Opened 14 months ago

Closed 13 months ago

Last modified 13 months ago

#21599 closed defect (fixed)

In Fedora 38, can't import oracle_vbox.asc, so impossible to check package signature

Reported by: Andre Robatino Owned by:
Component: other Version: VirtualBox-7.0.8
Keywords: Cc:
Guest type: other Host type: Linux


In Fedora 38, the command "rpm --import oracle_vbox.asc" gives

warning: Certificate 54422A4B98AB5139:
  Policy rejects subkey B6748A65281DDC4B: Policy rejected asymmetric algorithm

Because of this, it's impossible to check the signature of a signed RPM. See . (This is NOT associated with a specific version of VirtualBox but I was forced to specify one.)

Change History (8)

comment:1 by Andre Robatino, 14 months ago

The oracle_vbox.asc file hasn't changed in years, so this is definitely due to a change in the OS. Presumably the .asc file needs to be updated to a newer format (and future VirtualBox RPMs signed with that).

Last edited 14 months ago by Andre Robatino (previous) (diff)

comment:2 by fth0, 14 months ago

According to the official download page Download VirtualBox for Linux Hosts, VirtualBox 6.1.44/7.0.8 started using the newer key named oracle_vbox_2016.asc, which has been used for Debian-based Linux distributions since 2016, also for RPM-based Linux distributions now.

Can you verify that using the right key works for you?

comment:3 by Andre Robatino, 14 months ago

The new file oracle_vbox_2016.asc does work, thanks! The .repo files at the bottom of the download page still need to be changed to contain the new file, if it's intended to provide a repo for new Fedora versions (37 and 38 are both missing right now).

comment:4 by fth0, 14 months ago

Check the .repo files again. ;)

PS: I didn't do anything!

Last edited 14 months ago by fth0 (previous) (diff)

comment:5 by galitsyn, 14 months ago

Hi robatino,

From 6.1.44/7.0.8 we started to sign RPMs and RPM repos using SHA-256. Key oracle_vbox_2016.asc should be used in order to verify new signatures. If you intend to attach official VBox repo for Fedora packages, please refer to (gpgkey was updated today).

Please let us know if it works for you, so ticket can be closed. Btw, this ticket is a duplicate of #21451.

comment:6 by Andre Robatino, 14 months ago

Yes, like I said above, the new key works for me in verifying the signature for 7.0.8. The repo files are also updated, as fth0 said, though there are still no 37/38 repos at . (They could just be copies of 36/ since the same RPM works in 36/37/38.) Sorry for the duplicate ticket.

comment:7 by galitsyn, 13 months ago

Resolution: fixed
Status: newclosed

Thank you. Closing ticket.

Note: See TracTickets for help on using tickets.

© 2023 Oracle
ContactPrivacy policyTerms of Use