Better OpenPGP keys handling for signing the repository packages #3840
Update: I just discovered rpm-software-management/dnf5#1192 so it looks like there's hope on the horizon. I guess we could consider closing this issue then, given that https://github.com/fedora-copr/copr apparently also doesn't rotate the keys and that rpm-software-management/rpm#3083 already got merged (apparently that PR alone isn't sufficient though: rpm-software-management/dnf5#1192 (comment)). That said, all (perhaps with some exceptions for rolling releases, etc.?) current RPM based distributions are still affected by this and will likely remain affected for their lifetime (so LTS users remain affected until their distro hits EOL and they upgrade to a newer LTS release). The updated key expires 2026-12-29:

```
$ curl -sL https://pkgs.k8s.io/core:/stable:/v1.31/rpm/repodata/repomd.xml.key | gpg --show-key
pub   rsa2048 2022-08-25 [SC] [expires: 2026-12-29]
      DE15B14486CD377B9E876E1A234654DA9A296436
uid           isv:kubernetes OBS Project <isv:[email protected]>
```
Hi there, I noticed the reference to DNF5 🙂 We plan to deliver this functionality in Q1 2025, following acceptance of the behavior change in our primary Fedora environment.

If that's all that's required, it will be addressed once the ticket is implemented. If you have additional use cases or requirements, please add them to the DNF5 ticket. Thanks!
Thanks everyone for following up on this! My understanding is that this is up to DNF to implement, over which we don't have control. I don't see that there's anything that we can do about this, especially given that the GPG key is controlled by OpenBuildService (OBS). We should probably update our docs to reflect how to update the GPG key once needed, but let's track that as part of #3878. I'll go ahead and close this issue, but if there's anything else that we can do, please let us know!
@xmudrii: Closing this issue. In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
I also ran into #3818 but on Fedora 40. The additional issue here is that updating `gpgkey` in `/etc/yum.repos.d/kubernetes.repo` isn't enough here as the package manager (`dnf`) has already downloaded the key and, at least in my case, will not try to re-fetch it (even if I disable the repo, run `dnf clean all`, and enable it again). I didn't have such issues with other repos and the problem here seems to be that only the expiration date of the key was extended instead of rotating the entire key. I'm not a `dnf` expert but I think most repos are switching to new keys instead of extending the expiration date. AFAIK it should also be possible to fetch/import multiple keys from a single URL so that should help with supporting older and newer packages (in this case only relevant when using an older `baseurl` with a newer `gpgkey` URL).

What happened:

I updated the repository:

And I can fetch the current version of the key from the `gpgkey` URL:

But updating still fails:

Workarounds:

I can use the following manual workaround to remove the key so that `dnf` will have to import it again:

There should be other workarounds available but this is the easiest one I came up with as there doesn't seem to be a good `dnf` command for it yet.

What you expected to happen:

`dnf update` will prompt to (re)import/update the key. This doesn't seem possible so the repo key should be rotated entirely instead of only extending the expiration date.

How to reproduce it (as minimally and precisely as possible):

Install from an older repository with the expired key and then try to update again.

Version 1.27 seems to be the most recent version that offers the old key:

I can provide the exact commands if necessary but the basic steps are the following:

- `rpm -qa | grep 9a296436 | xargs rpm --erase`
- `/etc/yum.repos.d/kubernetes.repo` back to version 1.27 (or an older version)
- `kubectl`) from the old repo. You might have to disable `gpgcheck`. Interestingly the expired key errors seem to be ignored when downgrading via: `dnf downgrade kubectl`
- `/etc/yum.repos.d/kubernetes.repo` back to the most recent version (currently 1.31)
- `dnf upgrade kubectl` -> it will fail due to the expired key

Anything else we need to know?:

Environment:

Fedora 40 but it should apply to any `yum`/`dnf` based system (it might work better with the future `dnf5` though - I didn't look at that).
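The workaround in the report above boils down to: find the `gpg-pubkey-<keyid>-<timestamp>` package that rpm created when dnf imported the repo key, compare it with what the `gpgkey` URL serves now, and erase it if the served copy is the same key with a later expiry. The following script is an added example written for this page (it is my code, not the reporter's and not part of kubernetes/release or dnf). It assumes `curl`, `gpg --show-key`, `rpm -qa` with a glob and `rpm -q --qf '%{DESCRIPTION}'` are available on the host; the parsing functions are pure text processing and run on the constructed samples embedded below, while the live check against rpm and the network only runs when `RUN_LIVE=1` is set. The sample expiry `2024-09-01` for the previously imported copy is constructed; the fingerprint, the 2026-12-29 expiry and the URL are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example (not from the issue or the Kubernetes project): detect the
# "same key, extended expiry" situation the report describes, where dnf keeps
# using an already-imported OpenPGP key that has since expired.

# Extract the expiry date (YYYY-MM-DD) from `gpg --show-key` output.
# Prints nothing when the key carries no expiry.
key_expiry_from_showkey() {
    printf '%s\n' "$1" | sed -n 's/.*\[expires: \([0-9-]*\)\].*/\1/p' | head -n 1
}

# Extract the 40-hex-digit fingerprint line from `gpg --show-key` output.
key_fingerprint_from_showkey() {
    printf '%s\n' "$1" | tr -d ' ' | grep -E '^[0-9A-Fa-f]{40}$' | head -n 1
}

# rpm stores an imported key as gpg-pubkey-<lower-case 8-char key id>-<ts>;
# the key id is the last 8 hex digits of the fingerprint.
rpm_pubkey_glob_from_fingerprint() {
    keyid=$(printf '%s' "$1" | tail -c 8 | tr 'A-F' 'a-f')
    printf 'gpg-pubkey-%s-*\n' "$keyid"
}

# Returns 0 (true) when $1 (imported key) and $2 (served key) are the same
# key but the imported copy expires earlier, i.e. it was extended in place.
imported_key_is_stale() {
    loc_fp=$(key_fingerprint_from_showkey "$1")
    rem_fp=$(key_fingerprint_from_showkey "$2")
    [ -n "$loc_fp" ] && [ "$loc_fp" = "$rem_fp" ] || return 1
    loc_exp=$(key_expiry_from_showkey "$1")
    rem_exp=$(key_expiry_from_showkey "$2")
    [ -n "$loc_exp" ] || return 1   # imported copy never expires: nothing to refresh
    [ -n "$rem_exp" ] || return 0   # served copy dropped its expiry: imported copy is stale
    # ISO dates compare correctly as strings; expr prints 1 and exits 0 when true.
    expr "$rem_exp" \> "$loc_exp" > /dev/null
}

# Constructed samples: the fingerprint and the 2026-12-29 expiry are the ones
# quoted in the issue; the 2024-09-01 expiry of the old copy is made up here.
SAMPLE_IMPORTED='pub   rsa2048 2022-08-25 [SC] [expires: 2024-09-01]
      DE15B14486CD377B9E876E1A234654DA9A296436
uid           isv:kubernetes OBS Project'
SAMPLE_SERVED='pub   rsa2048 2022-08-25 [SC] [expires: 2026-12-29]
      DE15B14486CD377B9E876E1A234654DA9A296436
uid           isv:kubernetes OBS Project'

# Live check against the real rpm database and repo URL (RUN_LIVE=1 only).
# Prints the gpg-pubkey package dnf would keep using and whether it is stale.
check_repo_key() {
    url="$1"
    remote=$(curl -sL "$url" | gpg --show-key 2>/dev/null)
    fp=$(key_fingerprint_from_showkey "$remote")
    [ -n "$fp" ] || { echo "no OpenPGP key found at $url" >&2; return 2; }
    pkg=$(rpm -qa "$(rpm_pubkey_glob_from_fingerprint "$fp")" | head -n 1)
    if [ -z "$pkg" ]; then
        echo "key $fp not imported yet; dnf will import it on first use"
        return 0
    fi
    # rpm keeps the armored key block in the package description.
    imported=$(rpm -q --qf '%{DESCRIPTION}' "$pkg" | gpg --show-key 2>/dev/null)
    if imported_key_is_stale "$imported" "$remote"; then
        echo "stale: $pkg expires $(key_expiry_from_showkey "$imported")," \
             "served key expires $(key_expiry_from_showkey "$remote")"
        echo "erase it so dnf re-imports the served copy: rpm --erase $pkg"
        return 1
    fi
    echo "ok: $pkg matches the served key"
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
    check_repo_key "${1:-https://pkgs.k8s.io/core:/stable:/v1.31/rpm/repodata/repomd.xml.key}"
fi
```

Run as `RUN_LIVE=1 sh check-repo-key.sh [gpgkey-url]` on the affected host; it only reports, and the `rpm --erase` line it prints is the same manual step the reporter used, left for you to run deliberately rather than executed automatically. Comparing fingerprints first matters: a genuinely rotated key has a different fingerprint and a different `gpg-pubkey-<keyid>` package, and in that case dnf imports it on its own, so erasing anything would be unnecessary.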