Virtualmin-install --setup on RedHat fails to import GPG key

SYSTEM INFORMATION
system version RedHat 9
Webmin version 2.302
Virtualmin version 7.30.7

my first attempt at installing Virtualmin on a RedHat 9 server !!

as we run SELinux in enforcing mode, and have a number of other local tweaks, I wanted to start really slow and small …

so I downloaded the install script with

wget https://software.virtualmin.com/gpl/scripts/virtualmin-install.sh

and did:

./virtualmin-install.sh --setup --verbose

just so I can see what happens at this early stage, and compare it to my production RedHat 8 servers …

I believe I have found a bug when using the --setup flag — or this is a matter of preference or point of view … and that is:

while the GPG key is stored in /etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin-7 … and the repo definition in /etc/yum.repos.d/virtualmin.repo correctly points to it, when doing the very minimum work via --setup the GPG key is NOT installed into the RPM keystore (?) :grinning:

I suppose I need to run the full install from beginning to end, to see what happens.

of course I can make everything happy by manually doing

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin-7

Found this in virtualmin-repos-setup.log

[2025-03-20 17:15:40 EDT] [INFO] Spin pid is: 8269
warning: virtualmin-gpl-release.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID b9a0b8b7: NOKEY
error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Resource temporarily unavailable)
error: /etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin-7: key 1 import failed.
[2025-03-20 17:15:40 EDT] [INFO] Installing Virtualmin 7 release package: [2025-03-20 17:15:40 EDT] [INFO] Success.

I am at a loss as to why .rpm.lock is an issue – I made sure it was not there before trying this :grinning:

maybe I don’t know really what I am doing in debugging this – in the install script I don’t see anything that would trigger the GPG import error message above.

thoughts?

I pulled this from the RPM file

rpm -qpR --scripts virtualmin-gpl-release.noarch.rpm
warning: virtualmin-gpl-release.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID b9a0b8b7: NOKEY
/bin/sh
config(virtualmin-gpl-release) = 7.1-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
postinstall scriptlet (using /bin/sh):
# Hopefully, only run this if this is our first installation
if [ "$1" -eq 1 ]; then
  # Import the Virtualmin 7 official gpg key if needed
  rpm -q gpg-pubkey-9d3152d3-895093ac >/dev/null 2>&1 || \
    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin-7
fi

# We don't want a possible error to leave the previous package installed
exit 0

so … could the issue be, trying to run an RPM cmd “inside of” another run – as this scriptlet I assume is executed while the higher level RPM cmd is still running?

just guessing here – maybe the lock failure causes the IF and key import cmd inside the IF not to be executed?

I am out of my depth here :grinning:

That hasn’t changed in years, so I don’t know why it would be a problem.

Is it possible rpm was running for some other reason at the time? Automatic updates or something?

I believe not.

I went ahead and did the full default LAMP install this afternoon, then in examining the log file, I see where the GPG key did get installed … so something somewhere along the way did do it.

I respectfully suggest the --setup option should load the GPG key, as in my thoughts loading the key is part of defining/installing a repo, as the repo definition, as you know, points to the key :grinning:

that is, when you run the install script and ONLY install the Virtualmin repo using that qualifier, I submit the resulting repo configuration on the system is not fully functional.

Using a release package has been the standard way to add third party repos and their keys for decades. If that’s changed, I’m unaware of it. But, I’ll look into how other folks are doing it today (I’ve been doing it this way for 20 years, the entire history of having Virtualmin repos, and I’m sure I used it before that for my prior projects/products).
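A check for the situation in the log excerpt quoted earlier in the thread, where rpm reports "key 1 import failed" and the step is still logged as Success (the postinstall scriptlet ends in exit 0). This is an added example, not code from virtualmin-install.sh or the release package; the function names are made up for illustration and the sample input is the log lines from the thread.

```shell
#!/bin/sh
# Added example: not part of virtualmin-install.sh or the release package.

# Constructed sample input: the log lines quoted in the thread.
sample_log() {
cat <<'EOF'
[2025-03-20 17:15:40 EDT] [INFO] Spin pid is: 8269
warning: virtualmin-gpl-release.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID b9a0b8b7: NOKEY
error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Resource temporarily unavailable)
error: /etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin-7: key 1 import failed.
[2025-03-20 17:15:40 EDT] [INFO] Installing Virtualmin 7 release package: [2025-03-20 17:15:40 EDT] [INFO] Success.
EOF
}

# masked_key_failures (hypothetical helper): read a setup log on stdin and
# print one line for each step that logged "Success." after rpm reported a
# failed key import. Returns 1 if any such step is found, 0 otherwise.
masked_key_failures() {
    awk '
        /key [0-9]+ import failed/         { failed = $0 }
        /transaction lock on .*rpm\.lock/  { locked = 1 }
        /\[INFO\].*Success\.$/ {
            if (failed != "") {
                printf "MASKED: %s%s\n", failed, (locked ? " (rpm database was locked)" : "")
                found = 1
            }
            failed = ""; locked = 0
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the sample; on a real host feed virtualmin-repos-setup.log instead.
if sample_log | masked_key_failures; then
    echo "no masked key-import failures"
else
    echo "a key import failed but the step was logged as Success"
fi
```

On the host itself, `rpm -q gpg-pubkey` lists the keys that are actually in the RPM keystore.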