Heads-up: GPG key for Duo Unix will be updated June 2, 2022

Hello!

On June 2, 2022, we will update the GPG key used to sign Duo Unix distribution packages to improve the strength and security of our package signatures. If you are currently using this application, the next time that you upgrade the Duo Unix package on or after June 6th via yum, dnf, apt, or apt-get, you will also have to update the key.

Depending on which distribution of Unix you are using, you will need to run the following command during the application upgrade process to update the GPG key.

CentOS, Fedora and Red Hat Enterprise Linux (RHEL)
rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc

Ubuntu 18.04 and 20.04 and Debian
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -

Ubuntu 22.04:
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/duo.gpg

These are the same commands that must be run to import Duo’s GPG signing keys for a new installation of Duo Unix.

This key change does not impact deprecated OS versions such as Debian 8 or CentOS 6.

If you are currently running Duo Unix and try to upgrade to the latest version without updating the GPG key, you will see an error similar to the following.

Example error when using apt update

W: GPG error: https://pkg.duosecurity.com/Debian jessie Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …

Example error when using yum install duo_unix or dnf install duo_unix

Public key for duo_unix-1.12.1-0.el9.x86_64.rpm is not installed

The downloaded packages were saved in cache until the next successful transaction.

You can remove cached packages by executing 'yum clean packages'.

Error: GPG check FAILED

Let us know if you have any questions about this!

2 Likes

Good morning,

Just tried to install duo on a new server (RHEL8) after downloading the new GPG key and got a GPG check failed. Any thoughts?

Thanks,

Roger

1 Like

Thanks for bringing this to our attention. There was an issue with the RHEL8 packages where the key wasn’t updated yesterday during the latest release. That should now be fixed. Let us know if you have any other issues.

2 Likes

During a new install today, I received the same issue.

Importing GPG key 0xFF696172:
 Userid     : "Duo Security Package Signing <dev@duosecurity.com>"
 Fingerprint: D8EC 4E20 5840 1AE5 578C 4B3F 4B44 CE3D FF69 6172
 From       : https://duo.com/DUO-GPG-PUBLIC-KEY.asc
Key imported successfully
Import of key(s) didn't help, wrong key(s)?
Public key for duo_unix-1.12.0-0.el8.x86_64.rpm is not installed. Failing package is: duo_unix-1.12.0-0.el8.x86_64
 GPG Keys are configured as: https://duo.com/DUO-GPG-PUBLIC-KEY.asc
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

What Linux distribution are you attempting to install Duo Unix on?
If you’re using CentOS 8 (non-stream), then you will have to use the old signing key (https://duo.com/DUO-GPG-PUBLIC-KEY-MAY-2030.asc).
For other older operating systems, check out https://help.duo.com/s/article/5503?language=en_US for a list of keys.

2 Likes

This is an Oracle Linux 8 host, though we are using the CentOS 8 repo, so that makes sense. Thank you for the link!

Edit: I’ll look into moving us onto the Red Hat repo going forward.

1 Like

This seems to be an issue on new AlmaLinux 8 distributions as well, and not sure what’s the logic using the “old signing key” - but definitely works with the MAY-2030.asc - Thanks!

Just had the GPG key update fail with this error:

[root@XXXXXX ~]# rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc

error: https://duo.com/DUO-GPG-PUBLIC-KEY.asc: key 1 not an armored public key.

Not finding a solution online - anyone else seen it?

Could you provide more context for the error you’re seeing?
What OS are you on?
What version of RPM are you running?
How did you get the key onto your computer?
Does the file look correct when viewed with a text editor?

Whelp I was so busy searching I didn’t write down the hosts I was seeing this error on. While I try to find that - my servers are going to be RHEL 7 and/or RHEL 8.

I’m not sure how to provide more context - Duo is stopping “yum update” from running with the failed GPG key, and when I try to run the rpm --import command - it’s failing.

It’s pulling the file from the web as shown in the post. I’m never seeing the file as it’s downloaded with the rpm command and I never thought to look at it.

Some versions of RPM don’t like ASCII armored keys without a trailing newline. The key has been updated to have a trailing newline now. Please try re-importing the key.

1 Like
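A pre-import check for the failure discussed in the last few posts, as an added example that is not part of the original thread or Duo's own tooling: it inspects a key file saved to disk for the armor header and footer and for the trailing newline before the file is passed to rpm --import. The function names and return codes are this example's own, and the local file name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: sanity-check a downloaded ASCII-armored public key file
# before running `rpm --import` on it. Names and return codes are
# specific to this example.
#
# Usage (duo.asc is an assumed local file name):
#   curl -fsS -o duo.asc https://duo.com/DUO-GPG-PUBLIC-KEY.asc
#   check_armored_key duo.asc && rpm --import duo.asc

# check_armored_key FILE
#   0 = armored public key block that ends in a newline
#   1 = file missing or empty
#   2 = armor header or footer not found (the saved file is not a key)
#   3 = armor present, but the final newline is missing
check_armored_key() {
    f=$1
    [ -s "$f" ] || return 1

    # First and last non-blank lines, with any CR from CRLF endings removed.
    first=$(tr -d '\r' < "$f" | grep -v '^[[:space:]]*$' | head -n 1)
    last=$(tr -d '\r' < "$f" | grep -v '^[[:space:]]*$' | tail -n 1)

    [ "$first" = "-----BEGIN PGP PUBLIC KEY BLOCK-----" ] || return 2
    [ "$last" = "-----END PGP PUBLIC KEY BLOCK-----" ] || return 2

    # Command substitution strips a trailing newline, so an empty result
    # here means the last byte of the file is "\n".
    [ -z "$(tail -c 1 "$f")" ] || return 3
    return 0
}

# fix_trailing_newline FILE: append the missing newline in place.
fix_trailing_newline() {
    printf '\n' >> "$1"
}
```

A return code of 3 corresponds to the missing-newline case described above; 2 means the download did not contain an armored key at all and should be inspected in a text editor.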