RPM GPG key on yum.theforeman.org seems to be incorrect

stevenshockley · December 26, 2025, 3:44am

Problem:

Tried to upgrade from Foreman 3.16.2 to 3.17.0 on Alma 9.7. Ran dnf upgrade ``https://yum.theforeman.org/releases/3.17/el9/x86_64/foreman-release.rpm`` -y

Result:
Public key for foreman-release.rpm is not installed
Error: GPG check FAILED

Tried installing new key using rpm –import ``https://yum.theforeman.org/releases/3.17/RPM-GPG-KEY-foreman
No change

I noticed the key at https: //theforeman.org/security.html#GPGkeys didn’t match (why does discourse keep changing the links I paste?!). I imported that and it worked.

Am I doing something dumb, or should the gpg key in the 3.17 directory match the latest one at that url?

gvde · December 31, 2025, 11:10am

That works for me just fine. I can install the rpm on a system which doesn’t have it and I can upgrade as well. I guess you have the local gpgcheck enabled:

# dnf config-manager --dump | grep gpg
gpgcheck = 1
gpgkey_dns_verification = 0
localpkg_gpgcheck = 0
repo_gpgcheck = 0

JendaVodka · December 31, 2025, 7:53pm

For me gpg key does not work on Foreman 3.16

bhill · December 31, 2025, 8:09pm

I’ve noticed I’m getting GPG errors as well with the latest Foreman 3.17 signing key and some of the katello packages, for example…

Importing GPG key 0xD6AB9AD1:
 Userid     : "Foreman Automatic Signing Key (3.17) <packages@theforeman.org>"
 Fingerprint: 2C21 9CE8 AC0A 3BA2 EDE8 B652 509E 3BD3 D6AB 9AD1
 From       : https://REDACTED/katello/api/v2/repositories/22/gpg_key_content
Is this ok [y/N]: y
Key import failed (code 2). Failing package is: katello-host-tools-4.5.0-2.el8.noarch
 GPG Keys are configured as: https://REDACTED/katello/api/v2/repositories/22/gpg_key_content
Public key for katello-host-tools-tracer-4.5.0-2.el8.noarch.rpm is not installed. Failing package is: katello-host-tools-tracer-4.5.0-2.el8.noarch
 GPG Keys are configured as: https://REDACTED/katello/api/v2/repositories/22/gpg_key_content
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Verified that the 3.17 signing key is the one being served at https://REDACTED/katello/api/v2/repositories/22/gpg_key_content

REDACTED of course being the real host name of my proxy.

gvde · December 31, 2025, 8:16pm

Sorry, but given the information you have given, it’s virtually impossible to say anything…

gvde · December 31, 2025, 8:21pm

That’s a different error message. Please start a new thread…

JendaVodka · December 31, 2025, 8:23pm

Sorry when I upgraded to foreman to 3.16 several weeks ago, the RPM-GPG-KEY-foreman was not correct for foreman and I noticed that in foreman.repo file there was gpgcheck=0. Now there is gpgcheck=1 so maybe it’s working now but it was not working then. So it may be the same type of error. Nothing less nothing more

gvde · December 31, 2025, 8:32pm

Sorry, but I still don’t see the point. It could be anything.

JendaVodka · December 31, 2025, 8:38pm

Let it be after the new year. You are not in the mood.

gvde · December 31, 2025, 9:00pm

I don’t know what your problem is, but seriously, you didn’t give any technical details to go on. Your problem might have been anything and what you wrote before is even contradictory as gpgcheck was off anyway.

It doesn’t help to say “I had some problem with a GPG key” without any technical details and without the exact errors and output. What’s the point? It doesn’t help anyone. It’s impossible to say if it is in any way related to the problem in this thread.

bhill · December 31, 2025, 10:39pm

Will do.

ogajduse · January 14, 2026, 1:21pm

Apologies, this is due to a mistake on my side. I provided a statement about it in another thread:

stevenshockley · January 23, 2026, 2:07am

Thanks for the update!