timshores1
Level 1

Hello!

On June 2, 2022, we will update the GPG key used to sign Duo Unix distribution packages to improve the strength and security of our package signatures. If you are currently using this application, the next time that you upgrade the Duo Unix package on or after June 6th via yum, dnf, apt, or apt-get, you will also have to update the key.

Depending on which distribution of Unix you are using, you will need to run the following command during the application upgrade process to update the GPG key.

CentOS, Fedora and Red Hat Enterprise Linux (RHEL)
rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc

Ubuntu 18.04 and 20.04 and Debian
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -

Ubuntu 22.04:
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/duo.gpg

These are the same commands that must be run to import Duo’s GPG signing keys for a new installation of Duo Unix.

This key change does not impact deprecated OS versions such as Debian 8 or CentOS 6.

If you are currently running Duo Unix and try to upgrade to the latest version without updating the GPG key, you will see an error similar to the following.

Example error when using apt update

W: GPG error: https://pkg.duosecurity.com/Debian jessie Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …

Example error when using yum install duo_unix or dnf install duo_unix

Public key for duo_unix-1.12.1-0.el9.x86_64.rpm is not installed

The downloaded packages were saved in cache until the next successful transaction.

You can remove cached packages by executing 'yum clean packages'.

Error: GPG check FAILED

Let us know if you have any questions about this!

Comments
Roger_Facer
Level 1

Good morning,

Just tried to install duo on a new server (RHEL8) after downloading the new GPG key and got a GPG check failed. Any thoughts?

Thanks,

Roger

mbishop1
Level 1

Thanks for bringing this to our attention. There was an issue with the RHEL8 packages where the key wasn’t updated yesterday during the latest release. That should now be fixed. Let us know if you have any other issues.

tewalden
Level 1

During a new install today, I received the same issue:

Importing GPG key 0xFF696172:
 Userid     : "Duo Security Package Signing <dev@duosecurity.com>"
 Fingerprint: D8EC 4E20 5840 1AE5 578C 4B3F 4B44 CE3D FF69 6172
 From       : https://duo.com/DUO-GPG-PUBLIC-KEY.asc
Key imported successfully
Import of key(s) didn't help, wrong key(s)?
Public key for duo_unix-1.12.0-0.el8.x86_64.rpm is not installed. Failing package is: duo_unix-1.12.0-0.el8.x86_64
 GPG Keys are configured as: https://duo.com/DUO-GPG-PUBLIC-KEY.asc
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
mbishop1
Level 1

What Linux distribution are you attempting to install Duo Unix on?
If you’re using CentOS 8 (non-stream), then you will have to use the old signing key (https://duo.com/DUO-GPG-PUBLIC-KEY-MAY-2030.asc).
For other older operating systems, check out https://help.duo.com/s/article/5503?language=en_US for a list of keys.

tewalden
Level 1

This is an Oracle Linux 8 host, though we are using the CentOS 8 repo, so that makes sense. Thank you for the link!

Edit: I’ll look into moving us onto the RedHat repo going forward.

gladia2r
Level 1

This seems to be an issue on new AlmaLinux8 distributions as well, and not sure what’s the logic using the “old signing key” - but definitely works with the MAY-2030.asc - Thanks!

geob-mda
Level 1

Just had the GPG key update fail with this error:

[root@XXXXXX ~]# rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc

error: https://duo.com/DUO-GPG-PUBLIC-KEY.asc: key 1 not an armored public key.

Not finding a solution online - anyone else seen it?

mbishop1
Level 1

Could you provide more context for the error you’re seeing?
What OS are you on?
What version of RPM are you running?
How did you get the key onto your computer?
Does the file look correct when viewed with a text editor?

geob-mda
Level 1

Whelp I was so busy searching I didn’t write down the hosts I was seeing this error on. While I try to find that - my servers are going to be RHEL 7 and/or RHEL 8.

I’m not sure how to provide more context - Duo is stopping “yum update” from running with the failed GPG key, and when I try to run the rpm --import command, it’s failing.

It’s pulling the file from the web as shown in the post. I’m never seeing the file as it’s downloaded with the rpm command and I never thought to look at it.

mbishop1
Level 1

Some versions of RPM don’t like ASCII armored keys without a trailing newline. The key has been updated to have a trailing newline now. Please try re-importing the key.
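
The failures reported in this thread (a file that is not an armored key, a missing trailing newline, a key that is not the expected one) can be checked on a downloaded copy before `rpm --import` is run. This is an added example, not part of the thread or Duo's tooling; the function names are hypothetical, and the expected fingerprint is the one printed in the dnf output quoted above, taken here as an assumption to confirm against the vendor's documentation.

```shell
#!/usr/bin/env bash
# Added example (not Duo's code): pre-import checks on a downloaded key file.
# EXPECTED_FPR is copied from the dnf output quoted on this page; treat it as an
# assumption and confirm it against the vendor's documentation before relying on it.
EXPECTED_FPR="D8EC 4E20 5840 1AE5 578C 4B3F 4B44 CE3D FF69 6172"

# Remove spaces and uppercase hex so fingerprints compare regardless of layout.
normalize_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'; }

fpr_matches() { [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]; }

# True if the file opens with the public-key armor header and contains the footer.
# An HTML error page or a truncated download fails here.
is_armored_pubkey() {
  [ "$(head -n 1 "$1" | tr -d '\r')" = "-----BEGIN PGP PUBLIC KEY BLOCK-----" ] &&
    grep -q '^-----END PGP PUBLIC KEY BLOCK-----' "$1"
}

# True if the last byte is a newline; the thread notes some rpm versions reject
# armored keys that lack one.
ends_with_newline() {
  [ -s "$1" ] && [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Returns 0 if the file is well formed, 1 if not armored, 2 if the newline is missing.
check_key_format() {
  is_armored_pubkey "$1" || { echo "not an armored public key: $1" >&2; return 1; }
  ends_with_newline "$1" || { echo "missing trailing newline: $1" >&2; return 2; }
}

# Print the primary key fingerprint without importing the key.
# Requires a GnuPG version that supports --show-keys.
key_fingerprint() {
  gpg --show-keys --with-colons "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fails closed: an empty fingerprint (gpg missing or parse error) never matches.
verify_fingerprint() { fpr_matches "$(key_fingerprint "$1")" "$EXPECTED_FPR"; }

# Usage: ./check-key.sh duo.asc   (after: curl -fsS -o duo.asc <key URL>)
if [ "$#" -eq 1 ]; then
  check_key_format "$1" && verify_fingerprint "$1" && echo "OK to import: $1"
fi
```

Downloading to a file first also means the bytes that were checked are the bytes that get imported, which is not the case when `rpm --import` fetches the URL itself.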

amiguel
Level 1

Anyone got a resolution to this issue? I am trying to install DUO Unix as well on RHEL 8.5, and after running the command rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc, I get the following error. See below. I don’t know if this is more of a RHEL issue or not, but just wanted to see if anyone out there has any thoughts. I do have a case open with DUO, but have not heard back.

Error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
error: https://duo.com/DUO-GPG-PUBLIC-KEY.asc: import read failed(2).

DuoKristina
Cisco Employee
amiguel
Level 1

How can I check that, or would you have a command I can run to validate this?

DuoKristina
Cisco Employee

I found some pages on the internet which might help you:

amiguel
Level 1

I do not believe this has to do with the Amazon cert chain. Other RHEL 8 servers that are working with the same installation do not have the Amazon cert chain. It seems to be something else.
