We are trying to update to the new version of mod_security from the Atomic repository on some CentOS 6.5 boxes, but are getting the following error:



Have tried removing the key from the RPM database and re-adding it, as well as reinstalling the atomic-release package - this results in the following:



Anyone have any suggestions how to get this to work? I'm guessing the key has changed due to Heartbleed.

Thanks in advance.

Cheers,
Chris

We're seeing this as well, and only on the mod_security-2.7.7-18.el6.art RPM.

The key used to sign the other RPMs in the repository is 5ebd2744 (which gets installed from https://www.atomicorp.com/RPM-GPG-KEY.art.txt when you install the Atomic repository), but the one on the mod_security-2.7.7-18.el6.art RPM is 4520afa9.

I'm not sure what that key is, but it's mentioned in a couple of threads from 2012 on here, so AtomiCorp have pushed RPMs into the atomic repository using this key before and it caused similar problems. Perhaps it's a testing key or someone's personal key which was used accidentally.

If you want to skip the GPG signature checks (not recommended) when installing/updating the mod_security-2.7.7-18.el6.art RPM, you can use yum's "--nogpgcheck" option.

We're consolidating under the atomicorp key, you can define multple keys in the .repo file like:



We'll do a updated atomic-release with it soon.

Thanks guys - that works. For anyone else experiencing this, you therefore need to do:



And then modify your /etc/yum.repos.d/atomic.repo file with the following:

Finall i fixed that. Worth sharing.
poikilothermiahyperthymesiadorsalgia

You should definitely not use that version of modsecurity. There are both bugs and limitations in 2.7.7, you should use 2.9.2 or 2.9.3.