Zoom signature keys are not good for Fedora 44

Before I upgraded my Fedora 43 to Fedora 44 Zoom repo configured according to these instructions in Fedora Documentation worked properly. But in Fedora 44 the signature key of Zoom RPM repository isn’t recognized.

For example:

$ sudo dnf upgrade --refresh
Updating and loading repositories:
 Fedora 44 - x86_64 - Updates                                                                                                   100% |   2.2 KiB/s |   6.2 KiB |  00m03s
 RPM Fusion for Fedora 44 - Nonfree - Updates                                                                                   100% |   5.6 KiB/s |  14.9 KiB |  00m03s
 RPM Fusion for Fedora 44 - Nonfree tainted                                                                                     100% |   6.2 KiB/s |  14.8 KiB |  00m02s
 RPM Fusion for Fedora 44 - Nonfree                                                                                             100% |   9.2 KiB/s |  16.0 KiB |  00m02s
 RPM Fusion for Fedora 44 - Free - Updates                                                                                      100% |   7.9 KiB/s |  11.4 KiB |  00m01s
 RPM Fusion for Fedora 44 - Free                                                                                                100% |  10.3 KiB/s |  11.9 KiB |  00m01s
 Fedora 44 openh264 (From Cisco) - x86_64                                                                                       100% |   1.6 KiB/s | 986.0   B |  00m01s
 Fedora 44 - x86_64                                                                                                             100% |  54.0 KiB/s |  18.7 KiB |  00m00s
 Visual Studio Code                                                                                                             100% |  15.8 KiB/s |   1.5 KiB |  00m00s
 zoom (release)                                                                                                                 100% |   9.6 KiB/s |   3.8 KiB |  00m00s
>>> repomd.xml GPG signature verification error: Bad PGP signature: Verifying a signature using certificate 84C365D6CC9A4886CA926BCC4F2197399706AC24 (Zoom Communications, Inc. <CryptoOpsCodeSignProd@zoom.us>):
  Key 4F2197399706AC24 invalid: not signing capable
Repositories loaded.
Nothing to do.

According to the following Zoom’s site there two versions of the key - for versions below 6.7.5 and for versions 6.7.5 and higher: https://zoom.us/download?os=linux

The Zoom installation instructions in the Fedora Documentation still use the old key. I tried both versions but all are incorrect:

$ sudo rpmkeys --import https://zoom.us/linux/download/pubkey?version=6-3-10
warning: Certificate DDE0E6222047091F:
  Certificate does not have any usable signing keys

$ sudo rpmkeys --import https://zoom.us/linux/download/pubkey?version=6-7-5
warning: Certificate 4F2197399706AC24:
  Certificate does not have any usable signing keys

$ sudo rpmkeys --import https://zoom.us/linux/download/pubkey
warning: Certificate 4F2197399706AC24:
  Certificate does not have any usable signing keys

This seems to be a known issue, at least according to https://linuxcapable.com/install-zoom-on-fedora-linux/

Zoom documents RPM validation with its 2026 key, but Fedora 44 currently rejects the package signature as invalid and not signing-capable.

But It doesn’t explain what’s wrong with that public key of Zoom in Fedora 44 and what was changed between Fedora 43 and 44 that triggered this issue.

I’ve also found following key and its signature:

• https://repo.zoom.us/repo/rpm/release/repodata/repomd.xml.key
• https://repo.zoom.us/repo/rpm/release/repodata/repomd.xml.asc

The key file is a little bit different but the key itself seems to be the same, at least its certificate id:

$ sudo rpmkeys --import https://repo.zoom.us/repo/rpm/release/repodata/repomd.xml.key
warning: Certificate 4F2197399706AC24:
  Certificate does not have any usable signing keys

Could someone explain what happened and how should this be fixed properly? Should Zoom update their public key or should Fedora 44 be changed somehow to accept Zoom’s current public key of their RPM repo?

In general, I found zoom’s flatpak to work reliably on Fedora and be better isolated.

For the rpm key: Have you tried removing it (rpmkeys -e) and then importing it again? There is or was a bug where rpm would not update an existing key with new signatures, so it’s possible your copy of the key has expired signatures only.

For the rpm key: Have you tried removing it (rpmkeys -e) and then importing it again?

Yes I did it but got exactly the same result during importing the keys again.

