YUM repository not signed with Percona's key (key change?)

I’m seeing trouble in our CI system when we test that it’s possible to install the latest percona-toolkit package using YUM.

Dependencies Resolved

========================================================================================================================
Package Arch Version Repository Size
========================================================================================================================
Installing:
percona-toolkit x86_64 3.0.13-1.el7 percona-release-x86_64 7.4 M
Installing for dependencies:
perl-DBD-MySQL x86_64 4.023-6.el7 base 140 k
perl-DBI x86_64 1.627-4.el7 base 802 k
perl-Net-Daemon noarch 0.48-5.el7 base 51 k
perl-PlRPC noarch 0.2020-14.el7 base 36 k

Transaction Summary
========================================================================================================================
Install 1 Package (+4 Dependent packages)

Total download size: 8.4 M
Installed size: 9.8 M
Is this ok [y/d/N]: y
Downloading packages:
(1/5): perl-DBD-MySQL-4.023-6.el7.x86_64.rpm | 140 kB 00:00:00 
(2/5): perl-Net-Daemon-0.48-5.el7.noarch.rpm | 51 kB 00:00:00 
(3/5): perl-PlRPC-0.2020-14.el7.noarch.rpm | 36 kB 00:00:00 
(4/5): perl-DBI-1.627-4.el7.x86_64.rpm | 802 kB 00:00:00 
warning: /var/cache/yum/x86_64/7/percona-release-x86_64/packages/percona-toolkit-3.0.13-1.el7.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8507efa5: NOKEY
Public key for percona-toolkit-3.0.13-1.el7.x86_64.rpm is not installed
(5/5): percona-toolkit-3.0.13-1.el7.x86_64.rpm | 7.4 MB 00:00:07 
------------------------------------------------------------------------------------------------------------------------
Total 1.2 MB/s | 8.4 MB 00:00:07 
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Percona


The GPG keys listed for the "Percona-Release YUM repository - x86_64" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.


Failing package is: percona-toolkit-3.0.13-1.el7.x86_64
GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Percona

According to what I’m seeing here, the signature on the Percona-Release YUM repository doesn’t match the key that signed percona-toolkit. I tried using the PGP key from https://www.percona.com/downloads/RPM-GPG-KEY-percona to validate the package instead, and that doesn’t work either.

Where can I find a trustworthy source for the PGP key that Percona is signing packages with?

Tim

Hello Tim, I think there was a temporary glitch with this update. Could you check again for me please?

There are PGP keys inside https://repo.percona.com/yum/percona-release-1.0-3.noarch.rpm

If we extract these keys and validate against those, we can make the tests pass. I’d hoped there’d be a different way to verify that these are the genuine public keys for Percona.
Am I right to guess that fetching https://repo.percona.com/yum/percona-release-1.0-3.noarch.rpm via HTTPS is the official way to verify those keys?

Tim

To get the Percona keys you have to use the percona-release package, there’s a report here about the issue and we believe it to be fixed https://jira.percona.com/browse/PT-1685

If you need more info though I can ask one of the engineers to check in with you. I think that you/your company might have found a similar issue with/for us a few months back so it might be that I am misunderstanding what you’re seeing. So please do shout out if you still need more info?