5

I'm trying to add a Kubernetes repo to my Amazon Linux 2 instance and am struggling with automatically adding the GPG keys.

This is my /etc/yum.repos.d/kubernetes.repo...

```
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
```

I then try to import the GPG keys:

```
~ # wget https://packages.cloud.google.com/yum/doc/yum-key.gpg \
      https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
~ # rpm --import *.gpg
```

However, when I run any yum command, it still doesn't know the keys:

```
# yum upgrade -y
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
kubernetes/signature | 454 B 00:00:00
Retrieving key from https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0xA7317B0F:
 Userid     : "Google Cloud Packages Automatic Signing Key <[email protected]>"
 Fingerprint: d0bc 747f d8ca f711 7500 d6fa 3746 c208 a731 7b0f
 From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Retrieving key from https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
kubernetes/signature | 1.4 kB 00:00:00 !!!
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for kubernetes
Trying other mirror.
No packages marked for update
```

Even if I try to accept them manually it still doesn't work.

```
# yum upgrade
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
kubernetes/signature | 454 B 00:00:00
Retrieving key from https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0xA7317B0F:
 Userid     : "Google Cloud Packages Automatic Signing Key <[email protected]>"
 Fingerprint: d0bc 747f d8ca f711 7500 d6fa 3746 c208 a731 7b0f
 From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Is this ok [y/N]: y <<<<< Yes, I accept it!
Retrieving key from https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
kubernetes/signature | 1.4 kB 00:00:01 !!!
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for kubernetes
Trying other mirror.
No packages marked for update
```

How can I add the key so that YUM accepts it?

1 Answer

6

This is a known issue (see https://github.com/kubernetes/kubernetes/issues/60134). Work around it by disabling GPG checks: set repo_gpgcheck=0 in /etc/yum.repos.d/kubernetes.repo.

Credits to drakedevel, who writes:

> I think this is due to Amazon Linux 2 shipping an old version of GnuPG, and something about the repomd.xml.asc signature requires a newer version.
>
> GnuPG 2.0.22 outright rejects the signature on the repository metadata with `assuming bad signature from key BA07F4FB due to an unknown critical bit`. I haven't been able to figure out what critical bit it's referring to -- there don't appear to be any on the signature or key -- but whatever GnuPG 2.0.22 is upset about is most likely the root cause.
>
> This only affects the repomd signature, so there's zero reason to disable gpgcheck as several others have suggested. Disabling repo_gpgcheck is sufficient and preserves package signature verification (although it's still not an ideal workaround...)
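
To confirm that the workaround turned off only the metadata check and left package signature verification on, the following added example (not code from the question, the answer, or the Kubernetes project) audits yum `.repo` files and classifies each section by its `gpgcheck` and `repo_gpgcheck` values. The function name `audit_repo_gpg`, the verdict labels and the sample sections are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. Usage: audit_repo_gpg /etc/yum.repos.d/*.repo
# Reads stdin when no file is given. Prints one line per repo section.
audit_repo_gpg() {
    awk '
    function norm(v) {              # map yum boolean spellings to on/off
        v = tolower(v)
        if (v == "1" || v == "yes" || v == "true")  return "on"
        if (v == "0" || v == "no"  || v == "false") return "off"
        return "unset"              # absent or unrecognised: [main] decides
    }
    function report(   p, m, verdict) {
        if (id == "") return
        p = norm(pkg); m = norm(meta)
        if (p == "off")        verdict = "FAIL packages-not-verified"
        else if (p == "unset") verdict = "REVIEW gpgcheck-inherited"
        else if (m == "on")    verdict = "OK packages+metadata"
        else                   verdict = "WARN packages-only"
        printf "%s gpgcheck=%s repo_gpgcheck=%s %s\n", id, p, m, verdict
    }
    /^[ \t]*[#;]/ { next }          # comment lines
    /^[ \t]*\[/ {                   # new [section]: flush the previous one
        report()
        id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
        pkg = ""; meta = ""; next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (key == "gpgcheck")      pkg = val
        if (key == "repo_gpgcheck") meta = val
    }
    END { report() }
    ' "$@"
}

# Constructed sample: the repo from the question with the workaround
# applied, next to a hypothetical section that disables gpgcheck entirely.
audit_repo_gpg <<'EOF'
[kubernetes]
gpgcheck=1
repo_gpgcheck=0
[example-unsafe]
gpgcheck=0
EOF
```

A `WARN packages-only` line is the state the answer recommends; a `FAIL` line means RPM signatures are no longer verified for that repo.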
