4.7.0-0.okd-2021-04-11-124433: The update cannot be verified: unable to locate a valid signature for one or more sources #605

Closed
RobVerduijn opened this issue Apr 25, 2021 · 15 comments

Comments

@RobVerduijn

RobVerduijn commented Apr 25, 2021

Describe the bug
Hi,

Today I used the update button to update from 4.7.0-0.okd-2021-04-11-124433 to 4.7.0-0.okd-2021-04-24-103438.
But it seems unable to verify the image.

apiVersion: config.openshift.io/v1
kind: ClusterVersion
metadata:
  creationTimestamp: '2021-04-21T18:21:29Z'
  generation: 2
  managedFields:
    - apiVersion: config.openshift.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          .: {}
          'f:channel': {}
          'f:clusterID': {}
          'f:upstream': {}
      manager: cluster-bootstrap
      operation: Update
      time: '2021-04-21T18:21:29Z'
    - apiVersion: config.openshift.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:desiredUpdate':
            .: {}
            'f:image': {}
            'f:version': {}
      manager: Mozilla
      operation: Update
      time: '2021-04-25T09:36:15Z'
    - apiVersion: config.openshift.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:desiredUpdate':
            'f:force': {}
        'f:status':
          .: {}
          'f:availableUpdates': {}
          'f:conditions': {}
          'f:desired':
            .: {}
            'f:image': {}
            'f:version': {}
          'f:history': {}
          'f:observedGeneration': {}
          'f:versionHash': {}
      manager: cluster-version-operator
      operation: Update
      time: '2021-04-25T09:36:19Z'
  name: version
  resourceVersion: '725979'
  selfLink: /apis/config.openshift.io/v1/clusterversions/version
  uid: dbfdb75c-0e09-41ec-9c37-736b3eba9440
spec:
  channel: stable-4
  clusterID: 6d5876e1-6fea-4f40-be9c-335882390845
  desiredUpdate:
    image: >-
      registry.ci.openshift.org/origin/release@sha256:1c71a740375b34df53c6e2bfe389018f3160cea46c4022ed6080f583c54ecbc0
    version: 4.7.0-0.okd-2021-04-24-103438
  upstream: 'https://origin-release.svc.ci.openshift.org/graph'
status:
  availableUpdates:
    - image: >-
        registry.ci.openshift.org/origin/release@sha256:1c71a740375b34df53c6e2bfe389018f3160cea46c4022ed6080f583c54ecbc0
      version: 4.7.0-0.okd-2021-04-24-103438
  conditions:
    - lastTransitionTime: '2021-04-21T19:15:17Z'
      message: Done applying 4.7.0-0.okd-2021-04-11-124433
      status: 'True'
      type: Available
    - lastTransitionTime: '2021-04-25T12:38:14Z'
      message: >-
        The update cannot be verified: unable to locate a valid signature for
        one or more sources
      reason: ImageVerificationFailed
      status: 'True'
      type: Failing
    - lastTransitionTime: '2021-04-25T09:36:19Z'
      message: >-
        Unable to apply 4.7.0-0.okd-2021-04-24-103438: the image may not be safe
        to use
      reason: ImageVerificationFailed
      status: 'True'
      type: Progressing
    - lastTransitionTime: '2021-04-25T12:35:03Z'
      status: 'True'
      type: RetrievedUpdates
  desired:
    image: >-
      registry.ci.openshift.org/origin/release@sha256:1c71a740375b34df53c6e2bfe389018f3160cea46c4022ed6080f583c54ecbc0
    version: 4.7.0-0.okd-2021-04-24-103438
  history:
    - completionTime: null
      image: >-
        registry.ci.openshift.org/origin/release@sha256:1c71a740375b34df53c6e2bfe389018f3160cea46c4022ed6080f583c54ecbc0
      startedTime: '2021-04-25T09:36:19Z'
      state: Partial
      verified: false
      version: 4.7.0-0.okd-2021-04-24-103438
    - completionTime: '2021-04-21T19:15:17Z'
      image: >-
        quay.io/openshift/okd@sha256:4414db9e8945504d1d5423ec11d64df9fa8b4aa60d978f8b4bdb3d0720800741
      startedTime: '2021-04-21T18:21:52Z'
      state: Completed
      verified: false
      version: 4.7.0-0.okd-2021-04-11-124433
  observedGeneration: 2
  versionHash: 4boqI_3hclA=

Version

How reproducible

Use the update function in OKD.
Log bundle

Is a log needed? The update hasn't done anything yet.

Rob
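The object above carries the fields that show whether release verification was skipped: `status.history[].verified`, the `ImageVerificationFailed` conditions, and the `force` field under `spec.desiredUpdate`. An added example, not part of the original post or the OKD project, that audits a parsed `oc get clusterversion version -o json` object for them; the function name and finding labels are assumptions, and the sample is constructed.

```python
def audit_clusterversion(cv):
    """Return (finding, detail) tuples about skipped release verification.

    cv is the parsed output of `oc get clusterversion version -o json`.
    """
    findings = []
    status = cv.get("status", {})

    # A force flag left behind keeps waiving verification for this target.
    desired = cv.get("spec", {}).get("desiredUpdate") or {}
    if desired.get("force"):
        findings.append(("force-still-set", desired.get("version", "")))

    # Every history entry records whether its payload was verified.
    for entry in status.get("history", []):
        if not entry.get("verified", False):
            state = entry.get("state", "Unknown").lower()
            findings.append((f"unverified-{state}", entry.get("version", "")))

    # Conditions that are currently failing on signature verification.
    for cond in status.get("conditions", []):
        if cond.get("reason") == "ImageVerificationFailed" and cond.get("status") == "True":
            findings.append(("verification-failing", cond.get("type", "")))
    return findings


# Constructed sample: a reduced copy of the object in the post above,
# with desiredUpdate.force set as it would be after a forced update.
SAMPLE = {
    "spec": {"desiredUpdate": {"version": "4.7.0-0.okd-2021-04-24-103438", "force": True}},
    "status": {
        "conditions": [
            {"type": "Failing", "status": "True", "reason": "ImageVerificationFailed"},
            {"type": "Available", "status": "True"},
        ],
        "history": [
            {"state": "Partial", "verified": False, "version": "4.7.0-0.okd-2021-04-24-103438"},
            {"state": "Completed", "verified": False, "version": "4.7.0-0.okd-2021-04-11-124433"},
        ],
    },
}

if __name__ == "__main__":
    for finding in audit_clusterversion(SAMPLE):
        print(*finding)
```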

@GerbenWelter

Hey Rob,

Long time no see/hear. This has happened before. Some image signing process hasn't run yet. Maybe one of the admins needs to restart that process.

@vrutkovs
Member

Right, seems the signer has stuck. We'll restart it, until then please use 'oc adm upgrade --force' or set .spec.desired.force to true in ClusterVersion

@RobVerduijn
Author

I'll wait for the signer to do its job.

@danielchristianschroeter

We see this almost every month. Is there no sustainable solution for this?

@bobby0724

I have the same issue

@vrutkovs changed the title from "The update cannot be verified: unable to locate a valid signature for one or more sources" to "4.7.0-0.okd-2021-04-11-124433: The update cannot be verified: unable to locate a valid signature for one or more sources" on Apr 27, 2021
@bobby0724

bobby0724 commented Apr 27, 2021

> Right, seems the signer has stuck. We'll restart it, until then please use 'oc adm upgrade --force' or set .spec.desired.force to true in ClusterVersion

just for general info 'oc adm upgrade --force' didn't work

@twling

twling commented Apr 27, 2021

> > Right, seems the signer has stuck. We'll restart it, until then please use 'oc adm upgrade --force' or set .spec.desired.force to true in ClusterVersion
>
> just for general info 'oc adm upgrade --force' didn't work

The second option did work for me to force the update for an unverified image, specifically set .spec.desiredUpdate.force to true

@vrutkovs
Member

vrutkovs commented Apr 28, 2021

$ export RELEASE="4.7.0-0.okd-2021-04-24-103438"                                  
$ oc adm release info quay.io/openshift/okd:${RELEASE} | head -n 2 
Name:           4.7.0-0.okd-2021-04-24-103438
Digest:         sha256:1c71a740375b34df53c6e2bfe389018f3160cea46c4022ed6080f583c54ecbc0
$ export DIGEST="1c71a740375b34df53c6e2bfe389018f3160cea46c4022ed6080f583c54ecbc0"                                                         
$ curl -Ls https://storage.googleapis.com/openshift-ci-release/releases/signatures/openshift/release/sha256\=${DIGEST}/signature-1 | gpg -d
{
  "critical": {
    "type": "atomic container signature",
    "image": {
      "docker-manifest-digest": "sha256:1c71a740375b34df53c6e2bfe389018f3160cea46c4022ed6080f583c54ecbc0"
    },
    "identity": {
      "docker-reference": "quay.io/openshift/okd:4.7.0-0.okd-2021-04-24-103438"
    }
  },
  "optional": {
    "creator": "openshift release-controller",
    "timestamp": 1619554498
  }
}gpg: Signature made Tue 27 Apr 2021 22:14:58 CEST
gpg:                using RSA key 65C28371F55D29A9

However the previous signer key has expired, so you'd have to force upgrade this time (and, most likely, the next time too).

Sorry for the inconvenience
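The payload that `gpg -d` prints in the comment above is only useful if it names the release you are about to apply. An added example, not from this thread or the OKD project, that checks a decoded payload against the expected digest and repository; the function name and the constructed sample are assumptions, and the validity of the GPG signature itself still has to come from `gpg` with a trusted key.

```python
import json

SIG_TYPE = "atomic container signature"


def check_signature_payload(payload_text, expected_digest, expected_repo):
    """Return a list of problems; an empty list means the payload binds
    the expected digest to the expected repository.

    payload_text is the JSON printed by `gpg -d` for a signature-N file.
    This checks the signed claims only, not the GPG signature over them.
    """
    try:
        critical = json.loads(payload_text)["critical"]
        sig_type = critical["type"]
        digest = critical["image"]["docker-manifest-digest"]
        reference = critical["identity"]["docker-reference"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"malformed payload: {exc!r}"]

    problems = []
    if sig_type != SIG_TYPE:
        problems.append(f"unexpected type {sig_type!r}")
    if digest != expected_digest:
        problems.append(f"signed digest {digest} != expected {expected_digest}")
    # Strip a digest or tag suffix, then compare the repository exactly so
    # a look-alike repository name with a shared prefix does not pass.
    repo = reference.split("@", 1)[0]
    if ":" in repo.rsplit("/", 1)[-1]:
        repo = repo.rsplit(":", 1)[0]
    if repo != expected_repo:
        problems.append(f"signed for {repo}, not {expected_repo}")
    return problems


# Constructed sample, shaped like the payload shown in the comment above.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE = json.dumps({
    "critical": {
        "type": SIG_TYPE,
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "identity": {"docker-reference": "quay.io/example/okd:4.7.0-sample"},
    },
    "optional": {"creator": "constructed", "timestamp": 0},
})

if __name__ == "__main__":
    print(check_signature_payload(SAMPLE, SAMPLE_DIGEST, "quay.io/example/okd"))
```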

@vrutkovs vrutkovs pinned this issue Apr 28, 2021
@OleksandrShtepa

OleksandrShtepa commented Apr 28, 2021

Got same problem, mitigated:

$ oc get clusterversion
NAME      VERSION                         AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.okd-2021-04-11-124433   True        True          70s     Unable to apply 4.7.0-0.okd-2021-04-24-103438: the image may not be safe to use
$ oc adm upgrade --clear=true
Cleared the update field, still at 4.7.0-0.okd-2021-04-24-103438
$ oc get clusterversion
NAME      VERSION                         AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.okd-2021-04-11-124433   True        True          8m4s    Working towards 4.7.0-0.okd-2021-04-11-124433: 601 of 669 done (89% complete)
...
version   4.7.0-0.okd-2021-04-11-124433   True        False         107s    Cluster version is 4.7.0-0.okd-2021-04-11-124433
$ oc adm upgrade --force --to=4.7.0-0.okd-2021-04-24-103438
warning: --force overrides cluster verification of your supplied release image and waives any update precondition failures.
Updating to 4.7.0-0.okd-2021-04-24-103438
$ oc get clusterversion
NAME      VERSION                         AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.okd-2021-04-11-124433   True        True          5s      Working towards 4.7.0-0.okd-2021-04-24-103438: downloading update
...
version   4.7.0-0.okd-2021-04-11-124433   True        True          57m     Working towards 4.7.0-0.okd-2021-04-24-103438: 301 of 669 done (44% complete)
...
version   4.7.0-0.okd-2021-04-24-103438   True        False         20s     Cluster version is 4.7.0-0.okd-2021-04-24-103438

@bobby0724

thanks

@bobby0724

bobby0724 commented Apr 29, 2021

My upgrade --force took a little while but finally completed, thanks.

@apmlima

apmlima commented May 11, 2021

> Got same problem, mitigated:
>
> $ oc get clusterversion
> NAME      VERSION                         AVAILABLE   PROGRESSING   SINCE   STATUS
> version   4.7.0-0.okd-2021-04-11-124433   True        True          70s     Unable to apply 4.7.0-0.okd-2021-04-24-103438: the image may not be safe to use
> $ oc adm upgrade --clear=true
> Cleared the update field, still at 4.7.0-0.okd-2021-04-24-103438
> $ oc get clusterversion
> NAME      VERSION                         AVAILABLE   PROGRESSING   SINCE   STATUS
> version   4.7.0-0.okd-2021-04-11-124433   True        True          8m4s    Working towards 4.7.0-0.okd-2021-04-11-124433: 601 of 669 done (89% complete)
> ...
> version   4.7.0-0.okd-2021-04-11-124433   True        False         107s    Cluster version is 4.7.0-0.okd-2021-04-11-124433
> $ oc adm upgrade --force --to=4.7.0-0.okd-2021-04-24-103438
> warning: --force overrides cluster verification of your supplied release image and waives any update precondition failures.
> Updating to 4.7.0-0.okd-2021-04-24-103438
> $ oc get clusterversion
> NAME      VERSION                         AVAILABLE   PROGRESSING   SINCE   STATUS
> version   4.7.0-0.okd-2021-04-11-124433   True        True          5s      Working towards 4.7.0-0.okd-2021-04-24-103438: downloading update
> ...
> version   4.7.0-0.okd-2021-04-11-124433   True        True          57m     Working towards 4.7.0-0.okd-2021-04-24-103438: 301 of 669 done (44% complete)
> ...
> version   4.7.0-0.okd-2021-04-24-103438   True        False         20s     Cluster version is 4.7.0-0.okd-2021-04-24-103438

I got:

oc get clusterversion

NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.6.0-0.okd-2021-02-14-205305 True True 64m Unable to apply 4.7.0-0.okd-2021-04-24-103438: the control plane is reporting an internal error

Can anyone help?

@vrutkovs
Member

openshift/cluster-update-keys#36 would resolve that. 4.8 nightlies signature verification works.

@vrutkovs
Member

Fixed in 4.7.0-0.okd-2021-05-22-050008.

Note that release verification needs to be forced this one time.

@kissoliver

I have the same issue:

The update cannot be verified: unable to locate a valid signature for one or more sources
Unable to apply 4.7.0-0.okd-2021-05-22-050008: the image may not be safe to use