It’s also interesting that a much shorter key of Microsoft’s VS Code RPM repo is still ok in Fedora 44.

Microsoft key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BSN Pgp v1.1.0.0

mQENBFYxWIwBCADAKoZhZlJxGNGWzqV+1OG1xiQeoowKhssGAKvd+buXCGISZJwT
LXZqIcIiLP7pqdcZWtE9bSc7yBY2MalDp9Liu0KekywQ6VVX1T72NPf5Ev6x6DLV
7aVWsCzUAF+eb7DC9fPuFLEdxmOEYoPjzrQ7cCnSV4JQxAqhU4T6OjbvRazGl3ag
OeizPXmRljMtUUttHQZnRhtlzkmwIrUivbfFPD+fEoHJ1+uIdfOzZX8/oKHKLe2j
H632kvsNzJFlROVvGLYAk2WRcLu+RjjggixhwiB+Mu/A8Tf4V6b+YppS44q8EvVr
M+QvY7LNSOffSO6Slsy9oisGTdfE39nC7pVRABEBAAG0N01pY3Jvc29mdCAoUmVs
ZWFzZSBzaWduaW5nKSA8Z3Bnc2VjdXJpdHlAbWljcm9zb2Z0LmNvbT6JATQEEwEI
AB4FAlYxWIwCGwMGCwkIBwMCAxUIAwMWAgECHgECF4AACgkQ6z6Urb4SKc+P9gf/
diY2900wvWEgV7iMgrtGzx79W/PbwWiOkKoD9sdzhARXWiP8Q5teL/t5TUH6TZ3B
ENboDjwr705jLLPwuEDtPI9jz4kvdT86JwwG6N8gnWM8Ldi56SdJEtXrzwtlB/Fe
6tyfMT1E/PrJfgALUG9MWTIJkc0GhRJoyPpGZ6YWSLGXnk4c0HltYKDFR7q4wtI8
4cBu4mjZHZbxIO6r8Cci+xxuJkpOTIpr4pdpQKpECM6x5SaT2gVnscbN0PE19KK9
nPsBxyK4wW0AvAhed2qldBPTipgzPhqB2gu0jSryil95bKrSmlYJd1Y1XfNHno5D
xfn5JwgySBIdWWvtOI05gw==
=zPfd
-----END PGP PUBLIC KEY BLOCK-----

Zoom 6-7-5 key:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGlpCqUBEACfRY5Qjdvl7bW2kMmc+pij2GUgE7QTIESTBOqkAm6yNjphNGWJ
g9a+tm04T6hgUqQt6bYQO/Ix3dJocLxkxeu6MMJTkJ2SjDRLtrtQkx8dboYP74Ik
fJWIBMck/mazppM0tic8KFloVwdfepX4UUWCZwTFCpjmL42pmFKL//AaPIyH3Act
DSE8Zzu7c9Ml23HYhAGiSk49jvfNQmbC7JrzrRg5cv0ElMFewOaAREULbwRvHvmy
lzwHThUBwancfiIw28/r8DvhhD//BaFYbEfxMpZTYULCXj3SjhotIzSpJ6wnVfQs
9yLTmDXj9Lyft15AmV3wUQ/vlA7GUSaFwGCmbCKLDLEC4b47TAjCSnzUeG4/1ys8
HTsfKV4/HrxbPGToT80SMN8WshbwilwYaYUbBw7w/6YZBj5JyWkh2RcVjuBagXEA
q6YsjVInBlnLWZJNrxxUM4ZyarKXDaF+0E5iLQxiBIhrW0Ki6zooekVYCtEIolGy
KUasTsBKKT90enqPuePJmO35lp+ULGIU5MDwT1rijnO3gBFAREM1Deu+672QMTna
KwBHnHe28CdRi6FsR4MciZs6akkVrqHOXVC5RPgDpvQNxEsu6UVQa64wwesNrXUZ
f4eLUDudj+JW2D9756PWpIlrE3pFYq9qaDdt2CdVyYNELiy6/Tfp5qDDOQARAQAB
tDlab29tIENvbW11bmljYXRpb25zLCBJbmMuIDxDcnlwdG9PcHNDb2RlU2lnblBy
b2RAem9vbS51cz6JAjcEEwEKACsJEE8hlzmXBqwkFiEEhMNl1syaSIbKkmvMTyGX
OZcGrCQFAmlpDAkDBQF4AACBmQ//agfw1qS07cVpK4LRxeUtu5S7qaMDQzcJbTuE
9hz13B/6v6LB1IRG14lo49+lr4eVC4J0wzQWtfii7+cFe9weXn0weFDW00ECpBrP
J4zTorUike0VAO5LQw/mYyolKNFGn3AoLrINpuXtMP2qaQXFsUoENZ7kjzhrKtVe
5AS4YiSIoQsjXPfOaDPQ8GNJ4cxd6RydqJ7K6QGbNPrjD4/zhSGmdCsoslD9ItyG
Xeg1yG/u5mVz/aiKxYn4jm4bhRE26kA16NJX31AaTGVrwIZEDkyVpUCtYxEfH/Nw
+R+pOo1+apJE5qPj2fxl8aS7V/SPQFdCnkm63ExAeXt0uT2OufQz2jYsZCoSpCBN
MRC9bnPVBhBf8RA9G0WkNAcr43BPgz75pATw0a5M3gYeakAy+1oN0Lr9NlvRrcQI
t0tBRydL2yN6XFkrH3oV3CE+XQgjcWAiRwRRRG9Tm9rLJBdsxzBc/JOMWjNyk+WN
ce4jYCg8Yjh1dZVv30NIy7B6fyCWInmQyiIxtJQgd6zeHTu454vjffdVeenJQNd2
xfabFidY+o69xMOpd0qGj0vRNiohJYiBM8viBMuqw3rl2yuN1l7EQpyS3mn9+gYi
xdqPUsSEHpbS0ng8DWsT5TMB3NOL0tZ7v7KRY7wKbHYiFA+XGYYPIrL6a8BjBQxb
Xat1Fxu5AQ0EaWkKqQEIALlT3AMnqcp+YwRaM4dCpFizpFQ60p79JnqhsoEligMJ
0j3zhIc2cpVNHP73imwm1yHCQqB2zZYrDeb9upfGLorEsdbfZRc+vTmGOLlCCY53
tudaz4AKR06p20T66PpAK+ngZj9FUbGw6KvJjDnopRA+zn46yKc6hrWJeCtiU82R
xW7qFtRzaLYfFolcWhcUSCqFMpa9o+RsKf3KGkRmk+rwYk9oEQ8ScFAIvY291kPB
rpASRiDjKmb4PMu8hS300zRG5Jr4/3J5IG0tVpLSbNXVxUM4IhS+anJRYVx4a+VO
qu+WExaNAbTfPojpJdqEIHCyj4EdAshJPS6d6EtWSusAEQEAAYkCOgQYAQoALgIb
IAkQTyGXOZcGrCQWIQSEw2XWzJpIhsqSa8xPIZc5lwasJAUCaWkMCQMFAXgAAFpO
D/9fixiG/JKHuPlCxrf0ZuX5/iPLRMZGg637tAQca2nxYNn7w2KJ6PThb7r1P44t
Mv2h/HnA686XPeiK1QYE4d/mc341bfk1fUXEGaNg8gMSa87zCW1QPQAmrzcfx7f0
LUsosmSCKzKsVldUedZokblKOFiYDEDv8DFjNlNcQWYEYPrQRgC6IPR0rqLMvQ8X
spB4V4vHtLlz9q7kU06cAzTTehEM4xFikZ20prEBRaCEdV7aAKyl2QJfnv5lRDKz
Wy53n2djJWnhmNzfcyy/+pOBE60yrvqBHdqI4vi25aecrgepvfTopH5NvfLlUIhb
+XqF6O/xFkhURqq2c1S2J4iZYCn17K3TLiuNmAquGDrnF99R+R7XFOzlupPO83R2
4rDlpFzUx+qEo52r1bhAgvULRms+K3rP1iUuJqz5/A1TQNuIBu4WJ2FOIi3x7rsF
kIyf89fPGh8YJC/dLLtUj9heqNOvN3tmkC7JRsA7diLdaa93QNiSqej3uzBVE0Vb
+zb4UxMb9KUw7hCtND1MYnQ9QFhEXbvznR32nNjzDTQVh2XMXbLEnQ73KZj2XnsI
lurkUiTguRoW+jblVvP0uAN/3W3/tRx139tLgMlxJP50SLyk4FKU0TeruiSJN3LD
+vrgFPny05jKNKG4JiByA6xepG+kN0h2P1eyxYYEEnNJc7kBDQRpaQqnAQgAsng9
zxza7p7tEX/3dli/NYNjVcfMIeLlyKo+knvuuaQonMiJrsjd8hcdyzQpn8xGDs3l
YRIaXgKEY57zodvQAVypg+HE6eJ4lV8GutmS5UrUMpTm7PyIsfb4SIyCZPQBh5Sz
t+7uRhg2+4teQj1ZkRJp934VwyEgTEGCqMuLTI3n7CbWQY4uZy3X16KfgDP74iNT
h6e8b+MfIhjXSoknKpngMeX/89jE+4eIk/3c52JPlefvxTSzqsaxwjnDp6kIXwZx
my1GA3SN80bjHB1FADpL/ttHLel7dJsE0jXZw7FB8tR18PuagtjRZ9JmOtauL/3r
SxwWYYmBLbSr+At/ywARAQABiQI6BBgBCgAuAhsMCRBPIZc5lwasJBYhBITDZdbM
mkiGypJrzE8hlzmXBqwkBQJpaQwJAwUBeAAAn04QAJD8giK2wSRnkH0y3ZHU86go
OyFVFJjry7JAZ8A15EO1xJhNr41aU+oOsSPGYicU8nc1tZcsboyXVmhwjIwt7XNV
79+RavuUIpOSV3nFgOAPMDnwpDjSrt2ymUMtye1GLxAZpC28oxmiTmEepe1EJGoA
WKukSH5BszGZWqlL0DDkZ7fUoHL2D3lMc+EPvzo1T4iSYjRPhA3AQaohJJFpWi3e
B2QkDTMlhiYbqmjNDjYI4hr2Pu0Vpq8feWNKhR6hx6UlcbtWsiGliAN21K+6VE67
qEYlnHQ1aGiLkSZ+G76XnGZrIzGQ8u+ywaiXtVaUtBC37hbBlZBNMJs5iDhyQlHz
8E0c78IRjrN+DLlP3H11pXKCuIgpbpJ9PdOGMa8S4D1DFAgNFSqA+N3ggRkX6w9u
PciRw4owTTtg5VBjAsuuZcYw5UG2Gl7SW+EwdC4q6Gqcwpi5jaPuF6lv72dqB/Hi
47ztdKG/sA4rUsLfQmvGxgEcYZCArAHymDUugtBlGbOux4lo1OumCO6jNwq0Z6cU
/AXJqXooMl3Obw9krPhLua2CZGqPUR1UmM/ITXNJBBa8lvta1i50GxT77X+Vd27I
N9POzjNun35rSf/5ThlLL80TkMzTCIPT7EYokRCGzdMkU5gJF20xdO4iV/mN8ozm
SleSdi4HgeM5f7grMRJ3
=Oaet
-----END PGP PUBLIC KEY BLOCK-----

I wonder if you’re running into, Calling rpmKeyringAddKey on a subkey should not error out · Issue #3954 · rpm-software-management/rpm · GitHub

That seems to be another issue from Fedora 43. But I had no problem in Fedora 43 with Zoom keys. Troubles with Zoom keys started from Fedora 44.

I think this New RPM doesn't like Amazon Linux 2023 signing key · Issue #58 · rpm-software-management/rpm-sequoia · GitHub can shed some light…

Zoom needs to issue new keys with the Key Flags subpacket set correctly. It doesn’t appear to be:

rpm -q --qf '%{DESCRIPTION}' gpg-pubkey-84c365d6cc9a4886ca926bcc4f2197399706ac24-69690aa5 | sq inspect
-: OpenPGP Certificate.

      Fingerprint: 84C365D6CC9A4886CA926BCC4F2197399706AC24
  Public-key algo: RSA
  Public-key size: 4096 bits
    Creation time: 2026-01-15 15:41:25 UTC

           Subkey: 5AE265F6505CEB377671836D9D5658825B26F672
  Public-key algo: RSA
  Public-key size: 2048 bits
    Creation time: 2026-01-15 15:41:27 UTC
        Key flags: transport encryption, data-at-rest encryption

           Subkey: 8119C5033BF03E48D0F90B192737658E7F827242
  Public-key algo: RSA
  Public-key size: 2048 bits
    Creation time: 2026-01-15 15:41:29 UTC
        Key flags: authentication

           UserID: Zoom Communications, Inc. <CryptoOpsCodeSignProd@zoom.us>

I guess disable the repo gpg options in /etc/yum.repos.d/zoom_release.repo?

