k3s: Installation on CentOS Stream 9 aborts due to failed GPG check

Environmental Info:

Node(s) CPU architecture, OS, and Version: CentOS Stream 9 on x86_64

Describe the bug:

Ran curl -sfL https://get.k3s.io | sh - as root, fails during package installation with:

Downloading Packages:
(1/3): container-selinux-2.183.0-1.el9.noarch.rpm                                                             313 kB/s |  47 kB     00:00
(2/3): policycoreutils-python-utils-3.3-5.el9.noarch.rpm                                                      433 kB/s |  74 kB     00:00
(3/3): k3s-selinux-1.1-1.el8.noarch.rpm                                                                        28 kB/s |  20 kB     00:00
----------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                         162 kB/s | 142 kB     00:00
Rancher K3s Common (stable)                                                                                   4.6 kB/s | 2.4 kB     00:00
Importing GPG key 0xE257814A:
 Userid     : "Rancher (CI) <ci@rancher.com>"
 Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
 From       : https://rpm.rancher.io/public.key
Key imported successfully
Import of key(s) didn't help, wrong key(s)?
Problem opening package k3s-selinux-1.1-1.el8.noarch.rpm. Failing package is: k3s-selinux-1.1-1.el8.noarch
 GPG Keys are configured as: https://rpm.rancher.io/public.key
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Steps To Reproduce:

Run curl -sfL https://get.k3s.io | sh - on a CentOS Stream 9 or other RPM distribution.

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 3
  • Comments: 29 (6 by maintainers)

Most upvoted comments

Steam 8 is definitely not Stream 9 and if it’s broken there, it is soon to be in RHEL, AlmaLinux, and Rocky. CentOS Stream just did you a favor in giving you a heads up for the scope of impact soon for a significant portion of the project’s end users.

+2
vwbusguy on Jun 9, 2022

Stream 8 is basically EL9 but worse, so yes.

We will address this once our current in-flight releases are complete.

+2
brandond on Jun 8, 2022

Work around until this is fixed:

Run the script once to get the rancher repo added. Then:

dnf install container-selinux
dnf download k3s-selinux
rpm -Uvh --nosignature ./k3s-selinux-1.1-1.el8.noarch.rpm

Then run the install script again, this time it’ll go to completion.

+2
1player on May 31, 2022

Not to be too blunt about it, but if you’re super paranoid about running untrusted software (or software with ‘weak’ signatures) you’re probably not using containers, right? Image signing still isn’t really a thing so all you have is TLS to verify the source of your pulls…

Not paranoid, just “aware”, in my job I have to answer to security people and customers if I do things like enable a deprecated crypto algorithm.

+2
mplinuxgeek on May 28, 2022

When I try and run dnf install --nogpgcheck k3s-selinux I get packages does not verify: Header V4 RSA/SHA1 Signature, key ID e257814a: BAD – this could be due to RHEL 9 deprecating and no longer enabling SHA1 out of the box

+2
hbjydev on May 24, 2022

An updated package is now available in the testing channel. You should now be able to do:

curl -ks https://get.k3s.io | INSTALL_K3S_CHANNEL=testing sh -

[root@2975a4d1a4bf /]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.0 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.0"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.0 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/9/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.0
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.0"

[root@2975a4d1a4bf /]# curl -ks https://get.k3s.io | INSTALL_K3S_SKIP_START=1 INSTALL_K3S_CHANNEL=testing sh -
[INFO]  Finding release for channel testing
[INFO]  Using v1.24.1-rc5+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.24.1-rc5+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.24.1-rc5+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.

This system is not registered with an entitlement server. You can use subscription-manager to register.

Rancher K3s Common (testing)                                                                                                                                 3.6 kB/s | 3.0 kB     00:00
Dependencies resolved.
=============================================================================================================================================================================================
 Package                                    Architecture                          Version                                    Repository                                                 Size
=============================================================================================================================================================================================
Installing:
 k3s-selinux                                noarch                                1.2-2.el8                                  rancher-k3s-common-testing                                 20 k

Transaction Summary
=============================================================================================================================================================================================
Install  1 Package

Total download size: 20 k
Installed size: 94 k
Downloading Packages:
k3s-selinux-1.2-2.el8.noarch.rpm                                                                                                                             111 kB/s |  20 kB     00:00
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                        110 kB/s |  20 kB     00:00
Rancher K3s Common (testing)                                                                                                                                 7.1 kB/s | 2.4 kB     00:00
Importing GPG key 0xD161F542:
 Userid     : "Rancher (CI) <ci@rancher.com>"
 Fingerprint: 856A 0069 529C A63B 21AA 4E0A 089F A20E D161 F542
 From       : https://rpm-testing.rancher.io/public.key
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                     1/1
  Running scriptlet: k3s-selinux-1.2-2.el8.noarch                                                                                                                                        1/1
  Installing       : k3s-selinux-1.2-2.el8.noarch                                                                                                                                        1/1
  Running scriptlet: k3s-selinux-1.2-2.el8.noarch                                                                                                                                        1/1
  Verifying        : k3s-selinux-1.2-2.el8.noarch                                                                                                                                        1/1
Installed products updated.

Installed:
  k3s-selinux-1.2-2.el8.noarch

Complete!
+1
brandond on Jun 10, 2022
Read more comments on GitHub
← k3s: Installation hangs forever when firewall(ufw) is active
k3s: invalid capacity 0 on image filesystem warning when starting k3s node →