Public key error when updating mod_security RPM

Posted: Sat Apr 12, 2014 11:27 am
by cmaxwell
We are trying to update to the new version of mod_security from the Atomic repository on some CentOS 6.5 boxes, but are getting the following error:

Code:

The GPG keys listed for the "CentOS / Red Hat Enterprise Linux 6 - atomicrocketturtle.com" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Have tried removing the key from the RPM database and re-adding it, as well as reinstalling the atomic-release package - this results in the following:

Code:

Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID 4520afa9: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
Importing GPG key 0x5EBD2744:
 Userid : Atomic Rocket Turtle <admin@atomicrocketturtle.com>
 Package: atomic-release-1.0-18.el6.art.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
Is this ok [y/N]: y


Public key for mod_security-2.7.7-18.el6.art.x86_64.rpm is not installed

Anyone have any suggestions how to get this to work? I'm guessing the key has changed due to Heartbleed.

Thanks in advance.

Cheers,
Chris

Re: Public key error when updating mod_security RPM

Posted: Sun Apr 13, 2014 11:54 am
by freethought
We're seeing this as well, and only on the mod_security-2.7.7-18.el6.art RPM.

The key used to sign the other RPMs in the repository is 5ebd2744 (which gets installed from https://www.atomicorp.com/RPM-GPG-KEY.art.txt when you install the Atomic repository), but the one on the mod_security-2.7.7-18.el6.art RPM is 4520afa9.

I'm not sure what that key is, but it's mentioned in a couple of threads from 2012 on here, so AtomiCorp have pushed RPMs into the atomic repository using this key before and it caused similar problems. Perhaps it's a testing key or someone's personal key which was used accidentally.

If you want to skip the GPG signature checks (not recommended) when installing/updating the mod_security-2.7.7-18.el6.art RPM, you can use yum's "--nogpgcheck" option.
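
The mismatch described in the post above can be confirmed without disabling signature checks. This is an added example, not part of the original thread: the function names are hypothetical, and the sample input is constructed from the messages quoted here, with a placeholder in the key package's release field.

```bash
#!/bin/sh
# Compare the key ID that signed a package with the keys already imported
# into the RPM database. Function names are illustrative, not an rpm/yum API.

# Extract the 8-hex-digit signing key ID from yum or "rpm -Kv" output (stdin).
sig_keyid() {
    sed -n 's/.*[Ss]ignature, key ID \([0-9A-Fa-f]\{8\}\).*/\1/p' \
        | head -n 1 | tr 'A-F' 'a-f'
}

# Turn "rpm -q gpg-pubkey" output (gpg-pubkey-<keyid>-<created>) into key IDs.
installed_keyids() {
    sed -n 's/^gpg-pubkey-\([0-9A-Fa-f]\{8\}\)-[0-9A-Fa-f]*$/\1/p' \
        | tr 'A-F' 'a-f'
}

# key_is_installed <keyid> <rpm -q gpg-pubkey output>; returns 0 if present.
key_is_installed() {
    printf '%s\n' "$2" | installed_keyids | grep -qx -- "$1"
}

# report <signature text> <rpm -q gpg-pubkey output>
# Prints "ok <id>", "missing <id>" or "no-signature".
report() {
    _id=$(printf '%s\n' "$1" | sig_keyid)
    if [ -z "$_id" ]; then
        echo "no-signature"
    elif key_is_installed "$_id" "$2"; then
        echo "ok $_id"
    else
        echo "missing $_id"
    fi
}

# Constructed sample input. On a real host, gather it with:
#   sig_text=$(rpm -Kv package.rpm 2>&1); keys=$(rpm -q gpg-pubkey)
SAMPLE_SIG='warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID 4520afa9: NOKEY'
SAMPLE_KEYS='gpg-pubkey-5ebd2744-00000000'   # release field is a placeholder

report "$SAMPLE_SIG" "$SAMPLE_KEYS"
```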

Re: Public key error when updating mod_security RPM

Posted: Sun Apr 13, 2014 6:55 pm
by scott
We're consolidating under the atomicorp key; you can define multiple keys in the .repo file like:

Code:

gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
         file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt

We'll do an updated atomic-release with it soon.

Re: Public key error when updating mod_security RPM

Posted: Mon Apr 14, 2014 7:35 am
by cmaxwell
Thanks guys - that works. For anyone else experiencing this, you therefore need to do:

Code:

rpm --import https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt

And then modify your /etc/yum.repos.d/atomic.repo file with the following:

Code:

gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
         file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt

Re: Public key error when updating mod_security RPM

Posted: Sun Feb 05, 2017 11:54 am
by lucy albert
Finally I fixed that. Worth sharing.

Re: Public key error when updating mod_security RPM

Posted: Fri Mar 01, 2019 4:07 pm
by mikeshinn
You should definitely not use that version of modsecurity. There are both bugs and limitations in 2.7.7; you should use 2.9.2 or 2.9.3.