In the wake of the CircleCI breach, we have been reviewing policies and updating keys and tokens used in our automation for anything that could potentially be affected.

While we have no evidence of any of specific credentials being leaked, we've needed to document procedures for rotating keys anyway, so now was the perfect time to put it into practice.

On February 27, 2023, we will be rotating our GPG keys used to sign packages and repositories. To be prepared for the change in keys and avoid errors when updating packages, perform the following steps:

OpenNMS Meridian

All Meridian users should already be configured to use the updated OPENNMS-GPG-KEY by URL. After we start using the new key for signing, you will be asked to confirm it when you run a yum or dnf update.

If you'd like to import the new key now, run:

sudo rpm --import https://yum.opennms.org/OPENNMS-GPG-KEY

OpenNMS Horizon (RPM-Based)

For Red Hat Enterprise Linux and CentOS, re-run the instructions to add the repository and import the key, like so (where X is your version number):

sudo yum -y install https://yum.opennms.org/repofiles/opennms-repo-stable-rhelX.noarch.rpm

sudo rpm --import https://yum.opennms.org/OPENNMS-GPG-KEY

These repo files have been updated to contain the new key. After we start using the new key for signing, you'll be asked to confirm when you run a yum of dnf update.

OpenNMS Horizon (Debian-Based)

For Debian distributions, re-run the instructions to save the key for apt-get and apt:

curl -fsSL https://debian.opennms.org/OPENNMS-GPG-KEY | sudo gpg --dearmor -o /usr/share/keyrings/opennms.gpg

If it asks whether to overwrite the opennms.gpg file, say yes.

Questions?

If you have any issues, please reach out to us or visit the support portal.