Can't check signature: No public key #792

Closed
phbergsmann opened this issue Feb 22, 2022 · 4 comments

@phbergsmann

I'm trying to install the metal image version 34.20210626.3.1 of FCOS (raw), which is required by OKD version 4.9.0-0.okd-2022-02-12-140851.

This is my install script. I've added the "--insecure" flag and the gpg import to mitigate the error but it didn't work.

The image_url is "https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/34.20210626.3.1/x86_64/fedora-coreos-34.20210626.3.1-metal.x86_64.raw.xz"

```sh
apt update
apt install pkg-config libssl-dev

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y

source $HOME/.cargo/env

cargo install coreos-installer

curl https://getfedora.org/static/fedora.gpg | gpg --import

coreos-installer install --image-url ${image_url} --insecure -i /tmp/init.ign ${install_disk_device}
```

The Debian version which executes the coreos-installer is 11.2.

My expected result would be a successful installation and a reboot afterwards (which worked until some days ago). Currently the following error appears:

```
gpg: Signature made Wed 14 Jul 2021 06:26:09 PM CEST
gpg: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39
gpg: Can't check signature: No public key
Error: GPG verification failure
Resetting partition table
Error: install failed
```

Is there anything I'm missing?

@bgilbert
Contributor

Thanks for the report. Actually, this is intentional behavior. FCOS releases are signed with the Fedora key for the corresponding Fedora major release (the first component of the FCOS version number). The last FCOS release based on Fedora 34 was obsoleted by FCOS 35.20211029.3.0 on November 23, so the recent coreos-installer 0.13.1 release dropped the Fedora 34 key from its keyring.

coreos-installer ships with a hardcoded keyring that's imported into a temporary GPG home directory at runtime, which is why a manual gpg --import doesn't help. Likewise, --insecure will ignore a missing signature, but not an existing invalid one.

You have a couple options for workarounds:

  • Mirror the image but not the signature to your own server, and point coreos-installer to the mirror while passing --insecure. (Or download it to the node and pass --image-file.)
  • Downgrade to coreos-installer 0.12.0.

The proper fix for this issue is for current releases of OKD to stop depending on 8-month-old releases of Fedora CoreOS. We don't support or recommend running old FCOS releases, and there have been some important security fixes since 34.20210626.3.1 was released.
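
Added example (not part of this thread and not coreos-installer's own code): both workarounds above rely on `--insecure`, so the installer no longer checks the image, and the check can be done out of band first. The script verifies a detached signature in a throwaway GPG home, which also shows why keys in the caller's own keyring play no part, and pins the signer to an expected fingerprint. The function names, temporary paths and the constructed fixture are assumptions for illustration, and the caller is assumed to have obtained the release key file and its fingerprint from a trusted source.

```shell
#!/bin/sh
# verify_image KEYFILE EXPECTED_FPR SIGFILE IMAGE
# Returns 0 only when SIGFILE is a good detached signature over IMAGE made by
# the key whose fingerprint is EXPECTED_FPR. Only KEYFILE is imported, into a
# throwaway GPG home, so the caller's default keyring is never consulted.
verify_image() {
    vi_home=$(mktemp -d /tmp/gpgverify.XXXXXX) || return 2
    vi_status=1
    if gpg --homedir "$vi_home" --batch --quiet --import "$1" 2>/dev/null; then
        # GOODSIG: signature is good and the key is neither expired nor revoked.
        # VALIDSIG: carries the full fingerprint of the key that signed.
        vi_signer=$(gpg --homedir "$vi_home" --batch --status-fd 1 \
                        --verify "$3" "$4" 2>/dev/null |
                    awk '$2 == "GOODSIG" { good = 1 }
                         $2 == "VALIDSIG" { fpr = $3 }
                         END { if (good) print fpr }')
        if [ -n "$vi_signer" ] && [ "$vi_signer" = "$2" ]; then vi_status=0; fi
    fi
    gpgconf --homedir "$vi_home" --kill all >/dev/null 2>&1 || true
    rm -rf "$vi_home"
    return "$vi_status"
}

# Constructed fixture for trying the function offline: a throwaway key signs a
# constructed file in directory $1. Prints the throwaway key's fingerprint.
make_fixture() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'constructed-demo-key' default default never 2>/dev/null &&
    printf 'constructed image bytes\n' > "$1/image" &&
    gpg --homedir "$1" --batch --quiet --export > "$1/pub.gpg" &&
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign -o "$1/image.sig" "$1/image" 2>/dev/null &&
    gpg --homedir "$1" --batch --with-colons --list-keys |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage with the workaround above (file names are placeholders; keep the
# signature file where the installer will not find it, as the workaround says):
#   verify_image fedora.gpg "$expected_fpr" sigs/image.raw.xz.sig image.raw.xz &&
#     coreos-installer install --image-file image.raw.xz --insecure \
#       -i /tmp/init.ign "$install_disk_device"
```

The function fails closed: a missing key, a tampered image, or a valid signature from any key other than the pinned one all return non-zero.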

@jlebon
Member

jlebon commented Feb 23, 2022

/cc @LorbusChris @vrutkovs

@vrutkovs
Member

This issue would go away in OKD 4.10 (it uses stable FCOS).

@bgilbert
Contributor

bgilbert commented Nov 3, 2022

Closing, since coreos-installer is working as intended here.

bgilbert closed this as not planned Nov 3, 2022