Describe the bug
These two packages are not signed (!):
- http://packages.redis.io/rpm/rockylinux9/arm64/redis-8.4.0-1.aarch64.rpm
- http://packages.redis.io/rpm/rockylinux9/amd64/redis-8.4.0-1.x86_64.rpm

Installation fails and it's a security issue!
To reproduce
Download either of them and run e.g.:

    $ rpm -qpi redis-8.4.0-1.x86_64.rpm | grep Signature
    Signature : (none)
    $
Trying to install (dnf install redis) will yield e.g.:

    Package redis-8.4.0-1.x86_64.rpm is not signed
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'dnf clean packages'.
    Error: GPG check FAILED
(the install is blocked by gpgcheck=1 in the installed yum repository)
Expected behavior
Like the previous package, I expect to see the signature:

    $ rpm -qpi redis-8.2.3-1.x86_64.rpm | grep Signature
    Signature : RSA/SHA512, Sun Nov 2 14:38:21 2025, Key ID 5f4349d6bf53aa0c
    $
Additional information
- VECTOR OF ATTACK in case someone manages to change the contents of the package during the download
- Failing installations because the documentation mentions that the yum source should have gpgcheck=1 (and since there is no signature, installation fails)
(if you don't have the gpg key imported you also get this warning:

    warning: redis-8.0.1-1.aarch64.rpm: Header V4 RSA/SHA512 Signature, key ID bf53aa0c: NOKEY

)
Comment From: elliotnev27
I'm having the same issue today on a fresh install of Rocky 9 using the repo documented here... https://redis.io/docs/latest/operate/oss_and_stack/install/install-stack/rpm/
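The signature check from the report above, turned into a pre-install gate for downloaded RPMs; this is an added example, not part of the original issue or its comments, and not the project's own tooling. The function names are hypothetical, and the pinned key ID is the one quoted in the report's 8.2.3 output, which should be confirmed against the publisher's published key.

```bash
#!/usr/bin/env bash
# Added example: refuse RPMs that are unsigned or signed by an unexpected key.
# Assumption: EXPECTED_KEY_ID is the long key ID shown for redis-8.2.3 in the
# report; verify it against the publisher's key before relying on it.
EXPECTED_KEY_ID="${EXPECTED_KEY_ID:-5f4349d6bf53aa0c}"

# sig_status: reads `rpm -qpi` output on stdin and prints one of
#   unsigned | no-signature-field | unparsed | wrong-key:<id> | signed:<id>
# Returns 0 only when the Signature field names the expected long key ID.
sig_status() {
    local line keyid want
    line=$(grep -m1 -E '^Signature[[:space:]]*:' || true)
    if [ -z "$line" ]; then
        echo "no-signature-field"; return 2
    fi
    case "$line" in
        *"(none)"*) echo "unsigned"; return 1 ;;
    esac
    keyid=$(printf '%s\n' "$line" \
        | sed -n 's/.*[Kk]ey ID \([0-9A-Fa-f]\{8,\}\).*/\1/p' | tr 'A-F' 'a-f')
    if [ -z "$keyid" ]; then
        echo "unparsed"; return 2
    fi
    want=$(printf '%s' "$EXPECTED_KEY_ID" | tr 'A-F' 'a-f')
    # Exact match on the full ID; 8-digit short IDs are not accepted.
    if [ "$keyid" != "$want" ]; then
        echo "wrong-key:$keyid"; return 1
    fi
    echo "signed:$keyid"
}

# check_rpm FILE: header check first, then cryptographic verification.
check_rpm() {
    local file=$1 status
    status=$(rpm -qpi "$file" 2>/dev/null | sig_status) || {
        echo "REJECT $file ($status)"; return 1; }
    # The Signature field only reports which key the header names; `rpm -K`
    # verifies digests and signatures against keys imported into the rpm db.
    rpm -K "$file" >/dev/null 2>&1 || {
        echo "REJECT $file (rpm -K failed)"; return 1; }
    echo "OK $file ($status)"
}

# Usage: ./check-rpm-sig.sh redis-8.4.0-1.x86_64.rpm [more.rpm ...]
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do check_rpm "$f" || rc=1; done
    exit "$rc"
fi
```

The header check runs before `rpm -K` so that a package with no signature at all is rejected outright instead of passing on its digests alone.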