K6 rpm package GPG key is no longer valid

Hi Team,
I am not sure when this stopped working (looks like the key expired in March), but I was updating my k6 package today via dnf and it failed with the error below:

$ sudo dnf install k6
Last metadata expiration check: 1:19:07 ago on Sat 06 May 2023 07:37:05 BST.
Dependencies resolved.
==================================================================================================================================================================================================================
 Package                                         Architecture                                        Version                                                Repository                                       Size
==================================================================================================================================================================================================================
Installing:
 k6                                              x86_64                                              0.44.0-1                                               k6                                               23 M

Transaction Summary
==================================================================================================================================================================================================================
Install  1 Package

Total size: 23 M
Installed size: 48 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] k6-v0.44.0-amd64.rpm: Already downloaded
error: Verifying a signature using certificate C5AD17C747E3415A3642D57D77C6C491D6AC1D69 (k6.io (key for signing binaries) <security@k6.io>):
  Key C780D0BDB1A69C86 invalid: key is not alive
      because: The subkey is not live
      because: Expired on 2023-03-12T10:49:15Z
error: Verifying a signature using certificate C5AD17C747E3415A3642D57D77C6C491D6AC1D69 (k6.io (key for signing binaries) <security@k6.io>):
  Key C780D0BDB1A69C86 invalid: key is not alive
      because: The subkey is not live
      because: Expired on 2023-03-12T10:49:15Z
k6                                                                                                                                                                                5.2 MB/s | 5.3 kB     00:00
GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-k6-io (0xD6AC1D69) is already installed
The GPG keys listed for the "k6" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: k6-0.44.0-1.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-k6-io
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

I have tried removing the repo and removing the old GPG key and then reinstalling, but I still get the same error (the GPG key looks the same as well).

I wanted to raise this here in case it was not a known issue.

Hi @apiguy

Thanks for reporting this. We are looking into it: fedora: package k6-0:0.44.0-1.x86_64 does not verify: Header V4 RSA/SHA512 Signature, key ID b1a69c86: NOTTRUSTED · Issue #3055 · grafana/k6 · GitHub, and there is a workaround there as well: fedora: package k6-0:0.44.0-1.x86_64 does not verify: Header V4 RSA/SHA512 Signature, key ID b1a69c86: NOTTRUSTED · Issue #3055 · grafana/k6 · GitHub.

We had this issue back in March (K6 rpm package GPG key is no longer valid) and something might have been missed.

I hope this helps. We’ll circle back here once this is fixed.

Cheers!

Thanks @eyeveebe, looks like there is now a fix posted in that issue you linked to. Thanks very much for replying. I did not initially think to check this repo for issues first, but I will from now on.

Hey @apiguy, sorry for the inconvenience. This should be fixed now.

Please remove the existing k6-rpm package and reinstall it:

sudo dnf remove k6-rpm
sudo dnf install https://dl.k6.io/rpm/repo.rpm
sudo dnf install k6
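One way to confirm which key in an installed repo key file has expired, as an added example that is not part of the original thread or k6's own tooling. The function reads `gpg --with-colons` output; the sample is constructed from the key IDs and expiry date in the error above, and its creation times, key sizes and non-expiring primary key are made up.

```shell
#!/bin/sh
# Added example: list expired keys and subkeys in a repo signing key file.
#
# On a live system (key path taken from the dnf output in the thread):
#   gpg --show-keys --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-k6-io \
#     | expired_keys "$(date +%s)"

# expired_keys NOW
#   stdin : `gpg --with-colons` records
#   NOW   : reference time in seconds since the epoch
#   stdout: one line per expired pub/sub record
expired_keys() {
    awk -F: -v now="$1" '
        # Field 5 = key ID, field 7 = expiry (epoch seconds, empty = never),
        # field 12 = capabilities ("s" means the key can sign).
        ($1 == "pub" || $1 == "sub") && $7 != "" && ($7 + 0) <= (now + 0) {
            printf "%s %s expired_at=%s signing=%s\n",
                   $1, $5, $7, ($12 ~ /s/ ? "yes" : "no")
        }'
}

# Constructed sample. Key IDs and the subkey expiry
# (2023-03-12T10:49:15Z = 1678618155) come from the error in the thread;
# every other field value is invented for illustration.
sample_colons() {
cat <<'EOF'
pub:-:4096:1:77C6C491D6AC1D69:1600000000:::-:::scESC:
fpr:::::::::C5AD17C747E3415A3642D57D77C6C491D6AC1D69:
uid:-::::1600000000::::k6.io (key for signing binaries) <security@k6.io>:
sub:e:4096:1:C780D0BDB1A69C86:1615546155:1678618155:::::s:
EOF
}

# Evaluate the sample as of 2023-05-06T00:00:00Z, the day of the report.
sample_colons | expired_keys 1683331200
```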