ABRT logs messages with "Package <packagename> isn't signed with proper key."

Follow

Issue

On a RHEL 6 / CentOS 6 system, the main system log file contains the error "Package <packagename> isn't signed with proper key."  The following example was caused by a manual segmentation fault on zsd.

Oct 20 14:33:34 centos6base abrt[2241]: Can't open 'core.821': Permission denied
Oct 20 14:33:35 centos6base abrtd: Directory 'ccpp-2014-10-20-14:33:34-821' creation detected Oct 20 14:33:35 centos6base abrt[2241]: Saved core dump of pid 821 (/usr/local/zend/bin/zsd) to /var/spool/abrt/ccpp-2014-10-20-14:33:34-821 (87408640 bytes) Oct 20 14:33:35 centos6base abrtd: Package 'zend-server-php-5.5-common' isn't signed with proper key Oct 20 14:33:35 centos6base abrtd: 'post-create' on '/var/spool/abrt/ccpp-2014-10-20-14:33:34-821' exited with 1 Oct 20 14:33:35 centos6base abrtd: Deleting problem directory '/var/spool/abrt/ccpp-2014-10-20-14:33:34-821'

Environment

Zend Server

RHEL 6 / CentOS 6

Resolution

There are two ways to remedy this.

Method 1: Alter the default abrt behavior.  This may be best if you have multiple third-party packages installed and want to ensure all associated application cores are caught.

  1. Edit the file /etc/abrt/abrt-action-save-package-data.conf
  2. Set OpenGPGCheck = no
  3. Reload abrtd with the command: service abrtd reload.

Method 2: Add Zend's GPG key to the rpm and abrtd key caches.

# wget -O /etc/pki/rpm-gpg/zend.key http://repos.zend.com/zend.key
# rpm --import /etc/pki/rpm-gpg/zend.key
# echo '/etc/pki/rpm-gpg/zend.key' >> /etc/abrt/gpg_keys
# service abrtd reload

Testing:  The effectiveness of the methods can be evaluated by manually triggering a segmentation fault with signal 11. The message log should no longer generate errors regarding the package key.  This may interrupt service temporarily and is not advised on production systems.

# pgrep zsd
2310
# kill -11 2310

Details

The ABRT daemon is responsible for handling the application cores created by segmentation faults. By default it will reject cores from applications that don't have a known GPG signature. 

Have more questions? Submit a request

Comments

Powered by Zendesk