-
Notifications
You must be signed in to change notification settings - Fork 288
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
4.6.0-0.okd-2020-11-27-200126: Invalid signature configmap, needs force: true
#426
Comments
That's odd, it has
instead of expected
Seems OKD is accidentally using official signature store instead of CI |
Yup,
while born-in-4.5 clusters have:
So this would affect born-in-4.6 clusters only. The workaround would be applying https://github.com/openshift/cluster-update-keys/blob/master/manifests/0000_90_cluster-update-keys_configmap.yaml configmap. |
force: true
So, is there a fix planned for this release and/or is it safe to use |
The fix is planned, but it can't be applied in this release - the problem is that previous 4.6 stable release applied the wrong keys and it went unnoticed. While we sort it out please use |
Should we use |
Seems CVO won't accept the updated configmap (it extracts it from the payload iiuc). How to verify the release manually:
So the encrypted message generated on CI has valid digest, signed with The problem is that previous 4.6 release has changed the expected key to |
If you're like us, and started the upgrade from the Web interface, you first need to clear the upgrade and "downgrade" to the old version again, verify the image with the steps Vrutkovs proposed. If that checks out you can force the upgrade:
|
That's not necessary, edit |
correct config entry is |
Keeping open for openshift/cluster-update-keys#30 (and nightly) to be available |
https://amd64.origin.releases.ci.openshift.org/releasestream/4.6.0-0.okd/release/4.6.0-0.okd-2021-01-15-162431 should have updated expected keys. However release-controller doesn't upload new signatures just yet - tracking this issue w/ infra folks |
This seems to work now:
|
Describe the bug
Unable to upgrade to
4.6.0-0.okd-2020-12-12-135354
from4.6.0-0.okd-2020-11-27-200126
due to errorVersion
4.6.0-0.okd-2020-11-27-200126
Bare Metal Install
How reproducible
100% of the time
Log bundle
Must Gather tar
The text was updated successfully, but these errors were encountered: