kubernetes: Got "repomd.xml signature could not be verified for kubernetes" error when installing Kubernetes from yum repo on Amazon Linux 2
Is this a BUG REPORT or FEATURE REQUEST?: /kind bug
What happened:
I’m trying to install Kubernetes on Amazon Linux 2 as described here, but I get error:
[user@example.com ~]$ sudo yum install -y kubelet kubeadm kubectl
Loaded plugins: langpacks, priorities, update-motd
kubernetes/signature | 454 B 00:00:00
Retrieving key from https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0xA7317B0F:
Userid : "Google Cloud Packages Automatic Signing Key <gc-team@google.com>"
Fingerprint: d0bc 747f d8ca f711 7500 d6fa 3746 c208 a731 7b0f
From : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Retrieving key from https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
kubernetes/signature | 1.4 kB 00:00:00 !!!
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for kubernetes
Trying other mirror.
One of the configured repositories failed (Kubernetes),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:
1. Contact the upstream for the repository and get them to fix the problem.
2. Reconfigure the baseurl/etc. for the repository, to point to a working
upstream. This is most often useful if you are using a newer
distribution release than is supported by the repository (and the
packages for the previous distribution release still work).
3. Run the command with the repository temporarily disabled
yum --disablerepo=kubernetes ...
4. Disable the repository permanently, so yum won't use it by default. Yum
will then just ignore the repository until you permanently enable it
again or use --enablerepo for temporary usage:
yum-config-manager --disable kubernetes
or
subscription-manager repos --disable=kubernetes
5. Configure the failing repository to be skipped, if it is unavailable.
Note that yum will try to contact the repo. when it runs most commands,
so will have to try and fail each time (and thus. yum will be be much
slower). If it is a very temporary problem though, this is often a nice
compromise:
yum-config-manager --save --setopt=kubernetes.skip_if_unavailable=true
failure: repodata/repomd.xml from kubernetes: [Errno 256] No more mirrors to try.
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for kubernetes
What you expected to happen: Successful installation kubelet kubeadm kubectl
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
- Kubernetes version (use kubectl version): I guess should be 1.9.3
- Cloud provider or hardware configuration: AWS
- OS (e.g. from /etc/os-release):
NAME="Amazon Linux"
VERSION="2 (2017.12)"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2 (2017.12) LTS Release Candidate"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
- Kernel (e.g. uname -a):
Linux 4.9.76-38.79.amzn2.x86_64 #1 SMP Mon Jan 15 23:35:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
- Install tools:
- Others:
About this issue
- State: closed
- Created 6 years ago
- Reactions: 28
- Comments: 48 (7 by maintainers)
Commits related to this issue
- Allow specifying repo baseurl and gpgkey Variable kubernetes_yum_repo_gpgcheck is added because it happens that gpg command on Amazon Linux can fail verifying repomd.xml while working alright with pa... — committed to yousong/ansible-role-kubernetes by yousong 5 years ago
- ci: Fix kubernetes installation for Fedora 30 We need to import the gpg keys and disable the gpgcheck from the /yum/repos.d/kubernetes repository as it is not possible to perform the installation of ... — committed to GabyCT/tests-1 by GabyCT 4 years ago
- ci: Fix kubernetes installation for Fedora 31 We need to import the gpg keys and disable the gpgcheck from the /yum/repos.d/kubernetes repository as it is not possible to perform the installation of ... — committed to GabyCT/tests-1 by GabyCT 4 years ago
- fix: disable repo_gpgcheck (#5) see https://github.com/kubernetes/kubernetes/issues/60134 — committed to k8s-installer/k8s-installer by tmurakam 4 years ago
- Disable repo_gpgcheck for kube repo in build image This is a fix according to https://github.com/kubernetes/kubernetes/issues/60134 The build image includes GnuPG 2.0.22 which shows this problem: — committed to mgencur/serverless-operator by mgencur 3 years ago
- Disable repo_gpgcheck for kube repo in build image This is a fix according to https://github.com/kubernetes/kubernetes/issues/60134 The build image includes GnuPG 2.0.22 which shows this problem. — committed to mgencur/serverless-operator by mgencur 3 years ago
- Disable repo_gpgcheck for kube repo in build image (#862) This is a fix according to https://github.com/kubernetes/kubernetes/issues/60134 The build image includes GnuPG 2.0.22 which shows this pro... — committed to openshift-knative/serverless-operator by mgencur 3 years ago
- Disable repo_gpgcheck for kube repo in build image: This is a fix according to kubernetes/kubernetes#60134 . The build image includes GnuPG 2.0.22 which shows this problem. Signed-off-by: Matthias We... — committed to matzew/eventing by matzew 3 years ago
- Disable repo_gpgcheck for kube repo in build image: This is a fix according to kubernetes/kubernetes#60134 . The build image includes GnuPG 2.0.22 which shows this problem. Signed-off-by: Matthias We... — committed to matzew/eventing-kafka by matzew 3 years ago
- Disable repo_gpgcheck for kube repo in build image: This is a fix according to kubernetes/kubernetes#60134 . The build image includes GnuPG 2.0.22 which shows this problem. (#136) Signed-off-by: Matt... — committed to openshift-knative/eventing-kafka by matzew 3 years ago
I’m seeing the same. You can get it to work by setting repo_gpgcheck=0 in /etc/yum.repos.d/kubernetes.repo but that is obviously not a real solution.
retry
Remove these two lines from your kubernetes.repo file-> gpgcheck=1 repo_gpgcheck=1 It worked for me. These verify package signatures after download.
You can re-import the keys:
rpm --import https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Hi, I’m writing here on behalf of the Amazon Linux team.
This bug is an intersection of the version of GnuPG 2 available in AL2, the version of GCC used to build it, and PGP keys that contain signature notations flagged as “critical”.
We’ve applied the change from GnuPG 2.1 and later that fixes this issue, and it will be available in our next repository push. I’ll post here again when the package is published.
It’s still failing while I was trying to install kubectl on ec2 with amazon linux
repo_gpgcheck=0 worked for me as well, needs a better solution
Still failing, had to disable gpgcheck as a workaround. Is there any chance for a fix? I ask it as the issue is close to 1 year old.
I think I’m agreeing with @mattsawyer77.
While we’re running a different setup (not on Amazon Linux 2), in CentOS7 installs have started to fail with the
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for kubernetes
error. I can reproduce the issue by starting a centos7 container and trying to install anything.
Interesting data points:
Current output when installing:
output when trying yum commands on older, previously functioning node:
To reproduce:
then:
Repeating this with docker run -it centos:centos8 /bin/bash works. Note in centos8 gnupg2-2.2.20-2.el8 is installed instead of gnupg2-2.0.22-5.el7_5.
I think this is due to Amazon Linux 2 shipping an old version of GnuPG, and something about the repomd.xml.asc signature requires a newer version. repomd.xml is signed with key ID 6A030B21BA07F4FB, one of two keys present in https://packages.cloud.google.com/yum/doc/yum-key.gpg . This can be used to verify the signature as follows:
The story is different on Amazon Linux 2, unfortunately:
GnuPG 2.0.22 outright rejects the signature on the repository metadata with "assuming bad signature from key BA07F4FB due to an unknown critical bit". I haven’t been able to figure out what critical bit it’s referring to – there don’t appear to be any on the signature or key – but whatever GnuPG 2.0.22 is upset about is most likely the root cause.
This only affects the repomd signature, so there’s zero reason to disable gpgcheck as several others have suggested. Disabling repo_gpgcheck is sufficient and preserves package signature verification (although it’s still not an ideal workaround…)
Hi,
Same problem here running, using repo_gpgcheck=0 fixes it but shouldn’t that be fixed?
So funny thing… following along @drakedevel’s line of thinking, I installed the CentOS gpg (still 2.0.22), on amzn2 and now kubernetes signatures are being accepted:
just faced the same issue on AWS EC2 instance with Amazon Linux 2 installed
Any thought?
this did not fix it for me, but:
did
it worked for me
Try this way. It worked for me.
rpm --import https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
sudo yum install -y http://mirror.centos.org/centos/7/os/x86_64/Packages/gnupg2-2.0.22-5.el7_5.x86_64.rpm
@mattsawyer77 / @luk4z7, see https://github.com/kubernetes/kubernetes/issues/97077#issuecomment-741698560
Solved the issue for me.
EDIT: Nevermind, it did not 😦
It appears that this issue, or one very similar, has recurred in the last few days. We’ve found that we can’t create new nodes currently, and we’re getting essentially the same error as the OP.
I can confirm it’s in the package repo now, I did not expect to find this issue solved just after its second birthday, 🔔 ring the bell
This can be closed
The same issue. Amazon Linux
paste below inside kubernetes repo config file then retry.
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Might be linked to https://bugzilla.redhat.com/show_bug.cgi?id=1768206
Workaround: this command will import gpg key for yum
yum -q makecache -y --disablerepo='*' --enablerepo=kubernetes
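Added example, not from the issue or from the Kubernetes or Amazon Linux projects: hosts that took the workarounds discussed in this thread keep repo_gpgcheck=0 or gpgcheck=0 in their .repo files after the gnupg2 fix ships, so this script reports, per repo section, which of the two checks is off. The function names, the verdict labels and the example-internal repo are hypothetical, and the sample stanzas are constructed.

```shell
#!/bin/sh
# Added example: audit yum .repo files for the two signature settings that
# the workarounds in this thread change. Verdict labels are made up here.

audit_repo_file() {
  # Reads the files given as arguments (or stdin) and prints, per section:
  #   <repo id> gpgcheck=<v> repo_gpgcheck=<v> <verdict>
  awk '
    function off(v) { v = tolower(v); return v == "0" || v == "false" || v == "no" }
    function emit() {
      if (id == "" || id == "main") return
      if (off(pkg))                             verdict = "PACKAGE_SIG_OFF"
      else if (off(md))                         verdict = "REPOMD_SIG_OFF"
      else if (pkg == "unset" || md == "unset") verdict = "INHERITS_MAIN"
      else                                      verdict = "OK"
      printf "%s gpgcheck=%s repo_gpgcheck=%s %s\n", id, pkg, md, verdict
    }
    /^[ \t]*[#;]/ { next }    # skip comment lines
    /^\[.*\]/ { emit(); id = $0; gsub(/^\[|\].*$/, "", id); pkg = md = "unset"; next }
    /^[ \t]*gpgcheck[ \t]*=/      { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); pkg = $0 }
    /^[ \t]*repo_gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); md = $0 }
    END { emit() }
  ' "$@"
}

# Constructed sample: the repo stanza from this thread with repo_gpgcheck
# turned off, plus a hypothetical repo where package checking is off too.
sample_repo() {
  cat <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

[example-internal]
name=Hypothetical repo
baseurl=https://repo.example.invalid/el7
gpgcheck=0
EOF
}

# Run against the constructed sample; on a real host call
# audit_repo_file /etc/yum.repos.d/*.repo instead.
sample_repo | audit_repo_file
```

INHERITS_MAIN means the key is absent from the section, so the effective value comes from [main] in yum.conf or yum's built-in default and has to be checked there.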