Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Description
The 2.4.13 RPM packages for RHEL-8 (and likely for other RHEL versions) got signed with a new key, previously only used on ES 10.5 and MaxScale 2.5.
This breaks all systems that rely on updates from the MariaDB repo, because we have not issued any kind of warning that we are going to change the signing key - worse, we have not specified which of the multitude of MariaDB signing keys is used for this release. Believe it or not, RPM does check if a package is signed with a trusted key.
While a new key may be imported, this is not normally done by a DBA and requires extra effort.
All in all, such a change amidst a mainline without a pressing need (did we revoke the old key? Was it compromised?) is a very bad and quite useless thing to do (as if we don't break enough stuff for customers already).
YUM log:
The GPG keys listed for the "MaxScale 2.4" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: maxscale-2.4.13-1.x86_64
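
A check for the failure described in this ticket, added as an example and not part of the original report or of MariaDB's tooling: it compares the key ID that signed a package with the keys present in the rpm keyring. The function names are hypothetical and the key IDs shown in comments are constructed.

```shell
#!/bin/sh
# Added example (not from the ticket): report whether the key that signed an
# RPM is present in the rpm keyring. All key IDs in comments are constructed.

# Print the short key ID (last 8 hex digits, lower-case) found in rpm
# signature text, e.g. a line of `rpm -Kv` output:
#   "Header V4 RSA/SHA256 Signature, key ID 1a2b3c4d: NOKEY"
# A 16-digit ID such as "Key ID 00001111AAAABBBB" is reduced to "aaaabbbb".
sig_key_id() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -n 's/.*key id \([0-9a-f]*\)\([0-9a-f]\{8\}\).*/\2/p' | head -n 1
}

# Succeed if the listing printed by `rpm -q gpg-pubkey` ($2) contains a key
# whose version field (the short key ID) equals $1.
key_in_keyring() {
    printf '%s\n' "$2" | grep -q "^gpg-pubkey-$1-"
}

# Classify a package from its signature text ($1) and the keyring listing ($2).
# Prints "trusted ID", "untrusted ID" or "unsigned"; returns 0, 1 or 2.
check_sig() {
    id=$(sig_key_id "$1")
    if [ -z "$id" ]; then
        echo "unsigned"; return 2
    elif key_in_keyring "$id" "$2"; then
        echo "trusted $id"
    else
        echo "untrusted $id"; return 1
    fi
}

# Live use on a host with rpm installed: sh check.sh path/to/package.rpm
if [ -n "${1:-}" ] && command -v rpm >/dev/null 2>&1; then
    check_sig "$(rpm -Kv "$1" 2>&1)" "$(rpm -q gpg-pubkey)"
fi
```

An "untrusted" result before an upgrade indicates the repository started signing with a key the host has not imported, which is the condition that produces the YUM error above.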