jenkins-infra / helpdesk

Open your Infrastructure related issues here for the Jenkins project
https://github.com/jenkins-infra/helpdesk/issues/new/choose

[INFRA-973] invalid GPG signatures on redhat stable packages #718

Closed jenkins-infra-bot closed 7 years ago

jenkins-infra-bot commented 7 years ago

I am unable to install packages on CentOS 7 with gpgcheck enabled due to invalid GPG signatures on at least 2.7.4 and 2.19.2.

$ sudo yum install jenkins
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.symnds.com
 * epel: mirror.symnds.com
 * extras: mirror.cogentco.com
 * updates: mirror.net.cen.ct.gov
Resolving Dependencies
--> Running transaction check
---> Package jenkins.noarch 0:2.19.2-1.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================
 Package    Arch      Version       Repository  Size
=====================================================================================
Installing:
 jenkins    noarch    2.19.2-1.1    jenkins     66 M

Transaction Summary
=====================================================================================
Install  1 Package

Total download size: 66 M
Installed size: 67 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/jenkins/packages/jenkins-2.19.2-1.1.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID d50582e6: NOKEY
Public key for jenkins-2.19.2-1.1.noarch.rpm is not installed
jenkins-2.19.2-1.1.noarch.rpm |  66 MB  00:00:02     
Retrieving key from http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Importing GPG key 0xD50582E6:
 Userid     : "Kohsuke Kawaguchi "
 Fingerprint: 150f de3f 7787 e7d1 1ef4 e12a 9b7d 32f2 d505 82e6
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0x2376BFC7:
 Userid     : "Stephen Connolly (personal) "
 Fingerprint: 8a53 9937 85ef 0c35 634d 7a51 580e 8ad9 2376 bfc7
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0xDC743A19:
 Userid     : "Stephen Connolly (VCC Release Signing) "
 Fingerprint: 75b8 3534 d778 d292 05b7 9222 c03b 9eb0 dc74 3a19
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0xB7A2F5C0:
 Userid     : "Virtual Computer Control Project (java.net) "
 Fingerprint: e097 c9d2 18f8 7929 4da9 fbad 2834 45ba b7a2 f5c0
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0xAF5EC452:
 Userid     : "Dennis Lundberg (CODE SIGNING KEY) "
 Fingerprint: b920 d295 bf0e 61cb 4cf0 896c 33cd 6733 af5e c452
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0x4A2F92BB:
 Userid     : "CloudBees, Inc. "
 Fingerprint: 64fe 12b4 6343 4b13 fbb5 c187 b6a6 99a4 4a2f 92bb
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0xB620D787:
 Userid     : "Stephen Connolly "
 Fingerprint: 042b 29e9 2899 5b9d b963 c636 c7ca 19b7 b620 d787
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0x3F51E16F:
 Userid     : "R. Tyler Croy (Primary GnuPG key) "
 Fingerprint: 9062 865a 46e8 c749 2bf1 88d7 1426 c7dc 3f51 e16f
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0x6E33EEFA:
 Userid     : "Jenkins project CLA (Used to encrypt Jenkins CLA papers) "
 Fingerprint: 6700 1114 1555 fcf3 99f3 9b7b fc59 c362 6e33 eefa
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0x4B624311:
 Userid     : "Jesse Glick "
 Fingerprint: 618c a586 a048 52de 7bce 1c58 1dda 69d9 4b62 4311
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0xE8101D5A:
 Userid     : "Caleb Tennis "
 Fingerprint: 9941 3f98 1175 3c5e b28a 09ac 5ef1 d39c e810 1d5a
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0x47EAF7F3:
 Userid     : "Operating system distro security contacts "
 Fingerprint: b217 afa7 a294 9376 3c96 4330 d6ce 4cae 47ea f7f3
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0x68771A01:
 Userid     : "Jenkins Release Process (For signing Jenkins releases) "
 Fingerprint: e117 f441 30bf ecc8 172a ee9a ce90 5869 6877 1a01
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0xAF9AF9AC:
 Userid     : "MITRE CVE Numbering Authority "
 Fingerprint: 9f4d 81b7 60e2 20d7 8a86 fe9f a965 5407 af9a f9ac
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0x9CB33414:
 Userid     : "Ryan Campbell "
 Fingerprint: 824f 9b93 f9e5 07cc 449b 6763 b847 92a7 9cb3 3414
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0xEC8C9492:
 Userid     : "Keybase.io Merkle Signing (v1) "
 Fingerprint: 03e1 46cd af81 3668 0ad5 6691 2a32 340c ec8c 9492
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0xFFE2CC0B:
 Userid     : "Ben Walding "
 Fingerprint: 78db c03e a153 1ca3 7d79 e448 f610 8786 ffe2 cc0b
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y
Importing GPG key 0x2511645D:
 Userid     : "Seahorse "
 Fingerprint: 23ad 7aa3 19e8 09b4 b8ce 1f56 534f 9667 2511 645d
 From       : http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Is this ok [y/N]: y

Public key for jenkins-2.19.2-1.1.noarch.rpm is not installed

 Failing package is: jenkins-2.19.2-1.1.noarch
 GPG Keys are configured as: http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key

Originally reported by jhoblitt, imported from: invalid GPG signatures on redhat stable packages
  • assignee: rtyler
  • status: Resolved
  • priority: Blocker
  • resolution: Fixed
  • resolved: 2016-11-08T17:19:42+01:00
  • imported: 2022/01/10

jenkins-infra-bot commented 7 years ago

rtyler:

Yep, I'm working on this right now. Looks like the wrong set of keys was exported for me.

jenkins-infra-bot commented 7 years ago

jhoblitt:

Is https://ci.jenkins-ci.org/ set up to use the docker pipeline plugin? Might be worth having a job to test installation from the yum repos.

jenkins-infra-bot commented 7 years ago

rtyler:

Joshua Hoblitt, fwiw, I've added some tests to jenkins-infra/acceptance-tests which are running hourly on ci.jenkins.io

jenkins-infra-bot commented 7 years ago

jhoblitt:

I looked briefly and they look reasonable to me. Prompt me next time to write the tests...

jenkins-infra-bot commented 2 years ago

[Is related to: WEBSITE-741]
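
The installation test suggested in the thread can be approximated by auditing the `yum install` transcript a CI job captures. The following is an added example, not part of the original issue and not the code in jenkins-infra/acceptance-tests; the `audit` function and the pinned fingerprint allowlist are assumptions made for illustration.

```python
import re
import sys

# Excerpt of the yum transcript quoted in this issue, shortened to two of the offered keys.
TRANSCRIPT = """\
warning: /var/cache/yum/x86_64/7/jenkins/packages/jenkins-2.19.2-1.1.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID d50582e6: NOKEY
Retrieving key from http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
Importing GPG key 0xD50582E6:
 Userid     : "Kohsuke Kawaguchi "
 Fingerprint: 150f de3f 7787 e7d1 1ef4 e12a 9b7d 32f2 d505 82e6
Importing GPG key 0x2376BFC7:
 Userid     : "Stephen Connolly (personal) "
 Fingerprint: 8a53 9937 85ef 0c35 634d 7a51 580e 8ad9 2376 bfc7
Public key for jenkins-2.19.2-1.1.noarch.rpm is not installed
 Failing package is: jenkins-2.19.2-1.1.noarch
"""

SIG_RE = re.compile(r"Signature, key ID ([0-9a-fA-F]{8,16}): NOKEY")
FPR_RE = re.compile(r"^\s*Fingerprint: ((?:[0-9a-fA-F]{4} ?){10})\s*$", re.M)
FAIL_RE = re.compile(r"^\s*Failing package is: (\S+)", re.M)


def audit(transcript, pinned):
    """Return the signer key ID, offered fingerprints and findings.

    pinned: full fingerprints (40 lowercase hex chars) the job expects the
    repo key file to offer. Full fingerprints are compared because a short
    key ID is only 32 bits and does not identify a key on its own.
    """
    signer = SIG_RE.search(transcript)
    signer_id = signer.group(1).lower() if signer else None
    offered = [f.replace(" ", "").lower() for f in FPR_RE.findall(transcript)]
    findings = []
    for fpr in offered:
        # Every key accepted at the prompt becomes trusted by rpm.
        if fpr not in pinned:
            findings.append("unexpected key offered: " + fpr)
    if signer_id and not any(f.endswith(signer_id) for f in offered):
        findings.append("signer key ID %s not in key file" % signer_id)
    failed = FAIL_RE.search(transcript)
    if failed:
        findings.append("signature check failed for " + failed.group(1))
    return {"signer_id": signer_id, "offered": offered, "findings": findings}


if __name__ == "__main__":
    # Hypothetical allowlist for the demo: the one fingerprint this job expects.
    result = audit(TRANSCRIPT, {"150fde3f7787e7d11ef4e12a9b7d32f2d50582e6"})
    print("\n".join(result["findings"]) or "ok")
    sys.exit(1 if result["findings"] else 0)
```
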