
fix GPG signature verification error: Bad GPG signature in Linux

Understanding GPG Signature Verification Error

The error “GPG signature verification error: Bad GPG signature” typically occurs during package installation or repository metadata retrieval on systems like Red Hat Enterprise Linux (RHEL) or CentOS when yum cannot verify the GPG signature on a package or on the repository metadata.

  • GPG signature verification error: This indicates that the process of verifying the digital signature of a package or repository metadata has encountered an issue.
  • Bad GPG signature: This specifies the nature of the error encountered during signature verification. “Bad GPG signature” implies that the GPG signature associated with the package or repository metadata is invalid or corrupted.

Reasons Behind GPG Signature Verification Error

When you encounter this error, it’s crucial to take action to address it, because the condition it reports can compromise the security and integrity of the software being installed or updated.

Here are some common reasons and potential solutions:

Corrupted or Invalid GPG Key: The GPG key used to sign the package or repository metadata might be outdated, corrupted, or invalid. In this case, you should update the GPG key or import a new one from a trusted source.

Network Issues: Sometimes, network interruptions or connectivity issues during the package download process can result in corrupted files, including GPG signatures. Ensure that your network connection is stable and retry the operation.

Repository Configuration: If the repository configuration is incorrect or outdated, it might cause GPG signature verification errors. Check the repository configuration files (/etc/yum.repos.d/ in RHEL/CentOS) to ensure they are correctly set up with the correct GPG key URLs and other relevant settings.

Software Corruption: In rare cases, software corruption on the system itself could lead to GPG signature verification errors. Perform integrity checks on the system’s filesystem and verify that the package management tools and libraries are functioning correctly.

Package Integrity: If the error occurs during package installation, it’s possible that the package itself is corrupt or has been tampered with. Try re-downloading the package from a trusted source or using a different mirror.
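To work through the causes above on an actual system, here is an added example (not code from the original article): a small POSIX shell diagnostic that checks which vendor keys are imported, verifies the signature on a downloaded package, and re-imports a key after its fingerprint has been confirmed. It assumes an RPM-based host with rpm, yum and gpg available for the live checks (those functions bail out if the tool is missing); the rpm -K output used at the bottom is constructed, not captured from a real host, and the key file path is a placeholder argument.

```shell
#!/bin/sh
# Added example, not code from the original article. A small diagnostic helper
# that walks the causes listed above for a package or repository that fails
# signature verification. Assumptions: an RPM-based system for the functions
# that call rpm/yum/gpg (they bail out if the tool is missing); the sample
# rpm -K output further down is constructed, not captured from a real host.

# Classify one line of `rpm -K` (alias: rpm --checksig) output.
# rpm ends a line with "OK" when digests and signatures verify and with
# "NOT OK" (the failing part capitalised, e.g. "SIGNATURES NOT OK") otherwise.
# Prints ok, bad or unknown.
classify_sig_line() {
    case "$1" in
        *"NOT OK"*) echo bad ;;
        *" OK")     echo ok ;;
        *)          echo unknown ;;
    esac
}

# Read rpm -K output on stdin and print how many packages failed.
count_bad_lines() {
    bad=0
    while IFS= read -r line; do
        if [ "$(classify_sig_line "$line")" = bad ]; then
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Corrupted or invalid key: list the vendor keys already imported into the
# rpm database (rpm stores imported keys as gpg-pubkey "packages").
list_imported_keys() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 1; }
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# Package integrity: verify the signature on a downloaded .rpm file.
# Returns 0 only when rpm reports the package as OK.
check_package_sig() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 1; }
    out=$(rpm -K "$1")
    echo "$out"
    [ "$(classify_sig_line "$out")" = ok ]
}

# Bad key or corrupted download: after comparing the key's fingerprint with
# the one the vendor publishes, import it and discard cached metadata so yum
# fetches fresh copies to verify.
reimport_key() {
    keyfile="$1"   # path to the downloaded RPM-GPG-KEY-* file (placeholder)
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 1; }
    # --show-keys needs GnuPG 2.1.23 or newer
    command -v gpg >/dev/null 2>&1 && gpg --show-keys --with-fingerprint "$keyfile"
    rpm --import "$keyfile" && yum clean all
}

# Constructed sample in the shape of rpm -K output (not real tool output):
SAMPLE_SIG_OUTPUT='good-1.0-1.x86_64.rpm: digests signatures OK
unsigned-2.0-1.x86_64.rpm: digests SIGNATURES NOT OK
tampered-3.0-1.x86_64.rpm: DIGESTS SIGNATURES NOT OK'

printf '%s\n' "$SAMPLE_SIG_OUTPUT" | count_bad_lines   # prints 2
```

The classifier only looks at the trailing verdict, so it works with both the newer “digests signatures OK” wording and the older per-algorithm listing; the capitalised part of a NOT OK line tells you whether the digest or the signature failed, which separates a corrupted download from a key problem.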

How to fix GPG signature verification error: Bad GPG signature

In the context of yum repository configuration, gpgcheck and repo_gpgcheck are directives that control the verification of GPG signatures for packages and repository metadata, respectively.

gpgcheck:

  • This directive, when set to 1 (true), instructs yum to verify the GPG signatures of individual packages before installing them.
  • When set to 0 (false), yum will not perform GPG signature verification for packages, potentially leaving the system vulnerable to the installation of unsigned or tampered packages.
  • It’s generally recommended to keep gpgcheck enabled (set to 1) to ensure the authenticity and integrity of packages being installed from the repository.

repo_gpgcheck:

  • This directive, on the other hand, controls the verification of GPG signatures for repository metadata, such as repodata/repomd.xml.
  • When set to 1, yum verifies the GPG signature on the repository metadata after it is downloaded and before it is used.
  • If set to 0, yum does not perform GPG signature verification for repository metadata, which could potentially expose the system to the risk of using compromised or tampered repository metadata.
  • Similar to gpgcheck, it’s generally advisable to enable repo_gpgcheck (set to 1) to ensure the authenticity and integrity of repository metadata.

Here’s an example of how these directives might appear in a yum repository configuration file (/etc/yum.repos.d/example.repo):

[example-repo]
name=Example Repository
baseurl=http://example.com/repo
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=http://example.com/repo/RPM-GPG-KEY-example

In this example:

  • Both gpgcheck and repo_gpgcheck are enabled (1), indicating that both package signatures and repository metadata signatures will be verified.
  • The gpgkey directive specifies the URL from which to retrieve the GPG key used to sign the repository metadata and packages.

Setting gpgcheck to 0 and repo_gpgcheck to 0 makes this error go away temporarily, but only because yum then skips GPG signature verification for packages and repository metadata altogether, which removes the protection described above. Treat it as a stopgap: import the correct key (see above) and set both directives back to 1 as soon as possible.
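The following shell script is an added example (not code from the original article) that audits repository definitions for the directives just described, so that a temporary gpgcheck=0 workaround does not silently become permanent. It assumes the stock /etc/yum.repos.d/*.repo layout; the sample file it writes is constructed for illustration (section names and URLs are not real), and a gpgkey served over plain http is reported as a finding because the fingerprint check at import time is then the only thing standing between an on-path attacker and a substituted key.

```shell
#!/bin/sh
# Added example, not code from the original article. Audits yum repository
# definitions for the directives discussed above. Assumptions: the stock
# /etc/yum.repos.d/*.repo layout; the sample file below is constructed for
# illustration and written to a temporary file so the script runs offline.

# Print "<section> <finding>" for every [section] in a .repo file. Findings,
# in order of severity: gpgcheck-disabled, gpgcheck-unset,
# repo_gpgcheck-disabled, repo_gpgcheck-unset, key-over-http, ok.
audit_repo_file() {
    awk '
        function val(   v) {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            return v
        }
        function flush() {
            if (sec == "") return
            if (gpg == "0")           print sec, "gpgcheck-disabled"
            else if (gpg == "")       print sec, "gpgcheck-unset"
            else if (repo == "0")     print sec, "repo_gpgcheck-disabled"
            else if (repo == "")      print sec, "repo_gpgcheck-unset"
            else if (key ~ /^http:/)  print sec, "key-over-http"
            else                      print sec, "ok"
        }
        /^[ \t]*\[.*\][ \t]*$/ {
            flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            gpg = ""; repo = ""; key = ""
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/      { gpg = val() }
        /^[ \t]*repo_gpgcheck[ \t]*=/ { repo = val() }
        /^[ \t]*gpgkey[ \t]*=/        { key = val() }
        END { flush() }
    ' "$1"
}

# Finding for one named section.
finding_for() {
    audit_repo_file "$1" | awk -v s="$2" '$1 == s { print $2 }'
}

# Number of sections with any finding other than ok.
count_findings() {
    audit_repo_file "$1" | awk '$2 != "ok" { n++ } END { print n + 0 }'
}

# Constructed sample .repo file (section names and URLs are illustrative).
SAMPLE_REPO=$(mktemp)
trap 'rm -f "$SAMPLE_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[example-repo]
name=Example Repository
baseurl=http://example.com/repo
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=http://example.com/repo/RPM-GPG-KEY-example

[workaround-repo]
name=Verification switched off as a temporary workaround
baseurl=http://example.com/repo
enabled=1
gpgcheck=0
repo_gpgcheck=0

[hardened-repo]
name=Key served over TLS
baseurl=https://example.com/repo
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://example.com/repo/RPM-GPG-KEY-example
EOF

audit_repo_file "$SAMPLE_REPO"
# Real use: for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f"; done
```

A missing gpgcheck line is reported separately from an explicit 0 because yum then falls back to the global default in /etc/yum.conf, while repo_gpgcheck defaults to off; either way the section deserves a look rather than an assumption.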

FAQ about GPG

What is GPG?

GPG, short for GNU Privacy Guard, is a free and open-source software tool used for secure communication and data encryption. It provides cryptographic privacy and authentication for data and communication over networks.

How does GPG work?

GPG uses a combination of symmetric-key cryptography and public-key cryptography to encrypt and decrypt data. It generates a pair of cryptographic keys: a public key, which is used for encryption, and a private key, which is used for decryption. Users share their public keys with others to encrypt messages, while keeping their private keys secure for decryption. For package signing the roles are reversed: the vendor signs with its private key, and yum verifies the signature with the vendor’s public key, which is the key the gpgkey directive points to.

Is GPG secure?

GPG is considered to be a secure encryption tool when used correctly. However, like any cryptographic system, its security depends on the strength of the keys, the randomness of the key generation process, and the protection of the private keys. It’s essential to follow best practices for key management and encryption to ensure the security of your data.