Unable to register an AlmaLinux 8 client into Foreman 3.17 server - Key import failed (code 2). Failing package is: katello-host-tools-4.5.0-2.el8.noarch

Problem: While registering an AlmaLinux 8 client into Foreman 3.17 server, the /pub/bootstrap.py script raises an error during the installation of katello-host-tools-4.5.0-2.el8.noarch package. The root cause of the error is the inability to import into the RPM database the GPG key that has signed Foreman 3.17 release (reference).

Expected outcome: The registration process of AlmaLinux 8 client into Foreman 3.17 succeeds. Currently, registration of AlmaLinux 9 and AlmaLinux 10 clients succeeds.

Foreman and Proxy versions: A standalone Foreman 3.17.0 deployment.

Foreman and Proxy plugin versions: (unsure)

Distribution and version: The Foreman 3.17 server is running on CentOS Stream 9

Other relevant data:

The /pub/bootstrap.py script raises the below error during the installation of katello-host-tools-4.5.0-2.el8.noarch package:

[NOTIFICATION], [2026-01-02 18:06:14], [Installing the Katello Host Tools]
[RUNNING], [2026-01-02 18:06:14], [/usr/bin/yum -y install katello-host-tools]
Updating Subscription Management repositories.
AlmaLinux8ResilientStorage                      2.7 MB/s | 2.3 MB     00:00    
AlmaLinux8AppStream                              13 MB/s |  25 MB     00:01    
AlmaLinux8Extras                                 83 kB/s |  14 kB     00:00    
AlmaLinux8_BaseOS                                20 MB/s |  51 MB     00:02    
AlmaLinux8ForemanClient317                      6.4 kB/s | 7.3 kB     00:01    
AlmaLinux8PowerTools                             10 MB/s | 5.4 MB     00:00    
AlmaLinux8HighAvailability                      1.8 MB/s | 2.4 MB     00:01    
AlmaLinux8OpenVox8                              5.0 MB/s | 1.4 MB     00:00    
Dependencies resolved.
=======================================================================================================
 Package              Arch    Version     Repository                                               Size
=======================================================================================================
Installing:
 katello-host-tools   noarch  4.5.0-2.el8 AlmaLinux8ForemanClient   41 k

Transaction Summary
=======================================================================================================
Install  1 Package

Total download size: 41 k
Installed size: 43 k
Downloading Packages:
katello-host-tools-4.5.0-2.el8.noarch.rpm        30 kB/s |  41 kB     00:01    
--------------------------------------------------------------------------------
Total                                            30 kB/s |  41 kB     00:01     
AlmaLinux8ForemanClient317                       22 kB/s | 1.8 kB     00:00    
Importing GPG key 0xD6AB9AD1:
 Userid     : "Foreman Automatic Signing Key (3.17) <packages@theforeman.org>"
 Fingerprint: 2C21 9CE8 AC0A 3BA2 EDE8 B652 509E 3BD3 D6AB 9AD1
 From       : https://foreman/katello/api/v2/repositories/1549/gpg_key_content
Key import failed (code 2). Failing package is: katello-host-tools-4.5.0-2.el8.noarch
 GPG Keys are configured as: https://foreman/katello/api/v2/repositories/1549/gpg_key_content
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED
[ERROR], [2026-01-02 18:06:49], EXITING: [/usr/bin/yum -y install katello-host-tools] failed to execute properly.

Apparently, RHEL8 systems are unable to import the GPG key that has signed the Foreman 3.17 RPM packages, as per the log snippet below:

[root@almalinux8-a ~]# rpm --import https://theforeman.org/static/keys/2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1.pub
error: https://theforeman.org/static/keys/2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1.pub: key 1 import failed.

The error message experienced during the registration process is similar to the one reported here: RPM GPG key on yum.theforeman.org seems to be incorrect - #4 by bhill

To register the AlmaLinux 8 client into my Foreman 3.17 server, I configured a different PGP public key block on my repository that mirrors Foreman 3.17 client packages.

The PGP public key block retrieved from https://theforeman.org/static/keys/2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1.pub contains an additional signature made by a third-party public key identified as C75C383DEACBF894.

[root@almalinux8-a ~]# curl https://theforeman.org/static/keys/2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1.pub | gpg --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1859  100  1859    0     0   7436      0 --:--:-- --:--:-- --:--:--  7436
gpg: key 509E3BD3D6AB9AD1: 1 signature not checked due to a missing key
gpg: key 509E3BD3D6AB9AD1: public key "Foreman Automatic Signing Key (3.17) <packages@theforeman.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

[root@almalinux8-a ~]# gpg --list-keys --keyid-format long
/root/.gnupg/pubring.kbx
------------------------
pub   rsa4096/509E3BD3D6AB9AD1 2025-11-10 [SCEA] [expires: 2026-11-10]
      2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1
uid                 [ unknown] Foreman Automatic Signing Key (3.17) <packages@theforeman.org>


[root@almalinux8-a ~]# gpg --list-sigs
/root/.gnupg/pubring.kbx
------------------------
pub   rsa4096 2025-11-10 [SCEA] [expires: 2026-11-10]
      2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1
uid           [ unknown] Foreman Automatic Signing Key (3.17) <packages@theforeman.org>
sig 3        509E3BD3D6AB9AD1 2025-11-10  Foreman Automatic Signing Key (3.17) <packages@theforeman.org>
sig          C75C383DEACBF894 2025-11-10  [User ID not found]

Apparently, the key that has signed the Foreman 3.17 release can only be imported into the RPM database of RHEL8 systems if the third-party signature is removed from the PGP public key block.

The removal of the third-party signature can be performed by modifying the signing key via an interactive GPG session:

  • Invoke the gpg --edit-key 509E3BD3D6AB9AD1 command line
  • Pass the clean and save commands to GPG.

[root@almalinux8-a ~]# gpg --edit-key 509E3BD3D6AB9AD1
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/509E3BD3D6AB9AD1
     created: 2025-11-10  expires: 2026-11-10  usage: SCEA
     trust: unknown       validity: unknown
[ unknown] (1). Foreman Automatic Signing Key (3.17) <packages@theforeman.org>

gpg> clean
User ID "Foreman Automatic Signing Key (3.17) <packages@theforeman.org>": 1 signature removed

pub  rsa4096/509E3BD3D6AB9AD1
     created: 2025-11-10  expires: 2026-11-10  usage: SCEA
     trust: unknown       validity: unknown
[ unknown] (1). Foreman Automatic Signing Key (3.17) <packages@theforeman.org>

gpg> save


[root@almalinux8-a ~]# gpg --list-sigs
/root/.gnupg/pubring.kbx
------------------------
pub   rsa4096 2025-11-10 [SCEA] [expires: 2026-11-10]
      2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1
uid           [ unknown] Foreman Automatic Signing Key (3.17) <packages@theforeman.org>
sig 3        509E3BD3D6AB9AD1 2025-11-10  Foreman Automatic Signing Key (3.17) <packages@theforeman.org>

Without the third-party signature, the PGP public key block can be imported into the RPM database.

[root@almalinux8-a ~]# gpg --export --armor 509E3BD3D6AB9AD1 > /tmp/2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1.pub 

[root@almalinux8-a ~]# rpm --import /tmp/2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1.pub 

I configured the modified PGP public key block created above on my repository that mirrors Foreman 3.17 client packages.
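As an added example (not part of the original post), the following Python script walks the OpenPGP packets of an armored key block and reports every user-ID certification whose issuer is not the primary key itself, which is the condition identified above as the reason rpm on EL8 rejects the 3.17 key. It assumes gpg-style old-format packet headers and uses a constructed toy key, not the real Foreman key, as its sample input; to check a real .pub file, pass the file's contents to foreign_certifications().

```python
import base64, hashlib

def dearmor(armored):            # base64 body of an ASCII-armored block; armor headers, blank line and =CRC dropped
    lines = armored.strip().splitlines()
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END"))
    return base64.b64decode("".join(l.strip() for l in lines[1:end] if l.strip() and ":" not in l and l[0] != "="))

def packets(data):               # yield (tag, body) per old-format packet header, the form gpg writes for keys, user IDs and signatures
    i = 0
    while i < len(data):
        n = (1, 2, 4)[data[i] & 3]                       # length-of-length; type 3 (indeterminate) unsupported
        size = int.from_bytes(data[i + 1:i + 1 + n], "big")
        yield (data[i] >> 2) & 0x0F, data[i + 1 + n:i + 1 + n + size]
        i += 1 + n + size

def key_id(pub_body):            # v4 fingerprint = SHA-1(0x99 || 2-octet length || key packet body); key ID = its last 8 octets
    return hashlib.sha1(b"\x99" + len(pub_body).to_bytes(2, "big") + pub_body).hexdigest().upper()[-16:]

def issuer(sig_body):            # key ID from the Issuer (16) or Issuer Fingerprint (33) subpacket of a v4 signature
    pos = 4                                              # skip version, signature type, pubkey algo, hash algo
    for _ in range(2):                                   # hashed subpacket area, then unhashed area
        end = pos + 2 + int.from_bytes(sig_body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            n, pos = sig_body[pos], pos + 1
            if n >= 192:                                 # two-octet subpacket length (five-octet form not handled)
                n, pos = ((n - 192) << 8) + sig_body[pos] + 192, pos + 1
            if sig_body[pos] & 0x7F in (16, 33):         # both subpackets end with the 8-octet key ID
                return sig_body[pos + n - 8:pos + n].hex().upper()
            pos += n
    return None

def foreign_certifications(armored):   # (user ID, issuer key ID) for each user-ID certification not made by the primary key
    primary, uid, found = None, None, []
    for tag, body in packets(dearmor(armored)):
        if tag == 6:                                     # public-key packet: the primary key
            primary = key_id(body)
        elif tag == 13:                                  # user ID packet
            uid = body.decode("utf-8", "replace")
        elif tag == 2 and uid and body[0] == 4 and 0x10 <= body[1] <= 0x13:   # v4 certification signature (types 0x10-0x13)
            if (iss := issuer(body)) != primary:
                found.append((uid, iss))
    return found
# Constructed sample (not a real key): toy v4 RSA primary, one user ID, its self-certification, plus a second certification by C75C383DEACBF894, the external certifier key ID that gpg --list-sigs shows in the thread
pkt = lambda tag, body: bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body   # old-format header, 2-octet length
cert_sig = lambda kid: pkt(2, bytes([4, 0x13, 1, 10, 0, 10, 9, 16]) + bytes.fromhex(kid) + b"\x00\x00\xab\xcd\x00\x08\x01")
TOY_PUB = bytes([4, 0, 0, 0, 0, 1]) + b"\x00\x08\x8b\x00\x02\x03"
TOY_BODY = pkt(6, TOY_PUB) + pkt(13, b"Example Signing Key <packages@example.invalid>") + cert_sig(key_id(TOY_PUB)) + cert_sig("C75C383DEACBF894")
SAMPLE_KEY = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % base64.b64encode(TOY_BODY).decode()
```

An empty result means every certification on the key is a self-signature, which is the state the clean/save step above produces.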


Nice! Thank you for the info. I was about to create a topic concerning this, but you preempted!

Only other thing I had done to investigate this further was utilize Sequoia GPG’s “sq” (https://book.sequoia-pgp.org/) utility to inspect the Foreman 3.17 vs the Foreman 3.16 GPG keys. I came up with the same determination stumbling around... pretty much.

bhill$ sq inspect --certifications --cert-file 2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1.pub 
OpenPGP Certificate.

      Fingerprint: 2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1
  Public-key algo: RSA
  Public-key size: 4096 bits
    Creation time: 2025-11-10 21:43:29 UTC
  Expiration time: 2026-11-10 21:43:29 UTC (creation time + 11months 30days 3h 50m 24s)
        Key flags: certification, signing, authentication, transport encryption, data-at-rest encryption

           UserID: Foreman Automatic Signing Key (3.17) <packages@theforeman.org>
    Certification: Creation time: 2025-11-10 23:27:50 UTC
                   Alleged certifier: signer's cert not found
                       BAE35EA68216E1569DD5DC5CC75C383DEACBF894
                       (signature subkey)
                   Hash algorithm: SHA512
             Note: Certifications have NOT been verified!

bhill$ sq inspect --certifications --cert-file 4EF094BBD6C43ADA8E4190BD18357B59AD173208.pub 
OpenPGP Certificate.

      Fingerprint: 4EF094BBD6C43ADA8E4190BD18357B59AD173208
  Public-key algo: RSA
  Public-key size: 4096 bits
    Creation time: 2025-08-07 12:15:56 UTC
  Expiration time: 2026-08-07 12:15:56 UTC (creation time + 11months 30days 3h 50m 24s)
        Key flags: certification, signing, authentication, transport encryption, data-at-rest encryption

           UserID: Foreman Automatic Signing Key (3.16) <packages@theforeman.org>

bhill$ 

The Foreman 3.17 cert perhaps showing that third-party identifier?

           UserID: Foreman Automatic Signing Key (3.17) <packages@theforeman.org>
    Certification: Creation time: 2025-11-10 23:27:50 UTC
                   Alleged certifier: signer's cert not found
                       BAE35EA68216E1569DD5DC5CC75C383DEACBF894
                       (signature subkey)
                   Hash algorithm: SHA512
             Note: Certifications have NOT been verified!

Regardless, thanks for that fix!

Bryan

Hello,
BAE35EA is actually my key. I may not have followed the release procedure, and I seem to have signed the key even though I should not.

Here is a PR to fix that: Remove external signature from Foreman 3.17 GPG key by ogajduse · Pull Request #2272 · theforeman/theforeman.org · GitHub

Apologies for the issues caused.


I have also updated the signing key on yum.theforeman.org.

https://yum.theforeman.org/releases/3.17/RPM-GPG-KEY-foreman
