: 3960 60CA DD8A 7522 0BFC B369 B903 BF18 61A7 C71D” to “Key fingerprint: 59C8 6188 E22A BB19 BD55 4047 7B04 A1B8 DD79 B481”.

Downloading the public key for Linux | Zoom Support

The new key has a different URL:

Fingerprint of new key:

$ gpg --show-keys <(curl -s https://zoom.us/linux/download/pubkey?version=5-12-6)
pub   rsa4096 2022-08-18 [SC]
      59C86188E22ABB19BD5540477B04A1B8DD79B481
uid                      Zoom Video Communications, Inc. <CryptoOpsCodeSignProd@zoom.us>
sub   rsa2048 2022-08-18 [A]
sub   rsa2048 2022-08-18 [E]

The last 16 hex chars of the fingerprint match the key id of the zoom-5.12.6.173-1.rpm package.

My dnf update was successful after importing the new key.

sudo rpm --import https://zoom.us/linux/download/pubkey?version=5-12-6
sudo dnf update

Should remove the old key:

rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} %{summary}\n' | grep -F zoom
sudo rpm --erase gpg-pubkey-61a7c71d-55740c4b
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} %{summary}\n' | grep -F zoom
1 Like