Heads-up: GPG key for Duo Unix will be updated June 2, 2022

Hello!

On June 2, 2022, we will update the GPG key used to sign Duo Unix distribution packages to improve the strength and security of our package signatures. If you are currently using this application, the next time that you upgrade the Duo Unix package on or after June 6th via yum, dnf, apt, or apt-get, you will also have to update the key.

Depending on which distribution of Unix you are using, you will need to run the following command during the application upgrade process to update the GPG key.

CentOS, Fedora and Red Hat Enterprise Linux (RHEL)
rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc

Ubuntu 18.04 and 20.04 and Debian
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -

Ubuntu 22.04:
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/duo.gpg

These are the same commands that must be run to import Duo’s GPG signing keys for a new installation of Duo Unix.

This key change does not impact deprecated OS versions such as Debian 8 or CentOS 6.

If you are currently running Duo Unix and try to upgrade to the latest version without updating the GPG key, you will see an error similar to the following.

Example error when using apt update

W: GPG error: https://pkg.duosecurity.com/Debian jessie Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …

Example error when using yum install duo_unix or dnf install duo_unix

Public key for duo_unix-1.12.1-0.el9.x86_64.rpm is not installed

The downloaded packages were saved in cache until the next successful transaction.

You can remove cached packages by executing 'yum clean packages'.

Error: GPG check FAILED

Let us know if you have any questions about this!

Good morning,

Just tried to install duo on a new server (RHEL8) after downloading the new GPG key and got a GPG check failed. Any thoughts?

Thanks,

Roger

Thanks for bringing this to our attention. There was an issue with the RHEL8 packages where the key wasn’t updated yesterday during the latest release. That should now be fixed. Let us know if you have any other issues.

During a new install today, I received the same issue

Importing GPG key 0xFF696172:
 Userid     : "Duo Security Package Signing <dev@duosecurity.com>"
 Fingerprint: D8EC 4E20 5840 1AE5 578C 4B3F 4B44 CE3D FF69 6172
 From       : https://duo.com/DUO-GPG-PUBLIC-KEY.asc
Key imported successfully
Import of key(s) didn't help, wrong key(s)?
Public key for duo_unix-1.12.0-0.el8.x86_64.rpm is not installed. Failing package is: duo_unix-1.12.0-0.el8.x86_64
 GPG Keys are configured as: https://duo.com/DUO-GPG-PUBLIC-KEY.asc
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

What linux distribution are you attempting to install Duo Unix on?
If you’re using Centos 8 (non-stream) then you will have to use the old signing key (https://duo.com/DUO-GPG-PUBLIC-KEY-MAY-2030.asc)
For other older operating systems check out https://help.duo.com/s/article/5503?language=en_US for a list of keys.

This is an Oracle Linux 8 host, though we are using the CentOS 8 repo, so that makes sense. Thank you for the link!

Edit: I’ll look into moving us onto the RedHat repo going forward.

This seems to be an issue on new AlmaLinux8 distributions as well, and not sure what's the logic using the “old signing key” - but definitely works with the MAY-2030.asc - Thanks!

Just had the GPG key update fail with this error:

[root@XXXXXX ~]# rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc

error: https://duo.com/DUO-GPG-PUBLIC-KEY.asc: key 1 not an armored public key.

Not finding a solution online - anyone else seen it?

Could you provide more context for the error you’re seeing?
What OS are you on?
what version of RPM are you running?
How did you get the key onto your computer?
Does the file look correct when viewed with a text editor?

Whelp I was so busy searching I didn’t write down the hosts I was seeing this error on. While I try to find that - my servers are going to be RHEL 7 and/or RHEL 8.

I’m not sure how to provide more context - Duo is stopping “yum update” from running with the failed GPG key and when I try to run the rpm --import command - it’s failing

It’s pulling the file from the web as shown in the post. I’m never seeing the file as it’s downloaded with the rpm command and I never thought to look at it.

Some versions of RPM don’t like ASCII armored keys without a trailing newline. The key has been updated to have a trailing newline now. Please try re-importing the key.
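An added check, not part of Duo's announcement or any reply in this thread, that a practitioner can run against the downloaded DUO-GPG-PUBLIC-KEY.asc before handing it to rpm --import, apt-key or gpg --dearmor. It covers the two failure modes raised above: it rejects malformed or truncated armor (the "not an armored public key" case, including the missing trailing newline that some rpm versions choke on) and it compares the key's v4 fingerprint against the one rpm printed earlier in the thread, so a key fetched over a connection you could not fully verify is never imported blindly. DUO_FINGERPRINT is copied from that rpm output; the sample key the script builds is a constructed test vector with meaningless RSA values, there only so the code runs offline, and the packet and MPI layout follow RFC 4880.

```python
"""Sanity-check an ASCII-armored OpenPGP public key before importing it:
well-formed armor, matching CRC24, trailing newline, expected fingerprint.
Standard library only; runs offline."""
import base64
import hashlib
import struct

# Copied from the "rpm --import" output quoted earlier in this thread.
DUO_FINGERPRINT = "D8EC 4E20 5840 1AE5 578C 4B3F 4B44 CE3D FF69 6172"

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the armor and return raw packet bytes, verifying the CRC line."""
    lines = text.splitlines()
    if BEGIN not in lines or END not in lines:
        raise ValueError("not an armored public key")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    # Armor headers ("Version: ...", "Comment: ...") end at the first blank line.
    data = body[body.index("") + 1:] if "" in body else body
    data = [line for line in data if line.strip()]
    crc_line = data.pop() if data and data[-1].startswith("=") else None
    raw = base64.b64decode("".join(data), validate=True)
    if crc_line is not None:
        want = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if crc24(raw) != want:
            raise ValueError("armor CRC24 mismatch: file truncated or tampered")
    return raw


def first_packet(raw: bytes):
    """Return (tag, body) of the first packet; handles old and new headers."""
    hdr = raw[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                      # new-format header
        tag, first = hdr & 0x3F, raw[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + raw[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", raw[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                               # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 0:
            length, off = raw[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", raw[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", raw[1:5])[0], 5
        else:
            raise ValueError("indeterminate packet length not supported")
    return tag, raw[off:off + length]


def fingerprint(raw: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, 2-byte body length, packet body."""
    tag, body = first_packet(raw)
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, expected public key (6)")
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def check_key(text: str, expected_fp: str):
    """Return (fingerprint, problems); an empty problems list means safe to import."""
    problems = []
    if not text.endswith("\n"):
        problems.append("no trailing newline (some rpm versions reject this)")
    fp = fingerprint(dearmor(text))
    if fp != expected_fp.replace(" ", "").upper():
        problems.append(f"fingerprint {fp} does not match the published one")
    return fp, problems


def build_sample_key() -> str:
    """Constructed test vector: a v4 RSA public-key packet with made-up,
    cryptographically meaningless MPIs, armored like gpg --export -a output."""
    def mpi(n: int) -> bytes:
        return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1654128000) + b"\x01" + mpi(0xC0FFEE1234567891) + mpi(65537)
    packet = bytes([0x80 | (6 << 2), len(body)]) + body   # old-format header, 1-byte length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n{b64}\n={crc}\n{END}\n"


if __name__ == "__main__":
    key_text = build_sample_key()   # real use: open("DUO-GPG-PUBLIC-KEY.asc").read()
    print(check_key(key_text, DUO_FINGERPRINT))
```

Run it on the real file and only proceed with rpm --import or the apt steps when the problems list is empty; a CRC or fingerprint mismatch on a key fetched through a proxy or a box with a broken CA bundle is exactly the case where importing anyway would be the wrong move. The fingerprint computed here is the same value rpm prints on import, so the two can be cross-checked.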

Anyone got a resolution to this issue? I am trying to install DUO Unix as well on RHEL 8.5, and after running the command rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc, I get the following error. See below. I don’t know if this is more of a RHEL issue or not, but just wanted to see if anyone out there has any thoughts. I do have a case open with DUO, but have not heard back.

Error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
error: https://duo.com/DUO-GPG-PUBLIC-KEY.asc: import read failed(2).

@amiguel Your issue looks different. Does your RHEL server trust the full Amazon Root CA 1 issuer chain?

ETA you can see the chain used by our site here.

how can I check that or would you have a command I can run to validate this?

I found some pages on the internet which might help you:

I do not believe this has to do with the Amazon cert chain. Other RHEL 8 servers that are working with the same installation do not have the Amazon cert chain. It seems to be something else.

We’ve been able to get around the issue I have by downloading the rpm manually, disabling /etc/yum.repos.d/duosecurity.repo and running the install with the downloaded rpm. I still would like to know why doing the install with the repo does not work.

There still seems to be an issue with the GPG key. We are also getting this error "error: https://duo.com/DUO-GPG-PUBLIC-KEY.asc: key 1 not an armored public key" when doing installs on RHEL 6. Any thoughts?