RPM GPG key is not accepted by new RPM versions

The directions for getting started on Linux instruct you to run the command:

sudo rpm --import https://downloads.1password.com/linux/keys/1password.asc

However this no longer works on Fedora 35, with the following error:

error: https://downloads.1password.com/linux/keys/1password.asc: key 1 import failed.

After going through rpm's git history to bisect the cause, it turned out to be this commit:

commit f22499a05d0a01e35dd10d7644f8d74391ba4222 (HEAD, refs/bisect/bad)
Author: Panu Matilainen <REDACTED>
Date:   Tue Jun 15 14:18:23 2021 +0300

    Reject unimplemented critical PGP packets as per RFC-4880

        Bit 7 of the subpacket type is the "critical" bit.  If set, it
        denotes that the subpacket is one that is critical for the evaluator
        of the signature to recognize.  If a subpacket is encountered that is
        marked critical but is unknown to the evaluating software, the
        evaluator SHOULD consider the signature to be in error.

    We only implement creation time and issuer keyid, everything else is
    unimplemented and should be flagged as an error if critical as per above.

    Initial patch by Demi Marie Obenour.

In other words, RPM has become more strict in how it interprets GPG keys, and thus 1password's GPG key is now invalid.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Fedora Silverblue 35


  • PeterG_1PPeterG_1P

    Team Member

    Hi @refi64, many thanks for the heads-up on this. I understand that we've reproduced and confirmed the issue on our end, and it's on our developers' list to fix. We do appreciate you highlighting this for us, and for the wonderful specificity you've provided here. Thanks from our team! 😀

    ref: dev/core/core#9858

  • SavanniSavanni

    Team Member

    @refi64 Oh, wow, thank you for this. I've been banging my head against this problem where my only clues were that our key and one other company's keys aren't working. You've given me the hint that may let me get this fixed.

  • SavanniSavanni

    Team Member

    @refi64 Again, thank you. Yesterday we published a fixed version of the PGP key that now works with the newer version of RPM. It's the same key, but we were able to remove the packets that RPM no longer supports.

  • Great to hear it was helpful! I've tested it locally, and the GPG key definitely seems to work.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file