Related to #1081
Published RPMs are signed with a subkey but the tooling in EL7 doesn't support validating with subkeys, only primary keys. See https://bugzilla.redhat.com/show_bug.cgi?id=1225133 . Thus the published RPMs for RHEL7, even though signed, cannot be gpg validated using rpm and / or yum.
RPM does not directly support verification of subkeys; it's not a feature Red Hat is ever going to implement for reasons (any features not present in GPGv3 cause rpm to fail verification). We rely on the yum repository metadata signing, which does support subkeys.
It is expected that RPMs not installed through the repo will show the issues you've described.
For a manual extra-paranoid process to double-confirm the signatures on the RPMs themselves, see /usr/lib/rpm/tgpg or https://github.com/rpm-software-management/rpm/blob/master/scripts/tgpg
The correct process is to install from the repo. Either the original repo or your own local clone of it.
Something must be broken with the package metadata signing. This is what I see with dnf update -v:
repo: downloading from remote: libnvidia-container
libnvidia-container 2.2 kB/s | 455 B 00:00
libnvidia-container 48 kB/s | 4.6 kB 00:00
repo libnvidia-container: 0xDDCAE044F796ECB0 already imported
libnvidia-container 2.6 kB/s | 455 B 00:00
Cannot download 'https://nvidia.github.io/libnvidia-container/centos7/x86_64': repomd.xml GPG signature verification error: Bad GPG signature.
Failed to download metadata for repo 'libnvidia-container'
The following output may explain the problem?
$ curl -L https://nvidia.github.io/libnvidia-container/centos7/x86_64/repomd.xml
# Unsupported distribution!
# Check https://nvidia.github.io/libnvidia-container
Does yum set the user agent to a special value or something? I thought this error only shows up when the OS, centos7 in this case, is incorrect.
Not just you. Amazon Linux 2 as well.
https://nvidia.github.io/nvidia-docker/amzn2/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for nvidia-docker
Trying other mirror.
Sorry about that, we cycled our keys last Friday.
You can follow this page to get the new keys: https://nvidia.github.io/nvidia-docker/
I'll update it later with instructions for dnf.
@RenaudWasTaken,
Based on your instructions I was able to figure out how to solve the problem on Fedora. I used the following semi-brute force steps:
$ sudo rpm -e gpg-pubkey-f796ecb0
$ sudo dnf clean all
$ sudo rm -rf /var/cache/dnf/*
$ sudo rm /var/cache/dnf/.gpgkeyschecked.yum
$ sudo dnf update
I'm not sure if you need to clear the entire dnf cache or if just removing the key is enough, but those steps worked for me and now dnf update finishes without errors after re-accepting the keys.
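An added example, not code from this thread: it maps the long key id dnf reports (0xDDCAE044F796ECB0) to the gpg-pubkey-* package name rpm stores the key under, locates that package in `rpm -q gpg-pubkey` output, and prints only the removal commands for the stale key, so the cleanup does not touch other imported keys. The rpm query output embedded below is constructed (timestamps and key owners are placeholders); the real list comes from `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'`.

```shell
#!/bin/sh
# rpm names an imported key gpg-pubkey-<low 32 bits of key id>-<hex import time>,
# so 0xDDCAE044F796ECB0 is stored as gpg-pubkey-f796ecb0-<timestamp>.
rpm_pubkey_prefix() {
    id=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'A-F' 'a-f')
    printf 'gpg-pubkey-%s' "$(printf '%s\n' "$id" | sed 's/.*\(........\)$/\1/')"
}

# Given the rpm query output ($1) and a key id ($2), print the full installed
# package name, or nothing if that key is not in the rpm database.
find_installed_pubkey() {
    prefix=$(rpm_pubkey_prefix "$2")
    printf '%s\n' "$1" | awk -v p="$prefix" 'index($1, p "-") == 1 { print $1 }'
}

# Constructed sample output: the old repo key plus an unrelated distro key.
SAMPLE_KEYS='gpg-pubkey-f796ecb0-5ea7b2a1	gpg(Example Repo Signing Key <placeholder@example.invalid>)
gpg-pubkey-0a1b2c3d-5e2c5a3b	gpg(Example Distro Key <placeholder-distro@example.invalid>)'

# Print the cleanup to run after the publisher cycles keys: remove only the
# stale key package, then drop cached metadata so dnf re-downloads repomd.xml
# and prompts for the new key. Verify the new key's fingerprint against the
# publisher's page before accepting that prompt.
retire_key_commands() {
    pkg=$(find_installed_pubkey "$1" "$2")
    if [ -z "$pkg" ]; then
        echo "key $2 is not imported; nothing to remove" >&2
        return 1
    fi
    printf 'rpm -e %s\ndnf clean all\n' "$pkg"
}

# Demo against the constructed sample (replace with real rpm -q output).
retire_key_commands "$SAMPLE_KEYS" 0xDDCAE044F796ECB0
```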