If you are getting a GPG error and a “Duplicate sources.list” warning while configuring the MySQL repository to install MySQL server version 5.7, here’s how you can update the GPG key.
#apt-get update
.....
W: GPG error: http://repo.mysql.com jessie InRelease: The following signatures were invalid: KEYEXPIRED 1487236823 KEYEXPIRED 1487236823 KEYEXPIRED 1487236823
W: Duplicate sources.list entry https://packages.sury.org/php/ jessie/main amd64 Packages (/var/lib/apt/lists/packages.sury.org_php_dists_jessie_main_binary-amd64_Packages)
Solution: The above error indicates that the MySQL APT GPG key has expired, making it impossible to install or upgrade Debian packages from the Oracle MySQL APT repository.
Find the expired keys of the repository in Debian/Ubuntu?
Step 1: List the expired key using the below command:
#apt-key list
/etc/apt/trusted.gpg
--------------------
pub   4096R/89DF5277 2010-07-11
uid                  Guillaume Plessis <gui@dotdeb.org>
sub   4096R/3D624A3B 2010-07-11
sub   4096R/A2098A6E 2010-07-11

pub   1024D/5072E1F5 2003-02-03 [expired: 2017-02-16]
uid                  MySQL Release Engineering <mysql-build@oss.oracle.com>
From the above expired key list, it’s clear that the MySQL repository GPG key expired on 16th Feb 2017.
How to update the GPG key for the MySQL APT repository?
Step 2: The simple solution is to update the GPG key for the Oracle MySQL APT repository.
#apt-key adv --keyserver pgp.mit.edu --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5
Sample Output:
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.z5SEIWWrbt --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyring /etc/apt/trusted.gpg.d/php.gpg --keyserver pgp.mit.edu --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5
gpg: requesting key 5072E1F5 from hkp server pgp.mit.edu
gpg: key 5072E1F5: "MySQL Release Engineering <mysql-build@oss.oracle.com>" 62 new signatures
gpg: Total number processed: 1
gpg: new signatures: 62
Step 3: The key has been updated successfully, and now you can refresh the package lists:
#apt-get update
Ramya Santhosh
is a Web Designer and content creator. A freelance writer on latest trends in technology, gadget reviews, How to’s and many more.
MySQL runs their own package repositories for community editions of MySQL. They support both yum and apt package managers, separated by sub-directories.
So far so good, but it seems that the previous GPG key (used to sign the packages) was replaced. This leads to errors when running apt-get update (or apt update):
root@debian:~# apt-get update
Hit:1 http://security.debian.org buster/updates InRelease
Hit:2 https://artifacts.elastic.co/packages/7.x/apt stable InRelease
Hit:3 http://httpredir.debian.org/debian buster InRelease
Get:4 http://repo.mysql.com/apt/debian buster InRelease [22.1 kB]
Hit:5 https://packages.sury.org/php buster InRelease
Err:4 http://repo.mysql.com/apt/debian buster InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
Reading package lists… Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.mysql.com/apt/debian buster InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
W: Failed to fetch http://repo.mysql.com/apt/debian/dists/buster/InRelease The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
W: Some index files failed to download. They have been ignored, or old ones used instead.
When looking through the repository, no specific APT gpg key could be identified. These files usually end with a suffix of .gpg, .gnupg, .key or similar.
However there is one more intriguing file at the top-level directory of the repository: RPM-GPG-KEY-mysql-2022.
Why intriguing? Because the file starts with RPM, suggesting this key is only used for rpm packages (for the yum package manager).
Let’s import that file with apt-key:
root@debian:~# curl -s http://repo.mysql.com/RPM-GPG-KEY-mysql-2022 | apt-key add -
OK
It worked, so it is a GPG key. But is it the right key for the signed deb packages in the apt repositories?
root@debian:~# apt-get update
Hit:1 http://security.debian.org buster/updates InRelease
Hit:2 http://httpredir.debian.org/debian buster InRelease
Hit:3 https://artifacts.elastic.co/packages/7.x/apt stable InRelease
Get:4 http://repo.mysql.com/apt/debian buster InRelease [22.1 kB]
Hit:5 https://packages.sury.org/php buster InRelease
Get:6 http://repo.mysql.com/apt/debian buster/mysql-8.0 Sources [941 B]
Get:7 http://repo.mysql.com/apt/debian buster/mysql-apt-config amd64 Packages [567 B]
Get:8 http://repo.mysql.com/apt/debian buster/mysql-8.0 amd64 Packages [8,421 B]
Get:9 http://repo.mysql.com/apt/debian buster/mysql-tools amd64 Packages [7,070 B]
Hit:10 https://packagecloud.io/varnishcache/varnish60lts/debian buster InRelease
Fetched 39.1 kB in 1s (35.9 kB/s)
Reading package lists… Done
No errors! Although RPM-GPG-KEY-mysql-2022 sounds confusing, it is indeed the right key for the MySQL APT repository.
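The import above fetches the key over plain HTTP and adds it to apt's global keyring without checking which key it is. The following shell functions, an added example that is not part of the original post, compare a downloaded key's fingerprints with the expected key ID before writing it to a dedicated keyring; the function names, the constructed SAMPLE_COLONS records and the zero-padded placeholder fingerprint are assumptions.

```shell
#!/bin/sh
# Added example: check a downloaded repository key before trusting it.
# Function names and SAMPLE_* data are illustrative, not from the page.

# Key IDs apt reports as missing, read from `apt-get update` output on stdin.
missing_key_ids() {
    grep -oE 'NO_PUBKEY [0-9A-F]{16}' | awk '{print $2}' | sort -u
}

# All fingerprints (primary key and subkeys) in `gpg --with-colons` output.
key_fingerprints() {
    awk -F: '$1 == "fpr" {print $10}'
}

# Succeed only if a fingerprint in $2 ends with the expected ID in $1.
# Prefer the full 40-hex fingerprint from a trusted source; the 16-hex ID
# from apt's NO_PUBKEY message is the shortest value accepted.
fingerprint_matches() {
    case $1 in *[!0-9A-F]*) return 2 ;; esac
    [ "${#1}" -ge 16 ] || return 2
    printf '%s\n' "$2" | grep -q "$1\$"
}

# Download to a file, check it, then write a dedicated keyring instead of
# adding the key to apt-key's global trust store. Needs curl and GnuPG 2.2+.
install_verified_key() {  # usage: install_verified_key URL EXPECTED_ID DEST
    tmp=$(mktemp) || return 1
    curl -fsS -o "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    fprs=$(gpg --show-keys --with-colons "$tmp" | key_fingerprints)
    if fingerprint_matches "$2" "$fprs"; then
        gpg --dearmor < "$tmp" > "$3"; rc=$?
    else
        echo "key at $1 does not match $2, not installed" >&2; rc=1
    fi
    rm -f "$tmp"; return "$rc"
}

# The apt text is taken from the error output above. The colon records are
# constructed: the fingerprint is a zero-padded placeholder, not the real one.
SAMPLE_APT='GPG error: http://repo.mysql.com/apt/debian buster InRelease: NO_PUBKEY 467B942D3A79BD29'
SAMPLE_COLONS='pub:-:4096:1:467B942D3A79BD29:
fpr:::::::::000000000000000000000000467B942D3A79BD29:
uid:-::::::::MySQL Release Engineering <mysql-build@oss.oracle.com>:'
```

To use the resulting keyring, reference the file from the repository's sources.list entry with the signed-by option. Take the expected fingerprint from a source you trust rather than from the same HTTP connection that served the key.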
Comments (newest first)
Peter from wrote on Jun 18th, 2022:
Thanks for this post and making the command where it can be copied. This is like the 5th time I’ve run into this and finally somebody posted a short, coherent fix.
Claude LaBadie from Canada wrote on May 6th, 2022:
Thank you so much for sharing this.
Would creating a better-named symlink be a good approach?
Comments
potiuk added a commit to potiuk/airflow that referenced this issue Jan 17, 2022
MySQL changed key used to sign their apt packages. This caused
docker building failing for prod images as MySQL could not be
installed.
New Public Key is used instead.
Fixes: apache#20911
mik-laj pushed a commit that referenced this issue Jan 18, 2022
MySQL changed key used to sign their apt packages. This caused
docker building failing for prod images as MySQL could not be
installed.
New Public Key is used instead.
Fixes: #20911
potiuk added a commit that referenced this issue Jan 22, 2022
MySQL changed key used to sign their apt packages. This caused
docker building failing for prod images as MySQL could not be
installed.
New Public Key is used instead.
Fixes: #20911
(cherry picked from commit 7e29506)
jedcunningham pushed a commit that referenced this issue Jan 27, 2022
MySQL changed key used to sign their apt packages. This caused
docker building failing for prod images as MySQL could not be
installed.
New Public Key is used instead.
Fixes: #20911
(cherry picked from commit 7e29506)
jakobkolb added a commit to rocs-org/data-pipelines that referenced this issue Feb 9, 2022
jakobkolb added a commit to rocs-org/data-pipelines that referenced this issue Mar 10, 2022