MariaDB MaxScale / MXS-3278

2.4.13 RPM packages for RHEL signed with a new key



    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.4.13, 2.5.5
    • Packaging
    • None


      The 2.4.13 RPM packages for RHEL-8 (and likely for other RHEL versions) got signed with a new key, previously only used on ES 10.5 and MaxScale 2.5.

      This breaks all systems that rely on updates from the MariaDB repo, because we have not issued any kind of warning that we are going to change the signing key - worse, we have not specified which of the multitude of MariaDB signing keys is used for this release. Believe it or not, RPM does check if a package is signed with a trusted key.

      While a new key may be imported, this is not normally done by a DBA and requires extra effort.

      All in all, such a change amidst a mainline without a pressing need (did we revoke the old key? Was it compromised?) is a very bad and quite useless thing to do (as if we don't break enough stuff for customers already).

      YUM log:
      The GPG keys listed for the "MaxScale 2.4" repository are already installed but they are not correct for this package.
      Check that the correct key URLs are configured for this repository.. Failing package is: maxscale-2.4.13-1.x86_64




            tturenko Timofey Turenko
            assen.totin Assen Totin (Inactive)
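
A pre-update check for the failure reported above, as an added example that is not part of the original issue or the MaxScale project: it reads the signer key ID from an RPM file and reports whether that key is already in the local RPM keyring. The function names and status strings are made up for this example, and it assumes packages are signed with a primary key (a signing subkey's ID will not match the `gpg-pubkey` version).

```shell
#!/bin/sh
# Added example: check whether the key that signed an RPM file is already in
# the local RPM keyring, before yum/dnf rejects the update.

# Print the 16-hex-digit signer key ID found in rpm ":pgpsig" output such as
# "RSA/SHA512, <date>, Key ID 0123456789abcdef"; print nothing if there is none.
sig_key_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' |
        head -n 1 | tr 'A-F' 'a-f'
}

# Succeed if key ID $1 matches one of the imported keys listed in $2 (one per
# line). RPM stores each imported key as a gpg-pubkey pseudo-package whose
# VERSION is the last 8 hex digits of the key ID.
# Assumption: the package is signed with a primary key, not a subkey.
key_is_imported() {
    short_id=$(printf '%s' "$1" | tail -c 8)
    printf '%s\n' "$2" | grep -qixF -- "$short_id"
}

# Map a signature string and the imported-key list to one status line.
classify_signature() {
    signer=$(sig_key_id "$1")
    if [ -z "$signer" ]; then
        echo "no-signature"
    elif key_is_imported "$signer" "$2"; then
        echo "key-imported $signer"
    else
        echo "key-missing $signer"
    fi
}

# Query a package file and the RPM database, then classify the result.
check_rpm() {
    sig=$(rpm -qp --qf '%{RSAHEADER:pgpsig}\n%{DSAHEADER:pgpsig}\n%{SIGPGP:pgpsig}\n%{SIGGPG:pgpsig}\n' "$1" 2>/dev/null) || {
        echo "cannot read package: $1" >&2
        return 2
    }
    imported=$(rpm -q gpg-pubkey --qf '%{VERSION}\n' 2>/dev/null || true)
    classify_signature "$sig" "$imported"
}

# Usage (script name is hypothetical): sh check-rpm-key.sh path/to/package.rpm
if [ "$#" -gt 0 ]; then
    check_rpm "$1"
fi
```

A `key-missing` result on a staging host identifies the signer key ID to verify against the vendor's published fingerprint before anyone imports it.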