Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3308
Views
0
Helpful
0
Comments

Heads-up: GPG key for Duo Unix updated May 18, 2020

Kelly4
Level 1
Level 1

on ‎05-19-2020 06:06 AM

Hello!

As of May 18, 2020, we have updated the GPG key used to sign Duo Unix distribution packages to improve the strength and security of our package signatures. If you are currently using this application, the next time that you upgrade the Duo Unix package via yum, apt, or apt-get, you will also have to update the key.

Depending on which distribution of Unix you are using, you will need to run the following command during the application upgrade process to update the GPG key.

CentOS and Red Hat Enterprise Linux (RHEL)
rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc

Ubuntu and Debian
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -

These are the same commands that must be run to import Duo’s GPG signing keys for a new installation of Duo Unix.

If you are running Duo Unix on CentOS 5, RHEL 5, Debian 6 or 7, or Ubuntu 12.04, you do not need to update your GPG key as these distributions are no longer supported by Duo and the latest version packages of Duo Unix available on these distributions are signed using the deprecated GPG key. You can find the deprecated GPG public keys here:

Use these keys to verify the signature on these unsupported distributions. Note that the deprecated CentOS/RHEL/Debian GPG key expires in August 2020 and the deprecated Ubuntu key expires in October 2024, after which the GPG signature on these packages will fail to verify.

If you are currently running Duo Unix and try to upgrade to the latest version without updating the GPG key, you will see an error similar to the following.

Example error when using apt update

W: GPG error: https://pkg.duosecurity.com/Debian buster Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 01EF98E910448FDB
E: The repository 'https://pkg.duosecurity.com/Debian buster Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Possible errors when using yum install duo_unix

Example 1
warning: /var/cache/yum/x86_64/7/duosecurity/packages/duo_unix-1.11.3-0.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 15d32efc: NOKEYB/s | 0 B --:--:-- ETA
Public key for duo_unix-1.11.3-0.el7.x86_64.rpm is not installed duo_unix-1.11.3-0.el7.x86_64.rpm | 271 kB 00:00:00
Public key for duo_unix-1.11.3-0.el7.x86_64.rpm is not installed

Example 2
warning: /var/cache/dnf/duosecurity-5210dc72009e9f56/packages/duo_unix-1.11.3-0.el8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 10448fdb: NOKEY
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'. Error: GPG check FAILED

Let us know if you have any questions about this!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents