-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot upgrade from N-2 releases due to missing GPG key #749
Comments
@dustymabe Hi Dusty, can you please shed some light on this? Thank you very much. |
I just added a new remote and specify the key for fedora coreos 33 there. And the verify error just gone. But I got a new error as below: [root@k8s-v1-16-9-xjanjbsicidd-master-0 remotes.d]# rpm-ostree deploy bc7745fe1b5b77385fd39595ed82c142483a904dd4dc855b538e6d18d4f1641f |
@openstacker thanks for the report, however this seems specific to Fedora CoreOS so I'm transferring the issue there. In general, the FCOS version you are using is quite ancient and should go through several intermediate updates first, before reaching the current For signing keys specifically, https://docs.fedoraproject.org/en-US/fedora-coreos/update-barrier-signing-keys/ describes how the mechanism works. |
That error is because that commit has never actually been released on the stable branch. (It corresponds to 32.20200726.3.0, which was nixed because of coreos/fedora-coreos-streams#158 (comment)). Out of curiosity, how did you get that checksum?
Hmm, actually I think this reveals a flaw in the design. I don't think even with Zincati it would have upgraded. The issue is that rpm-ostree wants to verify that the checksum provided lives on the same branch. To do that, it needs to pull the commit metadata objects starting from the tip and go down the tree until it finds the matching checksum. If the tip has moved far enough that the signing key rotated twice, it won't be able to verify it without the user manually importing it. For disclosure, I'm responsible for that rpm-ostree behaviour, and while it gets in the way here, I still think it's the right thing to do as a default behaviour. We could maybe have a switch or something to override that which Zincati could use? Something like |
Yeah indeed, booting an f31 FCOS, here's the Zincati logs:
|
Hmm actually, nowadays we could just use OSTree ref bindings for this. It's not as strong as verifying that the commit is on the same branch (because ref bindings can be for multiple branches), but it's probably enough so we could drop that rpm-ostree behaviour. (And actually in the FCOS case, we would only have a single ref in the list anyway so it effectively is as strong.) |
This was well-intentioned but sadly it doesn't actually work in practice: coreos#749 Let's just skip doing that for now until we address it.
We discussed this in the community meeting today. A few alternatives that came out were:
Personally, I'm leaning now more towards 3. Then, arbitrarily old nodes will still be able to update to the latest (or at least, we're not consciously breaking that path), but we still get some validation that the commit belongs to the same stream (which is what branch protection was trying to help with). |
|
In Fedora CoreOS, updates are driven by Zincati and we thus completely trust the information it gives us. The branch validation rpm-ostree does is thus not necessary. It's also harmful in the case where the node is extremely out of date because it may not be able to GPG verify the commit at the tip of the branch (e.g. because the GPG key isn't yet in the tree). See: coreos/fedora-coreos-tracker#749
In Fedora CoreOS, updates are driven by Zincati and we thus completely trust the information it gives us. The branch validation rpm-ostree does is thus not necessary. It's also harmful in the case where the node is extremely out of date because it may not be able to GPG verify the commit at the tip of the branch (because the GPG key isn't yet in the tree). See: coreos/fedora-coreos-tracker#749
In Fedora CoreOS, updates are driven by Zincati and we thus completely trust the information it gives us. The branch validation rpm-ostree does is thus not necessary. It's also harmful in the case where the node is extremely out of date because it may not be able to GPG verify the commit at the tip of the branch (because the GPG key isn't yet in the tree). See: coreos/fedora-coreos-tracker#749
rpm-ostree patch: coreos/rpm-ostree#2819 For the commit metadata validation, I think that logic makes the most sense in Zincati? I.e. Zincati would first fetch the commit metadata of the target commit (using the API or just shelling out to |
Discussed this with @lucab. We can just stage it as a locked deployment as usual and then we can inspect the metadata via |
Another option is to import the GPG keys into the node via a trusted channel to allow rpm-ostree to verify commits signautres and update the node. |
WORKAROUNDIf you find yourself in this position a quick workaround is to grab the keys from releases you may be missing. Something like:
After this Zincati/rpm-ostree can continue to process updates. |
Zincati part filed here: coreos/zincati#558 |
This update barrier is pretty much useless because of coreos/fedora-coreos-tracker#749, but we decided to put them in place anyway just to keep following the process. As far as the process goes. See past discussion on this topic: - coreos/fedora-coreos-tracker#480 (comment) - https://docs.fedoraproject.org/en-US/fedora-coreos/update-barrier-signing-keys/
This update barrier is pretty much useless because of coreos/fedora-coreos-tracker#749, but we decided to put them in place anyway just to keep following the process. As far as the process goes. See past discussion on this topic: - coreos/fedora-coreos-tracker#480 (comment) - https://docs.fedoraproject.org/en-US/fedora-coreos/update-barrier-signing-keys/
We decided to continue to do this even though it's broken right now. We have a plan to fix it in the future so let's leave the process in place. xref: coreos#749 (comment)
We decided to continue to do this even though it's broken right now. We have a plan to fix it in the future so let's leave the process in place. xref: #749 (comment)
I think we should probably close this since coreos/rpm-ostree#2819 and coreos/zincati#622 were implemented. |
Host system details
Provide the output of
rpm-ostree status
.[root@k8s-v1-16-9-xjanjbsicidd-master-0 ~]# rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora:fedora/x86_64/coreos/stable
Version: 31.20200407.3.0 (2020-04-21T19:37:39Z)
Commit: 89e17cc21b6aa3bea8959d1e6957fda157168d57ba6805d8a36142184edc2901
GPGSignature: Valid signature by 7D22D5867F2A4236474BF7B850CB390B3C3359C4
Expected vs actual behavior
[root@k8s-v1-16-9-xjanjbsicidd-master-0 ~]# rpm-ostree deploy bc7745fe1b5b77385fd39595ed82c142483a904dd4dc855b538e6d18d4f1641f
Validating checksum 'bc7745fe1b5b77385fd39595ed82c142483a904dd4dc855b538e6d18d4f1641f'
error: Commit 20de1953c18bd432a8ed4e19b91c64978100dba7d1c4813f91f8cf4d4d2411b4: Signature made Wed Feb 3 18:16:59 2021 using RSA key ID 49FD77499570FF31
Can't check signature: public key not found
Deploy success.
Steps to reproduce it
Create a Fedora CoreOS 31 server and try to upgrade to any version later than that.
Based on the error, I understand it's because the RPM GPG key for 33 is missing on the server created based on 31, but I don't think it should fail like this, because I'm not asking to upgrade to 33 directly.
bc7745fe1b5b77385fd39595ed82c142483a904dd4dc855b538e6d18d4f1641f
is still in 31.And BTW, is there any way I can manually add the 33 GPG key to old server so as to avoid this kind of issue? Thanks.
The text was updated successfully, but these errors were encountered: