Installation on CentOS Stream 9 aborts due to failed GPG check #5588
Comments
1player
changed the title
|
Given that the repo config uses https://rpm.rancher.io/public.key for the GPG key, is it out of date or have the RPM packages been compromised? |
1player
changed the title
|
Same issue on RHEL 9. Interestingly I was able to perform a successful install on RHEL 9 earlier. |
|
When I try and run |
|
In fact, yes, after running This is a repo/packaging problem, I think Rancher needs to sign their packages with a SHA256 or SHA521 key instead of SHA1. |
|
Yeah, since we only technically support EL7 and EL8 we haven't updated the signing hash algorithms to account for the deprecation of SHA-1. We'll take a look at addressing this for our next release cycle. Note that this has to do with the hash algorithm used when signing the packages, there is nothing wrong with the keys themselves. |
|
Yeah, sorry, that's what I meant. :) |
|
Another affected user here, but just to add to @hbjydev's comment about updating crypto policies, SHA1 can be disabled after install like this |
It certainly could be, but I don't think it's wise until they fix the package signatures, because doing this will just break any updates to the package until it's sorted out at the repo end. For a dev or test box, sure, but I can't recommend if you're in production. |
|
For what it's worth, we don't update the selinux rpm very often. |
|
@brandond That's fair, yeah, but I'd still rather not need to turn it on and off either side, hence I'm just cautioning that it's not a great solution. :) |
Not to put any pressure, but when is the next release cycle due? I can wait for a few days to install k3s if it's due shortly, otherwise I'll have to try one of the workaround I'd prefer to avoid. |
I'm not sure anyone is using CentOS 9 Stream in production, however RHEL 9 went GA last week so it won't be long before it starts making its way into prod environments and as this issue also affects RHEL 9 people are going to be eager to test things out, I'm already doing test deployments on RHEL 9 which other than the SHA1 issue and another minor issue not directly related to k3s has gone rather well so far. The problem here is as far back as 2005 SHA-1 was considered not secure, so its kind of surprising to see a project in 2022 still signing packages with SHA-1. Collision attacks on SHA-1 are feasible in 2022, there's an interesting answer posted to stackexchange that calculates the time required for a successful attack using current generation GPU's, and before anyone scoff's at the costs of running multiple high end GPU's consider that crypto miners are running small farms with enough RTX30xx's and/or RX 6x00's to generate successful attacks in a few months from their own homes. Please don't take this as a personal attack, its not, I do understand that things get overlooked sometimes. |
|
The Upstream Kubernetes patches for this month just came out yesterday and we are working on validating those again the current support matrix; validating el9 will probably be slotted in for next months cycle but we may be able to get el9 packages out for testing sooner than that. Not to be too blunt about it, but if you're super paranoid about running untrusted software (or software with 'weak' signatures) you're probably not using containers, right? Image signing still isn't really a thing so all you have is TLS to verify the source of your pulls... |
|
"Not to be too blunt about it, but if you're super paranoid about running untrusted software (or software with 'weak' signatures) you're probably not using containers, right?" It's more complicated than that. The script overrides the .repo file, so even setting gpgcheck=0 won't fix it. Supply chain attacks are also a very real threat to enterprise environments, but ignoring that doesn't provide an obvious workaround here. I downloaded the updated rpm and installed it with |
Yes, we are, with k3s for several months now, and it's actually been working great. This recent upgrade was my first real snag. |
Not paranoid, just "aware", in my job I have to answer to security people and customers if I do things like enable a deprecated crypto algorithm. |
|
Work around until this is fixed: Run the script once to get the rancher repo added. Then: Then run the install script again, this time it'll go to completion. |
|
Any movement on this at all? |
|
Been hitting a similar issue with CentOS streams 8. Is this related? |
|
Stream 8 is basically EL9 but worse, so yes. We will address this once our current in-flight releases are complete. |
|
Steam 8 is definitely not Stream 9 and if it's broken there, it is soon to be in RHEL, AlmaLinux, and Rocky. CentOS Stream just did you a favor in giving you a heads up for the scope of impact soon for a significant portion of the project's end users. |
|
An updated package is now available in the curl -ks https://get.k3s.io | INSTALL_K3S_CHANNEL=testing sh -[root@2975a4d1a4bf /]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.0 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.0"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.0 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/9/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.0
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.0"
[root@2975a4d1a4bf /]# curl -ks https://get.k3s.io | INSTALL_K3S_SKIP_START=1 INSTALL_K3S_CHANNEL=testing sh -
[INFO] Finding release for channel testing
[INFO] Using v1.24.1-rc5+k3s1 as release
[INFO] Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.24.1-rc5+k3s1/sha256sum-amd64.txt
[INFO] Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.24.1-rc5+k3s1/k3s
[INFO] Verifying binary download
[INFO] Installing k3s to /usr/local/bin/k3s
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
This system is not registered with an entitlement server. You can use subscription-manager to register.
Rancher K3s Common (testing) 3.6 kB/s | 3.0 kB 00:00
Dependencies resolved.
=============================================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================================
Installing:
k3s-selinux noarch 1.2-2.el8 rancher-k3s-common-testing 20 k
Transaction Summary
=============================================================================================================================================================================================
Install 1 Package
Total download size: 20 k
Installed size: 94 k
Downloading Packages:
k3s-selinux-1.2-2.el8.noarch.rpm 111 kB/s | 20 kB 00:00
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 110 kB/s | 20 kB 00:00
Rancher K3s Common (testing) 7.1 kB/s | 2.4 kB 00:00
Importing GPG key 0xD161F542:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: 856A 0069 529C A63B 21AA 4E0A 089F A20E D161 F542
From : https://rpm-testing.rancher.io/public.key
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: k3s-selinux-1.2-2.el8.noarch 1/1
Installing : k3s-selinux-1.2-2.el8.noarch 1/1
Running scriptlet: k3s-selinux-1.2-2.el8.noarch 1/1
Verifying : k3s-selinux-1.2-2.el8.noarch 1/1
Installed products updated.
Installed:
k3s-selinux-1.2-2.el8.noarch
Complete! |
|
This is now fixed for me. I upgraded to 1.23.8 on CentOS Stream 9 normally with the regular update script today without any workarounds. |
No. Stream 8 is used for EL8 and Stream 9 is used for EL9. The confusion on the "rolling release" is strong, but really simple. Updates to Centos 8 will show up as minor upgrade for EL8 and similar for Cent9 -> EL9. |
|
Any update on this? |
|
I'm having the same issue on CentOS Stream 9. @brandond The # dnf install --nogpgcheck k3s-selinux
Last metadata expiration check: 0:10:50 ago on Sun 14 Aug 2022 12:43:08 PM UTC.
Dependencies resolved.
================================================================================================================================================================
Package Architecture Version Repository Size
================================================================================================================================================================
Installing:
k3s-selinux noarch 1.1-1.el8 rancher-k3s-common-stable 20 k
Installing dependencies:
container-selinux noarch 3:2.189.0-1.el9 appstream 49 k
policycoreutils-python-utils noarch 3.4-2.el9 appstream 75 k
Transaction Summary
================================================================================================================================================================
Install 3 Packages
Total size: 143 k
Installed size: 268 k
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] container-selinux-2.189.0-1.el9.noarch.rpm: Already downloaded
[SKIPPED] policycoreutils-python-utils-3.4-2.el9.noarch.rpm: Already downloaded
[SKIPPED] k3s-selinux-1.1-1.el8.noarch.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
RPM: warning: Signature not supported. Hash algorithm SHA1 not available.
RPM: warning: Signature not supported. Hash algorithm SHA1 not available.
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
package k3s-selinux-1.1-1.el8.noarch does not verify: Header V4 RSA/SHA1 Signature, key ID e257814a: BAD |
|
Using testing and the Centos 8 packages worked for me on Centos 9, however I am not using the k3s install script but just set this via ansible: |
|
the updated k3s-selinux package should now be available in other channels. |
|
Reverted back to stable and everything is good. Any chance on packaging specifically for centos9? Probably not a big deal now unless se policies ore dependencies drift more. |
Environmental Info:
Node(s) CPU architecture, OS, and Version: CentOS Stream 9 on x86_64
Describe the bug:
Ran
curl -sfL https://get.k3s.io | sh -as root, fails during package installation with:Steps To Reproduce:
Run
curl -sfL https://get.k3s.io | sh -on a CentOS Stream 9 or other RPM distribution.The text was updated successfully, but these errors were encountered: