RPM Temurin 21 JRE/JDK 21.0.6.0.0.7-0 package is not signed #1108

Closed
daniel-phage opened this issue Jan 24, 2025 · 10 comments

daniel-phage commented Jan 24, 2025

Same issue as #962 but a newer release. AArch64 package is fine:

21.62 Rocky Linux 9 - BaseOS                          1.7 MB/s | 1.7 kB     00:00    
21.66 Importing GPG key 0x350D275D:
21.66  Userid     : "Rocky Enterprise Software Foundation - Release key 2022 <[email protected]>"
21.66  Fingerprint: 21CB 256A E16F C54C 6E65 2949 702D 426D 350D 275D
21.66  From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9
21.66 Key imported successfully
22.44 Package temurin-21-jre-21.0.6.0.0.7-0.x86_64.rpm is not signed
22.44 The downloaded packages were saved in cache until the next successful transaction.
22.44 You can remove cached packages by executing 'yum clean packages'.
22.46 Error: GPG check FAILED

Can you please look into this? We don't want to bypass GPG checks. Thank you,

@JasonMathison

We are having this same issue with the latest Java 17 release.

@greszter

+1 on Java 17

@ndbarber

ndbarber commented Jan 24, 2025

We're seeing the same thing. The Java 17 package (among others) is also not signed.

All of the latest releases of the LTS JDKs are missing their signatures, at least on aarch64. I haven't verified the same behavior on x86.

dnf install temurin-8-jdk -y 
<< SNIP FOR CONCISENESS >>
Package temurin-8-jdk-8.0.442.0.0.6-0.aarch64.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED


dnf install temurin-11-jdk -y
<< SNIP FOR CONCISENESS >>
Package temurin-11-jdk-11.0.26.0.0.4-0.aarch64.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED


dnf install temurin-17-jdk -y
<< SNIP FOR CONCISENESS >>
Package temurin-17-jdk-17.0.14.0.0.7-0.aarch64.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED


dnf install temurin-21-jdk -y 
<< SNIP FOR CONCISENESS >>
Package temurin-21-jdk-21.0.6.0.0.7-0.aarch64.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED


@daniel-phage changed the title from "RPM Temurin 21 JDK 21.0.6.0.0.7-0 package is not signed" to "RPM Temurin 21 JRE/JDK 21.0.6.0.0.7-0 package is not signed" on Jan 24, 2025
@daniel-phage
Author

@ndbarber we are now seeing this across x86 and aarch64. Earlier today, aarch64 was still working.

@piotrminkina

Same problem on Fedora Workstation 41 with temurin-11-jdk, temurin-17-jdk and temurin-21-jdk

$ sudo dnf upgrade -yq
Package                                                 Arch       Version                                                 Repository                                      Size
Upgrading:
 temurin-11-jdk                                         x86_64     11.0.26.0.0.4-0                                         adoptium-temurin-java-repository           310.0 MiB
   replacing temurin-11-jdk                             x86_64     11.0.25.0.0.9-1                                         adoptium-temurin-java-repository           310.0 MiB
 temurin-17-jdk                                         x86_64     17.0.14.0.0.7-0                                         adoptium-temurin-java-repository           314.5 MiB
   replacing temurin-17-jdk                             x86_64     17.0.13.0.0.11-2                                        adoptium-temurin-java-repository           314.4 MiB
 temurin-21-jdk                                         x86_64     21.0.6.0.0.7-0                                          adoptium-temurin-java-repository           343.1 MiB
   replacing temurin-21-jdk                             x86_64     21.0.5.0.0.11-1                                         adoptium-temurin-java-repository           343.1 MiB

Transaction Summary:
 Upgrading:          3 packages
 Replacing:          3 packages

Transaction failed: Signature verification failed.
OpenPGP check for package "temurin-11-jdk-11.0.26.0.0.4-0.x86_64" (/var/cache/libdnf5/adoptium-temurin-java-repository-0e713be9a6fcb3be/packages/temurin-11-jdk-11.0.26.0.0.4-0.x86_64.rpm) from repo "adoptium-temurin-java-repository" has failed: The package is not signed.

$ sudo dnf upgrade -yq temurin-17-jdk
Package                                                 Arch       Version                                                 Repository                                      Size
Upgrading:
 temurin-17-jdk                                         x86_64     17.0.14.0.0.7-0                                         adoptium-temurin-java-repository           314.5 MiB
   replacing temurin-17-jdk                             x86_64     17.0.13.0.0.11-2                                        adoptium-temurin-java-repository           314.4 MiB

Transaction Summary:
 Upgrading:          1 package
 Replacing:          1 package

Transaction failed: Signature verification failed.
OpenPGP check for package "temurin-17-jdk-17.0.14.0.0.7-0.x86_64" (/var/cache/libdnf5/adoptium-temurin-java-repository-0e713be9a6fcb3be/packages/temurin-17-jdk-17.0.14.0.0.7-0.x86_64.rpm) from repo "adoptium-temurin-java-repository" has failed: The package is not signed.

$ sudo dnf upgrade -yq temurin-21-jdk
Package                                                 Arch       Version                                                 Repository                                      Size
Upgrading:
 temurin-21-jdk                                         x86_64     21.0.6.0.0.7-0                                          adoptium-temurin-java-repository           343.1 MiB
   replacing temurin-21-jdk                             x86_64     21.0.5.0.0.11-1                                         adoptium-temurin-java-repository           343.1 MiB

Transaction Summary:
 Upgrading:          1 package
 Replacing:          1 package

Transaction failed: Signature verification failed.
OpenPGP check for package "temurin-21-jdk-21.0.6.0.0.7-0.x86_64" (/var/cache/libdnf5/adoptium-temurin-java-repository-0e713be9a6fcb3be/packages/temurin-21-jdk-21.0.6.0.0.7-0.x86_64.rpm) from repo "adoptium-temurin-java-repository" has failed: The package is not signed.

@steelhead31
Contributor

All the packages for the current release cycle are being published with a bump to the spec version; this process will likely take a few hours. This thread in Slack will have updates: https://adoptium.slack.com/archives/CLCFNV2JG/p1737736480878769

@steelhead31
Contributor

I'll also keep this issue up to date as I republish correctly signed packages. I may look into removing the unsigned versions once I've completed the republish.

@steelhead31
Contributor

steelhead31 commented Jan 24, 2025

Rebuilds of JDK8 x64 linux, aarch64 linux and ppc64le linux are underway - COMPLETE

Rebuilds of JDK23 x64 linux & aarch64 linux are underway - COMPLETE

Rebuilds of JDK11, x64 , aarch64, ppc64le & arm32 are underway - COMPLETE

Rebuilds of JDK17 x64 , aarch64 , ppc64le, arm32, s390x are underway - COMPLETE

Rebuilds of JDK21 x64 , aarch64 , ppc64le , and s390x are underway - COMPLETE

Will update once all of these complete, probably in 3 or so hours time.

@steelhead31
Contributor

Should all be sorted now... More details on #1110

Updated packages for everything currently published for the release are now available; these can be identified by the -1.rpm suffix.

rpm -qpi temurin-21-jre-21.0.6.0.0.7-1.x86_64.rpm
Name : temurin-21-jre
Version : 21.0.6.0.0.7
Release : 1
Architecture: x86_64
Install Date: (not installed)
Group : java
Size : 164378375
License : GPLv2 with exceptions
Signature : RSA/SHA256, Fri 24 Jan 2025 06:23:32 PM GMT, Key ID 843c48a565f8f04b
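
An added example, not part of the thread or of the Adoptium project's tooling: a mirror or CI gate that reads the Signature field of `rpm -qpi` output, as shown in the comment above, and accepts a package only when the Key ID matches the one posted there. The function names and the unsigned sample are constructed for illustration.

```shell
#!/bin/sh
# Key ID taken from the rpm -qpi output posted in the thread.
EXPECTED_KEY="843c48a565f8f04b"

# Read `rpm -qpi` text on stdin. Print the lower-cased signing Key ID,
# "unsigned" for "(none)", "unparsed" for an unexpected field layout,
# or "missing" when there is no Signature line at all.
sig_key_id() {
    awk '
        /^Signature[ \t]*:/ {
            found = 1
            if ($0 ~ /\(none\)/) { print "unsigned"; exit }
            n = split($0, parts, /Key ID[ \t]+/)
            if (n == 2) {
                sub(/[^0-9A-Fa-f].*$/, "", parts[2])
                print tolower(parts[2]); exit
            }
            print "unparsed"; exit
        }
        END { if (!found) print "missing" }
    '
}

# Succeed only when stdin describes a package signed by EXPECTED_KEY.
check_rpm_info() {
    key=$(sig_key_id)
    [ "$key" = "$EXPECTED_KEY" ]
}

# For real files (needs rpm and the imported public key): `rpm -K` checks
# the digests and signatures that are present; the Key ID comparison then
# rejects a package with no signature or with a different signer.
check_rpm_file() {
    rpm -K "$1" >/dev/null 2>&1 || return 1
    rpm -qpi "$1" 2>/dev/null | check_rpm_info
}

# Signature line as posted in the thread for the -1 rebuild.
SIGNED_INFO='Name        : temurin-21-jre
Release     : 1
Signature   : RSA/SHA256, Fri 24 Jan 2025 06:23:32 PM GMT, Key ID 843c48a565f8f04b'

# Constructed sample: a package that carries no signature header.
UNSIGNED_INFO='Name        : temurin-21-jre
Release     : 0
Signature   : (none)'

printf '%s\n' "$SIGNED_INFO" | sig_key_id
printf '%s\n' "$UNSIGNED_INFO" | sig_key_id
```

On a host with the packages downloaded, `check_rpm_file path/to/package.rpm` applies the same gate to the file itself.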

@steelhead31
Contributor

Unsigned packages have been removed.
