    Google Chrome Yum/​RPM package update fails on RHEL/​CentOS 7

    By Jon Jensen
    June 8, 2023

    Fantasy painting of a shipwreck in a jungle backlit by sunlight. Painting by Willgard Krause, Pixabay license.

    One of our clients uses the Chrome web browser running on their continuous integration server with Jenkins for automated e2e (end-to-end) testing of their website. That server runs Red Hat Enterprise Linux (RHEL) 7—actually the rebuild CentOS 7.

    Last month, in May 2023, Google started signing Chrome RPMs with a GnuPG subkey, where previously they had signed with the main key. Now yum upgrade fails when it tries to update Chrome, with this error:

    warning: /var/cache/yum/x86_64/7/google-chrome/packages/google-chrome-stable-114.0.5735.106-1.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID a3b88b8b: NOKEY
    Retrieving key from https://dl.google.com/linux/linux_signing_key.pub
    
    
    The GPG keys listed for the "google-chrome" repository are already installed but they are not correct for this package.
    Check that the correct key URLs are configured for this repository.
    
    
     Failing package is: google-chrome-stable-114.0.5735.106-1.x86_64
     GPG Keys are configured as: https://dl.google.com/linux/linux_signing_key.pub
    

    To double-check, we tried to manually verify the signature on the downloaded RPM package with:

    # rpm -K /var/cache/yum/x86_64/7/google-chrome/packages/google-chrome-stable-114.0.5735.106-1.x86_64.rpm
    /var/cache/yum/x86_64/7/google-chrome/packages/google-chrome-stable-114.0.5735.106-1.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#a3b88b8b)
    

    That showed it is not just a Yum problem, but affects RPM too.

    Sweatin’ to the oldies

    Long ago (see reference below), people reported that RPM wasn’t working with GnuPG subkeys for signatures, and Red Hat confirmed this is the case for RHEL 7 and earlier. They added support, but that first appeared in RHEL 8.

    RHEL 7 has another year of support left, until end of June 2024. But it was released in 2014 and is so old that apparently Google isn’t testing the RPM packages it produces on RHEL 7 anymore.

    Our client is planning to move this system that runs tests with Chrome to Rocky Linux 9, but for the next few months they need it to keep working on CentOS 7.

    So to cope, we used scp to copy that RPM file to a RHEL 8 or 9 server, imported the Google signing public key, and used the newer version of rpm there to verify the signature:

    # rpm -K google-chrome-stable-114.0.5735.106-1.x86_64.rpm
    google-chrome-stable-114.0.5735.106-1.x86_64.rpm: digests signatures OK
    

    Then back on the RHEL 7 server we had no qualms skipping the signature check during upgrade because we had just manually checked it elsewhere:

    # rpm -Uvh --nosignature /var/cache/yum/x86_64/7/google-chrome/packages/google-chrome-stable-114.0.5735.106-1.x86_64.rpm
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:google-chrome-stable-114.0.5735.1################################# [ 50%]
    Cleaning up / removing...
       2:google-chrome-stable-113.0.5672.6################################# [100%]
    

    Then we ran yum upgrade again to get the rest of that server’s pending package updates. Yum didn’t care about Chrome anymore since we had updated it already.
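
The off-host check described above only vouches for the exact bytes that were verified, so one way to tie the two hosts together is to compare a SHA-256 digest before running rpm with --nosignature. This is an added example, not code from the original post; the function names are hypothetical and it assumes sha256sum is present on both hosts.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the post.

# Reads `rpm -K` output for one package on stdin. Succeeds only when
# signatures were verified: newer rpm prints "digests signatures OK",
# while a bare "digests OK" means no signature was checked at all.
rpm_k_output_ok() {
    out=$(cat)
    case $out in
        *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*) return 1 ;;
    esac
    case $out in
        *"digests signatures OK") return 0 ;;
    esac
    return 1
}

# RHEL 8/9 host, after importing the signing key with `rpm --import`:
# verify the package, then print its SHA-256 to carry back.
verify_and_digest() {
    rpm_file=$1
    LC_ALL=C rpm -K "$rpm_file" | rpm_k_output_ok || return 1
    sha256sum "$rpm_file" | cut -d' ' -f1
}

# RHEL 7 host: succeed only if the local file has the verified digest.
same_file_as_verified() {
    rpm_file=$1
    expected=$2
    actual=$(sha256sum "$rpm_file" 2>/dev/null | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Usage on the RHEL 7 host, with $digest copied from the newer host:
#   same_file_as_verified "$rpm" "$digest" && rpm -Uvh --nosignature "$rpm"
```
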

    References
