Recently I received a report about a flaw in RPM's signature check functionality when reading a package file.
To fix this issue, I built and released new repository RPMs for the following platforms:
- RHEL/Rocky Linux/CentOS/Oracle Linux 8 - x86_64 (42.0.17)
- RHEL/CentOS/Oracle Linux 7 - x86_64 (42.0.17.1)
- Fedora 34, 33 and 32 (42.0.15)
Basically, the repo config files now include the repo_gpgcheck = 1 parameter, per the information above. I also used this opportunity to update the email address in the GPG key file.
However, this update may require manual changes to the repo config files. If you have edited the config file before, the new config file won’t overwrite the existing file; instead, the update creates a new configuration file with the .rpmnew extension:

In this case, please merge your changes from the old configuration file into the new one, and then move the new file over the old file:
- For RHEL/Rocky Linux/CentOS/Oracle Linux:
mv /etc/yum.repos.d/pgdg-redhat-all.repo.rpmnew /etc/yum.repos.d/pgdg-redhat-all.repo
- Fedora:
mv /etc/yum.repos.d/pgdg-fedora-all.repo.rpmnew /etc/yum.repos.d/pgdg-fedora-all.repo
You will not need this step if you have not edited the config file.
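After a manual merge it is worth confirming that the new setting survived in every section. The following is an added example, not part of the original post or of the PGDG packaging: a shell check that lists leftover .rpmnew files and reports any section of a repo file that does not set repo_gpgcheck = 1. The section names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the PGDG project's tooling.

# Print each [section] of a .repo file that does not set repo_gpgcheck to 1.
# The page's files use "1"; any other spelling is reported for review.
sections_missing_repo_gpgcheck() {
    awk '
        function report() { if (name != "" && !ok) print name }
        /^[ \t]*[#;]/ { next }                  # commented-out lines do not count
        /^[ \t]*\[.*\][ \t]*$/ {                # section header: close the previous one
            report(); name = $0; ok = 0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            next
        }
        /^[ \t]*repo_gpgcheck[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            ok = (val == "1")
        }
        END { report() }
    ' "$1"
}

# List leftover *.repo.rpmnew files in a directory (merge still pending).
pending_rpmnew() {
    for f in "$1"/*.repo.rpmnew; do
        if [ -f "$f" ]; then printf '%s\n' "${f##*/}"; fi
    done
}

# Constructed sample: a hand-merged file in which one section lost the setting.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '[example-signed]' 'enabled=1' 'gpgcheck=1' 'repo_gpgcheck = 1' \
        '' '[example-hand-merged]' 'enabled=1' 'gpgcheck=1' '# repo_gpgcheck = 1' \
        > "$d/sample.repo"
    : > "$d/sample.repo.rpmnew"
    printf '%s\n' "$d"
}

sample_dir=$(make_sample)
echo "merge pending: $(pending_rpmnew "$sample_dir")"
echo "missing repo_gpgcheck: $(sections_missing_repo_gpgcheck "$sample_dir/sample.repo")"
rm -rf "$sample_dir"
```

On a real system, call the two functions with /etc/yum.repos.d and the repo file named above; empty output from both means the merge is complete and the setting is present in every section.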
When you run dnf/yum without the -y parameter, you’ll be asked to confirm the GPG key for PGDG repos:

If you specify -y, you won’t have to type y at each prompt. This is a one-time operation, and won’t be needed in the future (hopefully)!
If you have any questions, please report to us.