RPM repo: GPG check FAILED on old installs due to expired key

[oldsadsongs]

It seems like the GPG keys expired last month. Please see below:

➜ dnf upgrade zrepl                                       
Last metadata expiration check: 0:03:45 ago on Sun 08 Oct 2023 12:06:09 PM MDT.
Dependencies resolved.
=====================================================================================================================================================================================================================================================
 Package                                                   Architecture                                               Version                                                        Repository                                                 Size
=====================================================================================================================================================================================================================================================
Upgrading:
 zrepl                                                     x86_64                                                     v0.6.1-2                                                       zrepl                                                      15 M

Transaction Summary
=====================================================================================================================================================================================================================================================
Upgrade  1 Package

Total size: 15 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] zrepl-v0.6.1-2.x86_64.rpm: Already downloaded                                                                                                                                                                                             
error: Verifying a signature using certificate F6F6E8EA6F2F14622878B5DE50E34417826E2CE6 ([email protected]):
  1. Certificiate 50E34417826E2CE6 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-09-01T15:59:36Z
  2. Key 50E34417826E2CE6 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-09-01T15:59:36Z
zrepl                                                                                                                                                                                                                5.2 kB/s | 2.1 kB     00:00    
GPG key at https://zrepl.cschwarz.com/rpm/rpm-key.asc (0x826E2CE6) is already installed
The GPG keys listed for the "zrepl" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: zrepl-v0.6.1-2.x86_64
 GPG Keys are configured as: https://zrepl.cschwarz.com/rpm/rpm-key.asc
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

[problame]

Hm, cannot reproduce.

In a fedora:latest docker container, the install instruction from the website work without errors.

Looking at my signing machine

cs@zrepl-1:~/package-repo-ops$ gpg --edit-key F6F6E8EA6F2F14622878B5DE50E34417826E2CE6
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/50E34417826E2CE6
     created: 2020-09-01  expires: never       usage: SC  
     trust: unknown       validity: unknown
ssb  rsa2048/A99BE12ED4C8BEED
     created: 2020-09-01  expires: never       usage: E   
[ unknown] (1). [email protected]

Maybe you have an old copy of the key cached somewhere?
I changed the keys to never expiration ~2 years ago.

[oldsadsongs]

Thanks for the quick reply!

The key's expiration changing would explain this because this is a 3+ year-old install.

If anybody else stumbles upon this.

Check your installed gpg keys using the command sudo rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

Then remove the expired key with sudo rpm -e [insert-name-of-key] and sudo dnf update.

[problame]

(I think dnf clean all would have done the same job)

[awehrfritz]

Check your installed gpg keys using the command sudo rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

Then remove the expired key with sudo rpm -e [insert-name-of-key] and sudo dnf update.

Thanks, @oldsadsongs, for the hint. I ran into the same issue on a Fedora installation that was upgraded from Fedora 36 to 37, and eventually 38. So just about 1.5 years since I added this key initially.

(I think dnf clean all would have done the same job)

@problame, unfortunately, this did not resolve the issue for me. One of the first things I tried when I encountered the issue a couple of days ago. I really had to remove the GPG key manually, as described above.