@rosti ,

You can get around this by downgrading rpm-sequoia from 1.10.2-2 to 1.10.1-1. Then the install works:

prompt> sudo dnf install zoom
Updating and loading repositories:
Repositories loaded.
Package                                     Arch        Version
Repository                  Size
Installing:
 zoom                                       x86_64      0:7.0.5.3034-1
zoom-release           937.9 MiB

Transaction Summary:
 Installing:         1 package

Total size of inbound packages is 281 MiB. Need to download 281 MiB.
After this operation, 938 MiB extra will be used (install 938 MiB,
remove 0 B).
Is this ok [y/N]: Y
[1/1] zoom-0:7.0.5.3034-1.x86_64
100% |  45.8 MiB/s | 281.3 MiB |  00m06s
-----------------------------------------------------------------------
-------------------------------------------------------------
[1/1] Total
100% |  45.8 MiB/s | 281.3 MiB |  00m06s
Running transaction
[1/3] Verify package files
100% |   2.0   B/s |   1.0   B |  00m00s
[2/3] Prepare transaction
100% |  10.0   B/s |   1.0   B |  00m00s
[3/3] Installing zoom-0:7.0.5.3034-1.x86_64
100% |  76.5 MiB/s | 938.2 MiB |  00m12s
>>> Running %post scriptlet: zoom-0:7.0.5.3034-1.x86_64
>>> Finished %post scriptlet: zoom-0:7.0.5.3034-1.x86_64
>>> Scriptlet output:
>>> run post install script, action is 1...
>>>
Complete!

and here’s the details:

prompt> rpm -qa | grep -E '^fedora-release|^rpm-sequoia|^zoom'
fedora-release-identity-kde-desktop-44-18.noarch
fedora-release-common-44-18.noarch
fedora-release-kde-desktop-44-18.noarch
rpm-sequoia-1.10.1-1.fc44.x86_64
zoom-7.0.5.3034-1.x86_64
prompt> cat /etc/yum.repos.d/zoom_release.repo 
[zoom-release]
name=zoom (release)
baseurl=https://repo.zoom.us/repo/rpm/release/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://zoom.us/linux/download/pubkey
skip_if_unavailable=True
prompt> rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep -i zoom
gpg-pubkey-84c365d6cc9a4886ca926bcc4f2197399706ac24-69690aa5    Zoom Communications, Inc. <CryptoOpsCodeSignProd@zoom.us> public key

Best of Luck!

P.S. it looks like this issue is going to land in Fedora 43 at some point:

Very well! So somebody will report this issue to Zoom eventually and ask them to regenerate signing key properly. I’m unable to do so because support of Zoom is a useless disaster with a completely useless AI chat that can’t create an issue report or do anything helpful besides talking. Either I can’t do it manually by myself because I use a free account without any rights. And I need Zoom just for interviews. I would prefer that Zoom Communications goes bankrupt and all people stop using this bloatware application, just like everybody already stopped using Skype.

Well, I hope you have Zoom installed now so you can use it.

You can pin rpm-sequoia with dnf versionlock if you want/need to. Or just don’t forget that you had to downgrade to install it. I guess you can also disable the gpg options for the Zoom repository (and remove the Zoom gpg key).

I have reported my findings to the e-mail on the key, but I don’t expect to hear anything back from them or even a reply asking for more details or questions. That just isn’t Zoom these days. And to be honest, I don’t think they really care about Linux. There use to be a time when they did, but that’s been a long time ago… Heck, they may like that it’s broken on Linux distros using the new RPM gpg back-end. The goal: get rid of Zoom Linux users.

I suspect that this will be an issue with many 3rd party repos. Many (most?) of the 3rd party gpg keys I have inspected over the years aren’t/weren’t created correctly. It seems there is a real “issue” with 3rd party repos and gpg keys. They can package correctly, but they can’t sign stuff correctly. (IMHO)

ciao!

Yes it was always installable from the manually download RPM file. I just wanted to use RPM repo to get Zoom updates automatically, together with other Fedora updates.