
gpg signature is incorrect for fedora-flavored distros

Open themoonisacheese opened this issue 11 months ago • 7 comments

Describe the bug

Trying to update to 0.15.2, dnf informs me that the package is not properly signed.

To Reproduce

Steps to reproduce the behavior:

  1. have gum 15.1 installed from dnf
  2. dnf update

Expected behavior

the update happens without issue

Actual behavior

the update fails with:

Charm                                                                                                                                                                                3.9 kB/s | 3.1 kB     00:00
La clé GPG https://repo.charm.sh/yum/gpg.key (0xD4DFD35C) est déjà installée
Les clés GPG listées pour le dépôt « Charm » sont déjà installées mais sont incorrectes pour ce paquet.
Vérifiez que les URL des clés pour ce dépôt soient correctes.. Le paquet en erreur est : gum-0.15.2-1.x86_64
 Les clés GPG sont configurées comme : https://repo.charm.sh/yum/gpg.key
Les paquets téléchargés ont été mis en cache jusqu’à la prochaine transaction réussie.
Vous pouvez supprimer les paquets en cache en exécutant « dnf clean packages ».
Erreur : La vérification GPG a ÉCHOUÉ

Pardon my French, machine translation:

Charm  
3.9 kB/s | 3.1 kB     00:00  

The GPG key https://repo.charm.sh/yum/gpg.key (0xD4DFD35C) is already installed.  
The GPG keys listed for the "Charm" repository are already installed but are incorrect for this package.  
Check that the key URLs for this repository are correct. The problematic package is: gum-0.15.2-1.x86_64
The GPG keys are configured as: https://repo.charm.sh/yum/gpg.key  

The downloaded packages have been cached until the next successful transaction.  
You can remove cached packages by running "dnf clean packages".  

Error: GPG verification FAILED 

Desktop (please complete the following information):

  • OS: Almalinux 8.10
  • Version 0.15.1 -> 0.15.2

Additional context

workaround: yum install --nogpgcheck gum works, but obviously it shouldn't be needed.

themoonisacheese, Jan 31 '25 10:01

microdnf complains about version 0.15.1 for me as well. I was able to tag back to version 0.15.0 in order to still use gum, albeit an older release: microdnf -y install --nodocs gum-0.15.0

ryanlafk, Feb 04 '25 16:02

Almost the same error here.

Describe the bug. Trying to install gum, but yum informs me that the package is not properly signed.

Error message. The installation fails with:

Resolving Dependencies
--> Running transaction check
---> Package gum.x86_64 0:0.15.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================================================================
 Package                              Arch                                    Version                                    Repository                              Size
======================================================================================================================================================================
Installing:
 gum                                  x86_64                                  0.15.2-1                                   charm                                  4.4 M

Transaction Summary
======================================================================================================================================================================
Install  1 Package

Total download size: 4.4 M
Installed size: 12 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/charm/packages/gum-0.15.2-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 00000000: NOKEY              ] 3.3 MB/s | 2.8 MB  00:00:00 ETA
Public key for gum-0.15.2-1.x86_64.rpm is not installed
gum-0.15.2-1.x86_64.rpm                                                                                                                        | 4.4 MB  00:00:01
warning: /var/cache/yum/charm/packages/gum-0.15.2-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 00000000: NOKEY
Retrieving key from https://repo.charm.sh/yum/gpg.key
Importing GPG key 0xD4DFD35C:
 Userid     : "Charmbracelet Inc. (haters > /dev/null™) <[email protected]>"
 Fingerprint: ed92 7b38 be98 1e53 ca09 153d 03bb f595 d4df d35c
 From       : https://repo.charm.sh/yum/gpg.key
Is this ok [y/N]: y
warning: /var/cache/yum/charm/packages/gum-0.15.2-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 00000000: NOKEY


Public key for gum-0.15.2-1.x86_64.rpm is not installed


 Failing package is: gum-0.15.2-1.x86_64
 GPG Keys are configured as: https://repo.charm.sh/yum/gpg.key

The key seems to be correctly installed:

sudo rpm -qi gpg-pubkey-d4dfd35c-62d04775
Name        : gpg-pubkey
Version     : d4dfd35c
Release     : 62d04775
Architecture: (none)
Install Date: Mon 17 Feb 2025 11:55:02 AM CET
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Thu 14 Jul 2022 06:42:29 PM CEST
Build Host  : localhost
Relocations : (not relocatable)
Packager    : Charmbracelet Inc. (haters > /dev/null™) <[email protected]>
Summary     : gpg(Charmbracelet Inc. (haters > /dev/null™) <[email protected]>)
Description :

w00binda, Feb 17 '25 11:02

Some further information: it looks like the package has potentially been signed with some sort of null key?

The last RPM package that did not have the error was 0.15.0-1, signed with Key ID 03bbf595d4dfd35c

RPM packages for releases 0.15.1, 0.15.2 and 0.16.0 all show the same issue.

[root@test ~]# rpm -vK gum-0.16.0-1.x86_64.rpm
gum-0.16.0-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 00000000: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 00000000: NOKEY
[root@test ~]#
[root@test ~]# rpm -qpi gum-0.16.0-1.x86_64.rpm
warning: gum-0.16.0-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 00000000: NOKEY
Name        : gum
Version     : 0.16.0
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : (none)
Size        : 13400635
License     : MIT
Signature   : RSA/SHA256, Thu 01 Jan 1970 01:00:00 BST, Key ID 0000000000000000
Source RPM  : gum-0.16.0-1.src.rpm
Build Date  : Tue 11 Mar 2025 19:56:49 GMT
Build Host  : fv-az1335-420
Packager    : Maas Lalani <[email protected]>
Vendor      : charmbracelet
URL         : https://charm.sh/
Summary     : A tool for glamorous shell scripts
Description :
A tool for glamorous shell scripts
[root@test ~]# 

bd5872, Mar 24 '25 10:03
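The symptom in the comment above (a signature whose key ID is all zeros instead of the repository key) can be triaged before install by comparing the key ID rpm reports with a pinned value. This is an added example, not code from the thread or from the gum project; `classify_sig`, `check_rpm` and `sample_from_thread` are hypothetical helper names, and the pinned ID assumes the fingerprint yum printed earlier in this thread is the intended signing key.

```shell
#!/bin/sh
# Added example: classify the "Signature" line printed by `rpm -qpi FILE`
# against a pinned long key ID.

# Assumption: the pinned ID is the last 16 hex digits of the fingerprint yum
# showed in this thread when importing https://repo.charm.sh/yum/gpg.key.
EXPECTED_KEYID="03bbf595d4dfd35c"

# classify_sig EXPECTED_KEYID  (reads `rpm -qpi` output on stdin)
# Prints OK, NULL_KEYID, WRONG_KEY or UNSIGNED.
classify_sig() (
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    sigline=$(sed -n '/^Signature[[:space:]]*:/{p;q;}')
    keyid=$(printf '%s\n' "$sigline" |
        sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\)[[:space:]]*$/\1/p' |
        tr 'A-F' 'a-f')
    if [ -z "$keyid" ]; then
        echo UNSIGNED                 # no Signature line, or "(none)"
    else
        case "$keyid" in
            *[!0]*) if [ "$keyid" = "$expected" ]; then echo OK
                    else echo WRONG_KEY; fi ;;
            *)      echo NULL_KEYID ;;  # all zeros, as reported for 0.16.0-1
        esac
    fi
)

# check_rpm FILE: classify a downloaded package before installing it (needs rpm).
check_rpm() {
    rpm -qpi "$1" 2>/dev/null | classify_sig "$EXPECTED_KEYID"
}

# Excerpt of the `rpm -qpi gum-0.16.0-1.x86_64.rpm` output quoted above.
sample_from_thread() {
    cat <<'EOF'
Name        : gum
Version     : 0.16.0
Signature   : RSA/SHA256, Thu 01 Jan 1970 01:00:00 BST, Key ID 0000000000000000
EOF
}

sample_from_thread | classify_sig "$EXPECTED_KEYID"
```

This only triages what rpm reports about the signature header; `rpm -K` with the repository key imported remains the actual signature verification.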

Same. Trying to install on AlmaLinux9 via dnf and the GPG key is always invalid.

craigrileyuk, Apr 03 '25 05:04

I suspect this project is either dead, or compromised.

dmd, May 17 '25 20:05

Hi everyone. We’ll plan on looking into this next week. Thanks for your patience on this one.

meowgorithm, May 18 '25 03:05

@meowgorithm Any chance you could look into this? Thank you.

MarioNoll, Aug 27 '25 11:08