RHEL 8 key import error
Hi,
I'm having issues while installing Dovecot 2.4 on a Rocky Linux 8.10 server.
This server was running Dovecot 2.3 but I wanted to upgrade it to 2.4.
This is my repo file:
[dovecot-2.4-latest]
name=Dovecot 2.4 RHEL $releasever - $basearch
baseurl=https://repo.dovecot.org/ce-2.4-latest/rhel/$releasever/RPMS/$basearch
gpgkey=https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4
gpgcheck=1
enabled=1
When I run dnf update I get a GPG error:
Problem opening package dovecot-2.4.1-4.x86_64.rpm
Problem opening package dovecot-lua-2.4.1-4.x86_64.rpm
Problem opening package dovecot-mysql-2.4.1-4.x86_64.rpm
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
If I try to import the key manually with rpm --import https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4 I get: error: https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4: key 1 import failed.
I also tried it on a fresh Rocky Linux 8.10 installation and I get the same exact error, but running it on Rocky Linux 9.6 works just fine.
This is my gpg --version on RHEL 8.10:
gpg (GnuPG) 2.2.20
libgcrypt 1.8.5
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Any help is appreciated. Thanks!
--
Gioele Pannetto
On Thu Aug 28, 2025 at 4:11 PM SAST, Gioele Pannetto via dovecot wrote:
Hi,
Hi!
I fired up a test VM with Rocky Linux 8.10 to see what's happening.
I'm having issues while installing Dovecot 2.4 on a Rocky Linux 8.10 server.
When I run dnf update I get a GPG error:
Problem opening package dovecot-2.4.1-4.x86_64.rpm
Error: GPG check FAILED
This happens here, too.
If I try to import the key manually with rpm --import https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4 I get: error: https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4: key 1 import failed.
Same here.
The error I get:
$ rpm -vvv --checksig /var/cache/dnf/dovecot-2.4-latest-817d1236de55207c/packages/dovecot-2.4.1-4.x86_64.rpm
ufdio: 1 reads, 17154 total bytes in 0.000003 secs
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening db environment /var/lib/rpm cdb:0x401
D: opening db index /var/lib/rpm/Packages 0x400 mode=0x0
D: locked db index /var/lib/rpm/Packages
D: opening db index /var/lib/rpm/Name 0x400 mode=0x0
D: read h# 377
Header SHA1 digest: OK
D: added key gpg-pubkey-6d745a60-60287f36 to keyring
D: read h# 615
Header SHA1 digest: OK
D: added key gpg-pubkey-2f86d6a1-5cf7cefb to keyring
D: Using legacy gpg-pubkey(s) from rpmdb
/var/cache/dnf/dovecot-2.4-latest-817d1236de55207c/packages/dovecot-2.4.1-4.x86_64.rpm:
    Header DSA signature: BAD (package tag 267: invalid OpenPGP signature)
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK
ufdio: 104 reads, 3297736 total bytes in 0.000344 secs
D: closed db index /var/lib/rpm/Packages
D: closed db index /var/lib/rpm/Name
D: closed db environment /var/lib/rpm
The Dovecot 2.4 key appears to be an Ed25519 key. Check with:
$ gpg --list-packets DOVECOT-REPO-GPG-2.4 | head
However, RPM 4.14.3, which is the version of RPM on Rocky 8.10, does not seem to support Ed25519 signatures.
This has nothing to do with OpenSSL, by the way. The GnuPG version does support Ed25519, but RPM does not seem to invoke it.
From the RPM release notes I gather that RPM introduced support for EdDSA signature in version 4.17.0 [0].
RedHat, on the other hand, appears to have introduced that support with RHEL 9, though in RPM version 4.16 [1].
The merge appears to have happened in March 2021 [2].
However that may be, EL8 does not seem to support Ed25519.
You could reach out to Dovecot and ask if they could also publish an older (RSA?) key for Dovecot 2.4.
Alternatively, you would have to disable the gpgcheck for this repo. That would not be ideal, but I am not sure what other options you have, other than sticking with Dovecot 2.3 or upgrading to EL9 or EL10.
The repo does not publish .sig files for the rpm's, so you can't manually check them via gpg, either.
I hope this helps.
Kind regards, Edmund Lodewijks (Just a hobbyist)
ml/9.0_release_notes/new-features?utm_source=chatgpt.com
[2]: https://github.com/rpm-software-management/rpm/pull/1202
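Added example (not part of the original thread, and not Dovecot or RPM code): a small Python parser that reads the public-key algorithm ID from every key packet in an OpenPGP key file, the same field `gpg --list-packets` prints as `algo`, so a repository key can be checked before it is handed to `rpm --import`. That rpm 4.14.3 on EL8 cannot use EdDSA keys is an assumption taken from the message above; the function names and the sample packet are constructed for illustration.

```python
import base64

ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}  # RFC 4880/9580 IDs
KEY_TAGS = {6: "public key", 14: "public subkey"}
# Assumption taken from the thread: rpm 4.14.3 on EL8 cannot use EdDSA keys.
EL8_RPM_UNSUPPORTED = {"EdDSA"}

def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, decoding ASCII armor when present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:-1]       # skip armor headers and END line
    return base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))

def packets(buf: bytes):
    """Yield (tag, body) for each packet, old and new header formats."""
    i = 0
    while i < len(buf):
        hdr, i = buf[i], i + 1
        # Bit 7 must be set; old-format length type 3 (indeterminate) is not handled.
        if not (hdr & 0x80) or (hdr & 0x43) == 0x03:
            raise ValueError("unsupported OpenPGP packet header")
        if hdr & 0x40:                          # new format: variable-length field
            tag, first, i = hdr & 0x3F, buf[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + buf[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(buf[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length not handled")
        else:                                   # old format: 1, 2 or 4 length bytes
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def key_algorithms(data: bytes):
    """List (packet kind, algorithm) for every key packet in a key file."""
    ids = [(KEY_TAGS[t], b[5] if b[0] >= 4 else b[7])     # v3 keys: algo at offset 7
           for t, b in packets(dearmor(data)) if t in KEY_TAGS]
    return [(kind, ALGOS.get(a, f"algo {a}")) for kind, a in ids]

def el8_rpm_blockers(data: bytes):
    return [(k, a) for k, a in key_algorithms(data) if a in EL8_RPM_UNSUPPORTED]

# Constructed sample: a v4 Ed25519 public-key packet with an all-zero key value.
SAMPLE = bytes.fromhex("9833040000000016092b06010401da470f01010740") + bytes(32)
```

On a real system, pass the bytes of the downloaded key file to `el8_rpm_blockers`; an empty list means every key packet uses an algorithm outside the unsupported set.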
Hi,
The problem is with the repo.dovecot.org web server, all keys are missing and the web server returns 404:
https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4
https://repo.dovecot.org/DOVECOT-REPO-GPG-2.3
I don't know who is managing the web server, there's no contact information available except this mailing list. I hope someone will read the list and fix the problem.
I suppose there's always the wayback machine:
https://web.archive.org/web/20250126114657/https://repo.dovecot.org/DOVECOT-...
Although having to use it in this way does not exactly inspire confidence.
BTW, why isn't there a proper -release package to help automate the repository install?
Peter
On 6/09/25 08:05, Daniel Toma via dovecot wrote:
Hi,
The problem is with the repo.dovecot.org web server, all keys are missing and the web server returns 404:
https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4
https://repo.dovecot.org/DOVECOT-REPO-GPG-2.3
I don't know who is managing the web server, there's no contact information available except this mailing list. I hope someone will read the list and fix the problem.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Fixed. There was a small deployment mishap.
Aki
On 06/09/2025 05:40 EEST Peter via dovecot <dovecot@dovecot.org> wrote:
I suppose there's always the wayback machine:
https://web.archive.org/web/20250126114657/https://repo.dovecot.org/DOVECOT-...
Although having to use it in this way does not exactly inspire confidence.
BTW, why isn't there a proper -release package to help automate the repository install?
Peter
On 06/09/2025 12:21 EEST Edmund Lodewijks via dovecot <dovecot@dovecot.org> wrote:
On Thu Aug 28, 2025 at 4:11 PM SAST, Gioele Pannetto via dovecot wrote:
Hi,
Hi!
I fired up a test VM with Rocky Linux 8.10 to see what's happening.
I'm having issues while installing Dovecot 2.4 on a Rocky Linux 8.10 server.
When I run dnf update I get a GPG error:
Problem opening package dovecot-2.4.1-4.x86_64.rpm
Error: GPG check FAILED
This happens here, too.
If I try to import the key manually with rpm --import https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4 I get: error: https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4: key 1 import failed.
Same here.
We are looking into resigning 2.4.1 RHEL8 with the RSA key for 2.3.
Aki
On 6/09/25 22:03, Aki Tuomi via dovecot wrote:
We are looking into resigning 2.4.1 RHEL8 with the RSA key for 2.3.
Suggestion: Rather than have a separate key for each major release of Dovecot, instead you could have a separate key for each major release of EL. This also has the advantage that you can time the expiration of your key to correspond with the EOL of that EL release, so:
An EL8 key that expires on or after May 31 2029.
An EL9 key that expires on or after May 31 2032.
An EL10 key that expires on or after May 31 2035.
You could also do something similar for other distros.
Peter
participants (6)
- Aki Tuomi
- dt@webdev.ro
- Edmund Lodewijks
- Edmund Lodewijks
- Gioele Pannetto
- Peter