opentofu: install of tofu-1.6.0~alpha5-1.x86_64.rpm fails - rpm not signed
OpenTofu Version
N/A
OpenTofu Configuration Files
N/A
Debug Output
N/A
Expected Behavior
opentofu should have installed
Actual Behavior
Package tofu-1.6.0~alpha5-1.x86_64.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
Steps to Reproduce
- Create repo file following https://opentofu.org/docs/intro/install/rpm
- Run sudo dnf install tofu
Additional Context
No response
References
No response
About this issue
- State: closed
- Created 7 months ago
- Comments: 18 (9 by maintainers)
Commits related to this issue
- Fixes #913: Incorrect installation instructions for RPM Currently, the installation instructions for RPM-based distributions are incorrect since we are not GPG-signing the packages. This change turns... — committed to janosdebugs/opentofu by janosdebugs 7 months ago
- Fixes #913: Incorrect installation instructions for RPM (#917) Signed-off-by: Janos Bonic <86970079+janosdebugs@users.noreply.github.com> — committed to opentofu/opentofu by janosdebugs 7 months ago
Just a thought, but maybe it’s better to leave the gpgcheck enabled in the .repo file and run (interactively) with dnf install --nogpgcheck? Then at least it’s obvious what’s happening & when rpms do get signed the repo file doesn’t need updating. 🤷
Thanks though, other than that install issue my first go at tf -> tofu seemed seamless which is really impressive.
Thanks again @sjpb your help has been invaluable. We have temporarily fixed the installation instructions and made an automated test to prevent this from happening again. Longer term (hopefully soon) we’ll GPG-sign the packages (see #915) and then update the instructions accordingly.
@sjpb thanks for all your help, it seems there was a bit of an oversight on my part when I wrote the new instructions. The DEB and RPM packages are currently only signed with cosign, which doesn’t play well with yum/dnf. The repo metadata is signed by Packagecloud, but not the packages.
I’m afraid the only current option is to disable the gpgcheck, and I’ll update the instructions accordingly. #915 tracks the RFC to add GPG signing to the packages.
I’m sorry for the confusion and the unnecessary work caused. Thank you so much for reporting this issue, this really helps.
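One way to keep track of where the workaround discussed in this thread is in effect, as an added example that is not part of the original issue or of the OpenTofu project: the function below reads .repo files and reports each repository's gpgcheck (package signatures) and repo_gpgcheck (repo metadata signatures) setting, so a repo left with package verification off can be found and re-enabled once signed packages are available. The function name and the verdict labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue thread): report signature-check settings
# per repo section. "inherit" means the key is absent and dnf uses [main].
audit_repo_files() {
    # Args: .repo files. Output per repo:
    #   <file> <repo-id> gpgcheck=<v> repo_gpgcheck=<v> <verdict>
    awk '
        function norm(v) {                 # map dnf boolean spellings
            v = tolower(v)
            if (v == "1" || v == "true" || v == "yes" || v == "on") return "on"
            if (v == "0" || v == "false" || v == "no" || v == "off") return "off"
            return v
        }
        function emit() {                  # print the section collected so far
            if (id == "") return
            verdict = (pkg == "off") ? "PACKAGES-UNVERIFIED" : "ok"
            print file, id, "gpgcheck=" pkg, "repo_gpgcheck=" meta, verdict
        }
        FNR == 1 { emit(); id = ""; file = FILENAME }   # new input file
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                        # [repo-id] header
            emit()
            id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id)
            pkg = "inherit"; meta = "inherit"
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "gpgcheck") pkg = norm(val)
            if (key == "repo_gpgcheck") meta = norm(val)
        }
        END { emit() }
    ' "$@"
}

# Stand-alone use: sh audit.sh /etc/yum.repos.d/*.repo
if [ "$#" -gt 0 ]; then audit_repo_files "$@"; fi
```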