More of a FYI really, as I came across this today whilst trying to install MariaDB from MariaDB’s own repositories now they’ve released EL10 builds.
TLDR; the new default crypto security level now causes old signing keys to fail, the only way I’ve found to get around it is to turn off gpgcheck on the repos affected.
Hit this error first:
MariaDB 187 kB/s | 15 kB 00:00
Importing GPG key 0x1BB943DB:
Userid : “”
Fingerprint: 1993 69E5 404B D5FC 7D2F E43B CBCB 082A 1BB9 43DB
From : https://mirrors.xtom.nl/mariadb/yum/RPM-GPG-KEY-MariaDB
Is this ok [y/N]: y
error: Certificate CBCB082A1BB943DB:
Policy rejects CBCB082A1BB943DB: No binding signature at time 2025-08-07T10:09:21Z
Key import failed (code 2). Failing package is: MariaDB-client-11.4.8-1.el10.x86_64
GPG Keys are configured as: https://mirrors.xtom.nl/mariadb/yum/RPM-GPG-KEY-MariaDB
So having found the cause tried switch to legacy crypto using this command:
update-crypto-policies --set LEGACY
Which changed the error to this:
MariaDB 239 kB/s | 15 kB 00:00
Importing GPG key 0x1BB943DB:
Userid : “”
Fingerprint: 1993 69E5 404B D5FC 7D2F E43B CBCB 082A 1BB9 43DB
From : https://mirrors.xtom.nl/mariadb/yum/RPM-GPG-KEY-MariaDB
Is this ok [y/N]: y
error: Certificate CBCB082A1BB943DB:
Policy rejects CBCB082A1BB943DB: Policy rejected asymmetric algorithm
Key import failed (code 2). Failing package is: MariaDB-client-11.4.8-1.el10.x86_64
GPG Keys are configured as: ``https://mirrors.xtom.nl/mariadb/yum/RPM-GPG-KEY-MariaDB
So no further forward. This RH blog from 2023 gives detailed information on the changes being implemented (that seem to have now arrived):
So we’ll have to wait and see how long it takes various repos to regenerate their signing keys. The MariaDB keys are dated 25-Oct-2022
Mark.