RPM : repomd.xml GPG signature verification error on Fedora 39
What's wrong?
I cannot get updates on my Fedora 39 machine; dnf reports a problem with the repomd.xml GPG signature.
I had to disable GPG in /etc/yum.repos.d/grafana.repo to make dnf work again:
`#repo_gpgcheck=1`
Steps to reproduce
Grafana repo installed on Fedora 38 or before, then upgrade to Fedora 39.
System information
Linux 6.5.11-300.fc39.x86_64
Software version
Grafana Agent 0.37
Configuration
Package installed while on Fedora 38, distro upgraded to Fedora 39
Logs
grafana 2.2 kB/s | 629 B 00:00
Error: Failed to download metadata for repo 'grafana': repomd.xml GPG signature verification error: Error during parsing OpenPGP packets: Parsing an OpenPGP packet:
Failed to parse Signature Packet
because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.
because: Malformed MPI: leading bit is not set: expected bit 8 to be set in 1101011 (6b)
Also for me, after upgrading to Fedora 39 the grafana repo doesn't work due to signature problems. The error message is slightly different:
Error: Failed to download metadata for repo 'grafana': repomd.xml GPG signature verification error: Bad PGP signature
I had an outdated repo file, but also after updating (see below) the problem persists.
[grafana]
name=grafana
baseurl=https://rpm.grafana.com
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://rpm.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
Of course, the workaround disabling repo_gpgcheck works for me as well.
Fellas, if you remove the repo and then re-add, does the issue still happen?
Yes, the problem is that the following signature is invalid: https://rpm.grafana.com/repodata/repomd.xml.asc
Whoever operates the repository needs to regenerate that file using a proper GPG implementation.
Assuming a proper gpg version is installed on the server, `gpg --detach-sign --armor repodata/repomd.xml` will do the trick.
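The "Malformed MPI: leading bit is not set" line in the logs above corresponds to the RFC 4880 section 3.2 rule that an MPI's two-octet bit count must match the position of its highest set bit. As an added example (not code from rpm, Sequoia or Grafana, and not part of the original thread), this Python sketch applies that check to constructed byte strings; the function names and sample values are hypothetical.

```python
# Added example: RFC 4880 section 3.2 MPI conformance check.
# Not rpm, Sequoia or Grafana code; names and sample bytes are constructed.
import struct

def encode_mpi(value: int) -> bytes:
    """Conformant encoding: exact bit count, no leading zero octets."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def check_mpi(buf: bytes, offset: int = 0):
    """Parse one MPI; return (value, next_offset, problem_or_None)."""
    if len(buf) - offset < 2:
        raise ValueError("truncated MPI header")
    (bits,) = struct.unpack_from(">H", buf, offset)
    nbytes = (bits + 7) // 8
    body = buf[offset + 2 : offset + 2 + nbytes]
    if len(body) != nbytes:
        raise ValueError("truncated MPI body")
    problem = None
    if bits:
        # Bit position (1..8) the top set bit of the first octet must occupy.
        expected = (bits - 1) % 8 + 1
        first = body[0]
        if first.bit_length() < expected:
            problem = (f"leading bit is not set: expected bit {expected} "
                       f"to be set in {first:b} ({first:x})")
        elif first.bit_length() > expected:
            problem = f"bits above declared length {bits} are set in {first:x}"
    return int.from_bytes(body, "big"), offset + 2 + nbytes, problem

def audit_mpis(buf: bytes):
    """Walk back-to-back MPIs; return [(index, problem)] for bad ones."""
    problems, offset, index = [], 0, 0
    while offset < len(buf):
        _, offset, problem = check_mpi(buf, offset)
        if problem:
            problems.append((index, problem))
        index += 1
    return problems

# Constructed samples: the second declares 16 bits but its top octet is 0x70.
GOOD = encode_mpi(0x6B01)
BAD = bytes.fromhex("00107001")

if __name__ == "__main__":
    for idx, msg in audit_mpis(GOOD + BAD):
        print(f"MPI #{idx}: {msg}")
```

A signer that always calls something like `encode_mpi` never trips the check; the failure appears when the declared bit count is padded to a fixed width while the value happens to start with zero bits.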
Can confirm this is impacting the aarch64 release as well as x86_64
root@alfred:~# dnf up
grafana 1.2 kB/s | 629 B 00:00
Error: Failed to download metadata for repo 'grafana': repomd.xml GPG signature verification error: Error during parsing OpenPGP packets: Parsing an OpenPGP packet:
Failed to parse Signature Packet
because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.
because: Malformed MPI: leading bit is not set: expected bit 8 to be set in 1110000 (70)
Ignoring repositories: grafana
Last metadata expiration check: 0:10:24 ago on Wed 29 Nov 2023 22:10:50.
Dependencies resolved.
Nothing to do.
Complete!
root@alfred:~# cat /etc/yum.repos.d/grafana.repo
[grafana]
name=grafana
baseurl=https://rpm.grafana.com
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://rpm.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
exclude=*beta*
root@alfred:~# rpm -q grafana
grafana-10.2.2-1.aarch64
root@alfred:~#
Just hit this on Fedora x86. Is there a workaround right now?
> Just hit this on Fedora x86. Is there a workaround right now?

The workaround is to install the .rpm file directly from the Grafana web site. As it is not signed, you won't be able to verify the signature. This is safe as long as you believe the grafana.com site has not been compromised.
https://grafana.com/grafana/download
The proper solution is to wait until Grafana uses a new GPG key to sign the RPM file. We can only wait until this is done.
Hoping there is a fix soon. Been a couple of months now. I just updated to Fedora 39 and that has caused the issue to start happening.
Hey people, apologies for the belated response, the holidays took their toll here. We'll be looking into this.
> The workaround is to install the .rpm file directly from the Grafana web site. As it is not signed, you won't be able to verify the signature. This is safe as long as you believe the grafana.com site has not been compromised.
> https://grafana.com/grafana/download
> The proper solution is to wait until Grafana uses a new GPG key to sign the RPM file. We can only wait until this is done.

Also works with the .repo if you set repo_gpgcheck to 0 (but also not the best solution).
Any updates on this? Still seems to be a problem...
Hi, we think we have fixed this. Could folks give a re-check please?
log from me trying in a fedora docker container
This used to error before, as people are saying in this issue. Now it works:
[root@e7e83fd6dd5e /]# cat <<EOF | tee /etc/yum.repos.d/grafana.repo
> [grafana]
name=grafana
baseurl=https://rpm.grafana.com
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://rpm.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
EOF
[grafana]
name=grafana
baseurl=https://rpm.grafana.com
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://rpm.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
[root@e7e83fd6dd5e /]# dnf update
grafana 4.1 kB/s | 712 B 00:00
grafana 48 kB/s | 2.4 kB 00:00
Importing GPG key 0x10458545:
Userid : "Grafana Labs <[email protected]>"
Fingerprint: B53A E77B ADB6 30A6 8304 6005 963F A277 1045 8545
From : https://rpm.grafana.com/gpg.key
Is this ok [y/N]: y
grafana 78 MB/s | 76 MB 00:00
Last metadata expiration check: 0:00:11 ago on Tue Mar 12 13:01:48 2024.
Dependencies resolved.
Nothing to do.
Complete!
[root@e7e83fd6dd5e /]# dnf install grafana-agent
Last metadata expiration check: 0:00:16 ago on Tue Mar 12 13:01:48 2024.
Dependencies resolved.
===========================================================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
===========================================================================================================================================================================================================================================================================================
Installing:
grafana-agent x86_64 0.40.2-1 grafana 112 M
Transaction Summary
===========================================================================================================================================================================================================================================================================================
Install 1 Package
Total download size: 112 M
Installed size: 392 M
Is this ok [y/N]: y
Downloading Packages:
grafana-agent-0.40.2-1.amd64.rpm 24 MB/s | 112 MB 00:04
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 24 MB/s | 112 MB 00:04
grafana 56 kB/s | 2.4 kB 00:00
Importing GPG key 0x10458545:
Userid : "Grafana Labs <[email protected]>"
Fingerprint: B53A E77B ADB6 30A6 8304 6005 963F A277 1045 8545
From : https://rpm.grafana.com/gpg.key
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : grafana-agent-0.40.2-1.x86_64 1/1
Running scriptlet: grafana-agent-0.40.2-1.x86_64 1/1
Verifying : grafana-agent-0.40.2-1.x86_64 1/1
Installed:
grafana-agent-0.40.2-1.x86_64
Complete!
I can confirm now that setting repo_gpgcheck=1 in the repo file does not cause any errors on Fedora 39.
Previously, I set it to repo_gpgcheck=0 to work around the error.
No more issues for me either (also on Fedora 39) with repo_gpgcheck=1
Do you want me to close this issue?
I've got it, cheers!
> Do you want me to close this issue?

Can confirm it is now working for me. I think the issue can be closed. Thanks for fixing it.