Yum in Amazon Linux 2 – GPG Key Issue with Kubernetes Repo

I'm trying to add a kubernetes repo to my Amazon Linux 2 instance and struggle with automatically adding GPG keys.

This is my /etc/yum.repos.d/kubernetes.repo…

[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

I then try to import the GPG keys:


~ # wget https://packages.cloud.google.com/yum/doc/yum-key.gpg \
         https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

~ # rpm --import *.gpg

However when I run any yum command it still doesn't know the keys:

# yum upgrade -y
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
kubernetes/signature                                                                                                                                                                                                   |  454 B  00:00:00     
Retrieving key from https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0xA7317B0F:
 Userid     : "Google Cloud Packages Automatic Signing Key <gc-team@google.com>"
 Fingerprint: d0bc 747f d8ca f711 7500 d6fa 3746 c208 a731 7b0f
 From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Retrieving key from https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
kubernetes/signature                                                                                                                                                                                                   | 1.4 kB  00:00:00 !!! 
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for kubernetes
Trying other mirror.
No packages marked for update

Even if I try to accept them manually it still doesn't work.

# yum upgrade
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
kubernetes/signature                                                                                                                                                                                                   |  454 B  00:00:00     
Retrieving key from https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0xA7317B0F:
 Userid     : "Google Cloud Packages Automatic Signing Key <gc-team@google.com>"
 Fingerprint: d0bc 747f d8ca f711 7500 d6fa 3746 c208 a731 7b0f
 From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Is this ok [y/N]: y              <<<<< Yes, I accept it!
Retrieving key from https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
kubernetes/signature                                                                                                                                                                                                   | 1.4 kB  00:00:01 !!! 
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for kubernetes
Trying other mirror.
No packages marked for update

How can I add the key so that YUM accepts it?

Best Answer

This is a known issue (see https://github.com/kubernetes/kubernetes/issues/60134). Work around it by disabling GPG checks: set repo_gpgcheck=0 in /etc/yum.repos.d/kubernetes.repo.

Credits to drakedevel, who writes:

I think this is due to Amazon Linux 2 shipping an old version of GnuPG, and something about the repomd.xml.asc signature requires a newer version.

GnuPG 2.0.22 outright rejects the signature on the repository metadata with assuming bad signature from key BA07F4FB due to an unknown critical bit. I haven't been able to figure out what critical bit it's referring to -- there don't appear to be any on the signature or key -- but whatever GnuPG 2.0.22 is upset about is most likely the root cause.

This only affects the repomd signature, so there's zero reason to disable gpgcheck as several others have suggested. Disabling repo_gpgcheck is sufficient and preserves package signature verification (although it's still not an ideal workaround...)

Best Answer

Related Solutions

Shell – gpg asks for password even with –passphrase

How to import key that signs a repository for dnf/yum

Related Question