Heads-up: GPG Key Update for Duo Unix

mkorovesisduo · ‎11-04-2019

Hi everyone.

Today, we updated the GPG key used to sign Duo Unix distribution packages to improve the strength and security of our package signatures. If you are currently using this application, the next time that you upgrade the Duo Unix package via yum, apt, or apt-get, you will also have to update the key.

Depending on which distribution of Unix you are using, you will need to run the following command during the application upgrade process to update the GPG key.

CentOS and Red Hat Enterprise Linux (RHEL)

rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc

Ubuntu and Debian

curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -

These are the same commands that must be run to import Duo’s GPG signing keys for a new installation of Duo Unix. If you are running Duo Unix on CentOS5, RHEL 5, Debian 6, or Debian 7, you do not need to update your GPG key as these distributions are no longer supported by Duo and the latest version of Duo Unix available on these distributions are signed using the deprecated GPG key. You can find the deprecated RPM GPG public key here and the deprecated APT GPG public key here if you need to verify the signature on these unsupported distributions. Note that the deprecated GPG key expires in August 2020, after which the GPG signature on these packages will fail to verify.

If you are currently running Duo Unix and try to upgrade to the latest version without updating the GPG key, you will see an error similar to the following.

Example error when using apt update

W: GPG error: https://pkg.duosecurity.com/Debian buster Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 01EF98E910448FDB
E: The repository 'https://pkg.duosecurity.com/Debian buster Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Possible errors when using yum install duo_unix

Example 1

warning: /var/cache/yum/x86_64/7/duosecurity/packages/duo_unix-1.11.3-0.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 15d32efc: NOKEYB/s |    0 B  --:--:-- ETA
Public key for duo_unix-1.11.3-0.el7.x86_64.rpm is not installed
duo_unix-1.11.3-0.el7.x86_64.rpm                                                                                                                | 271 kB  00:00:00


Public key for duo_unix-1.11.3-0.el7.x86_64.rpm is not installed

Example 2

warning: /var/cache/dnf/duosecurity-5210dc72009e9f56/packages/duo_unix-1.11.3-0.el8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 10448fdb: NOKEY
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Let us know if you have any questions about this!

KevinSiddique · ‎05-19-2020

Hi there,

The GPG key changed again without any heads up (I checked my email and this forum). The knowledge base was updated (https://help.duo.com/s/article/5503?language=en_US) but that didn’t help with a bunch of machines spitting out error messages this morning. Was this announced somewhere else that I’m not subscribed to?

On May 18, 2020 we updated the GPG key used to sign Duo Unix distribution packages to improve the strength and security of our package signatures.

Kelly4 · ‎05-19-2020

Apologies for the delay! I just published more comprehensive information about this change, available here: Heads-up: GPG key for Duo Unix updated May 18, 2020

KevinSiddique · ‎05-19-2020

Thanks for the quick response!!