New percona-release package improperly signed?

I’ve got the percona-release RPM installed, which configures the YUM repository (https://www.percona.com/doc/percona-…um_repo.html):

rpm -qi percona-release

Name : percona-release Relocations: (not relocatable)
Version : 0.1 Vendor: (none)
Release : 3 Build Date: Mon 22 Sep 2014 04:09:02 AM EDT
Install Date: Thu 10 Jan 2019 09:52:07 AM EST Build Host: vps-centos5-x64-03.ci.percona.com
Group : System Environment/Base Source RPM: percona-release-0.1-3.src.rpm
Size : 5921 License: GPL-3.0+
Signature : DSA/SHA1, Mon 22 Sep 2014 04:09:07 AM EDT, Key ID 1c4cbdcdcd2efd2a
Summary : Package to install Percona GPG key and YUM repo
Description :
percona-release package contains Percona GPG public key and Percona repository configuration for YUM

Today I noticed there’s an upgrade, but when I try to install it, it complains that the package was signed by an untrusted key. I downloaded the RPM file and checked its key:

rpm -qip /tmp/percona-release-1.0-3.noarch.rpm

warning: /tmp/percona-release-1.0-3.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 8507efa5: NOKEY
Name : percona-release Relocations: (not relocatable)
Version : 1.0 Vendor: (none)
Release : 3 Build Date: Mon 24 Dec 2018 02:54:31 AM EST
Install Date: (not installed) Build Host: minimal-centos-7-x64-1316.ci.percona.com
Group : System Environment/Base Source RPM: percona-release-1.0-3.src.rpm
Size : 18261 License: GPL-3.0+
Signature : RSA/8, Mon 24 Dec 2018 02:54:33 AM EST, Key ID 9334a25f8507efa5
Summary : Package to install Percona GPG key and YUM repo
Description :
percona-release package contains Percona GPG public keys and Percona repository configuration for YUM

Sure enough, it doesn’t match. Is this percona-release-1.0-3 package legitimate? Why the different signing key?

Thanks

Norman

A little more googling indicates this key is legit, explained here: https://www.percona.com/blog/2016/10/13/new-signing-key-for-percona-debian-and-ubuntu-packages.

But I’m still not sure why this is appearing in the yum repository’s rpm files. The percona-release-1.0-1, released on Dec 20th, seems to have been signed by 8507efa5. The 1.0-2 package, released on Dec 24th, was signed by 8507efa5.

Any idea why?

Thanks!

Norman
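The two rpm outputs above differ in three security-relevant ways: the key ID (1c4cbdcdcd2efd2a versus 9334a25f8507efa5), whether that key is already imported into the rpm database (the NOKEY warning), and the signature algorithm (DSA/SHA1 versus RSA with hash algorithm 8, which is SHA-256 in OpenPGP numbering, matching the RSA/SHA256 in the warning line). The following script is an added example, not part of the forum thread or Percona's tooling: it parses `rpm -qip` text like the output pasted above, extracts the long key ID, cross-checks it against the short ID named in the NOKEY warning (the short ID is the last eight hex digits of the long one, which is how 8507efa5 relates to 9334a25f8507efa5), and compares it with an allowlist of key IDs. The allowlist contents and the function names are assumptions made for the example; the sample outputs are copied from the thread.

```python
"""Check the signing key reported by `rpm -qip` against a trusted allowlist.

Added example, not code from the forum thread or from Percona. The sample
outputs below are copied from the thread; the allowlist is an assumption.
"""
import re

# Long (16 hex digit) key IDs seen in the thread. Treating them as trusted is
# an assumption for this example; a real allowlist comes from the vendor's
# published key material, fetched over HTTPS and pinned.
TRUSTED_KEY_IDS = {
    "1c4cbdcdcd2efd2a",  # key on the installed percona-release-0.1-3
    "9334a25f8507efa5",  # key on percona-release-1.0-3 (short ID 8507efa5)
}

# "Signature : RSA/8, Mon 24 Dec 2018 02:54:33 AM EST, Key ID 9334a25f8507efa5"
SIG_RE = re.compile(
    r"^Signature\s*:\s*(?P<algo>[^,]+),\s*(?P<date>[^,]+),\s*Key ID\s+"
    r"(?P<keyid>[0-9a-fA-F]{16})",
    re.MULTILINE,
)
# "warning: ...: Header V4 RSA/SHA256 Signature, key ID 8507efa5: NOKEY"
NOKEY_RE = re.compile(r"key ID (?P<short>[0-9a-fA-F]{8}): NOKEY")


def parse_signature(rpm_qi_output: str) -> dict:
    """Extract algorithm, long key ID and any NOKEY short ID from rpm -qi text."""
    m = SIG_RE.search(rpm_qi_output)
    if not m:
        raise ValueError("no Signature line found in rpm output")
    nokey = NOKEY_RE.search(rpm_qi_output)
    return {
        "algo": m["algo"].strip(),
        "keyid": m["keyid"].lower(),
        "nokey_short": nokey["short"].lower() if nokey else None,
    }


def check_package(rpm_qi_output: str, trusted=TRUSTED_KEY_IDS) -> dict:
    """Return a verdict dict describing how the package's signature measures up."""
    sig = parse_signature(rpm_qi_output)
    short_id = sig["keyid"][-8:]  # short key ID = low 32 bits of the long ID
    return {
        "keyid": sig["keyid"],
        "short_id": short_id,
        # Key ID is on our allowlist (not the same as "rpm trusts it").
        "trusted": sig["keyid"] in trusted,
        # No NOKEY warning means rpm already has the public key imported.
        "key_imported": sig["nokey_short"] is None,
        # The NOKEY warning and the Signature line must name the same key.
        "consistent": sig["nokey_short"] in (None, short_id),
        # SHA-1 signatures are no longer collision resistant; flag them.
        "weak_digest": "SHA1" in sig["algo"].upper(),
    }


# Sample inputs copied from the thread (constructed fixtures for this example).
OLD_OUTPUT = """\
Name : percona-release Relocations: (not relocatable)
Version : 0.1 Vendor: (none)
Release : 3 Build Date: Mon 22 Sep 2014 04:09:02 AM EDT
Signature : DSA/SHA1, Mon 22 Sep 2014 04:09:07 AM EDT, Key ID 1c4cbdcdcd2efd2a
"""

NEW_OUTPUT = """\
warning: /tmp/percona-release-1.0-3.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 8507efa5: NOKEY
Name : percona-release Relocations: (not relocatable)
Version : 1.0 Vendor: (none)
Release : 3 Build Date: Mon 24 Dec 2018 02:54:31 AM EST
Signature : RSA/8, Mon 24 Dec 2018 02:54:33 AM EST, Key ID 9334a25f8507efa5
"""

if __name__ == "__main__":
    for label, text in (("0.1-3", OLD_OUTPUT), ("1.0-3", NEW_OUTPUT)):
        verdict = check_package(text)
        flags = [k for k in ("trusted", "key_imported", "consistent") if not verdict[k]]
        if verdict["weak_digest"]:
            flags.append("weak_digest")
        print(f"{label}: key {verdict['keyid']} short {verdict['short_id']} "
              f"issues={flags or 'none'}")
```

Run against the thread's outputs, the 1.0-3 package comes back with its key on the allowlist but not yet imported (key_imported False), which is exactly the state the first post describes; the 0.1-3 package is imported and allowlisted but flagged for its DSA/SHA1 signature. This is a triage aid for reading rpm's text, not a replacement for the real signature check: `rpm -K <file>` (or `rpm --checksig`) verifies the signature cryptographically, and `rpm -q gpg-pubkey` lists which keys the rpm database already trusts.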

You can fetch that package via HTTPS, which gives some credibility - https://repo.percona.com/yum/percona-release-1.0-3.noarch.rpm
It’s been a problem here too, and for some of our customers.

Okay, I installed 1.0-1, then upgraded to 1.0-3. Seems that 1.0-1 is the “lilypad” version you need to move forward. That worked.

Thanks

Norman