grafana-pcp icon indicating copy to clipboard operation
grafana-pcp copied to clipboard
verified publisher icon performancecopilot

Grafana Labs can’t guarantee the integrity of this unsigned plugin.

Open vastingll-github opened this issue 7 months ago • 4 comments

Make a request :

When I installed Performance Co-Pilot and Grafana on Red Hat Enterprise Linux release 10.0 (Coughlan), the following message was output. I was asked to make a request to the creator, so I will do so.

Messages :

Invalid plugin signature

Grafana Labs checks each plugin to verify that it has a valid digital signature. Plugin signature verification is part of our security measures to ensure plugins are safe and trustworthy. Grafana Labs can’t guarantee the integrity of this unsigned plugin. Ask the plugin author to request it to be signed.

Versions: Performance Co-Pilot : pcp-selinux-6.3.7-1.el10_0.x86_64 pcp-doc-6.3.7-1.el10_0.noarch pcp-conf-6.3.7-1.el10_0.x86_64 pcp-libs-6.3.7-1.el10_0.x86_64 pcp-6.3.7-1.el10_0.x86_64 python3-pcp-6.3.7-1.el10_0.x86_64 pcp-pmda-nfsclient-6.3.7-1.el10_0.x86_64 pcp-pmda-openmetrics-6.3.7-1.el10_0.x86_64 pcp-system-tools-6.3.7-1.el10_0.x86_64 pcp-pmda-dm-6.3.7-1.el10_0.x86_64 pcp-zeroconf-6.3.7-1.el10_0.x86_64 grafana-pcp-5.2.2-3.el10_0.x86_64

Grafana : grafana-pcp-5.2.2-3.el10_0.x86_64 grafana-10.2.6-18.el10_0.x86_64 grafana-selinux-10.2.6-18.el10_0.x86_64 valkey-8.0.3-1.el10_0.x86_64

Grafana: v11.3.1 grafana-pcp: 5.2.2 Valkey: 7.2.6 (installed on another server)

vastingll-github avatar Jul 04 '25 02:07 vastingll-github

Hi. Can you confirm which Grafana you have installed? In your message both the Grafana we ship in RHEL (10.2.6) and a different version of Grafana that we do not currently ship in RHEL (11.3.1) are mentioned.

The Grafana rpm shipped in RHEL sets the configuration to allow loading the plugin. Using Grafana from another source requires manually changing the configuration file (see the “sed” command here).

Getting the plugin signed is an open issue. Everything works without the signing with the right configuration.

sfeifer avatar Jul 04 '25 22:07 sfeifer

Thank you for your comment, sfeifer.

I am building this using the RHEL10 resource creation image prepared on the cloud infrastructure Azure.

The OS /etc/redhat-release is "Red Hat Enterprise Linux release 10.0 (Coughlan)".

# uname -a
Linux grafana 6.12.0-55.19.1.el10_0.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Jun 23 01:47:18 EDT 2025 x86_64 GNU/Linux

The following PCP and Grafana packages are installed on this server.

pcp-selinux-6.3.7-1.el10_0.x86_64
pcp-6.3.7-1.el10_0.x86_64
pcp-system-tools-6.3.7-1.el10_0.x86_64
pcp-pmda-dm-6.3.7-1.el10_0.x86_64
pcp-zeroconf-6.3.7-1.el10_0.x86_64
grafana-pcp-5.2.2-3.el10_0.x86_64
grafana-10.2.6-18.el10_0.x86_64
grafana-selinux-10.2.6-18.el10_0.x86_64
valkey-8.0.3-1.el10_0.x86_64

Since the web client does not start on Azure RHEL10, the RHEL9 server accesses this RHEL10 server and outputs an unauthorized message.

Grafana: v11.3.1 grafana-pcp: 5.2.2 Valkey: 7.2.6 (installed on another server) was a typo.

vastingll-github avatar Jul 07 '25 07:07 vastingll-github

Thanks for clarifying that and the additional info. It sounds to me like you will need to update the allow_loading_unsigned_plugins line in /etc/grafana/grafana.ini. This command should do the trick:

sudo sed -i 's/;allow_loading_unsigned_plugins =/allow_loading_unsigned_plugins = performancecopilot-pcp-app,pcp-valkey-datasource,pcp-vector-datasource,pcp-bpftrace-datasource,pcp-flamegraph-panel,pcp-breadcrumbs-panel,pcp-troubleshooting-panel,performancecopilot-valkey-datasource,performancecopilot-vector-datasource,performancecopilot-bpftrace-datasource,performancecopilot-flamegraph-panel,performancecopilot-breadcrumbs-panel,performancecopilot-troubleshooting-panel/' /etc/grafana/grafana.ini

I’m not familiar with the setup using Azure, but the grafana rpm you installed makes the necessary changes to /etc/grafana/grafana.ini when it is installed, so I’m not sure why this did not happen for you. @kurik, do you have some insight here into what is causing this issue?

sfeifer avatar Jul 07 '25 21:07 sfeifer

Hi @vastingll-github ,

reading your report it seems to me like you see the warning on the Home > Administration > Plugins and data > Plugins > Performance Co-Pilot page. Am I correct ? If so, then this is the way it works. The message you see is just a warning, that you are using unsigned (external) plugin. This is so, because Grafana signs its plugins during its packaging process, while the grafana-pcp plugin is built outside of Grafana's packaging process as part of RHEL compose and thus it is not signed by GrafanaLab. When you enable the plugin, all should work without any issues.

kurik avatar Jul 08 '25 05:07 kurik