Yum in Amazon Linux 2 still asks for the GPG key when adding the Kubernetes repository, even after "rpm --import"

I am trying to add a Kubernetes repo to my Amazon Linux 2 instance and am struggling to add the GPG keys automatically.

Here is my /etc/yum.repos.d/kubernetes.repo...

[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

Then I try to import the GPG keys:


~ # wget https://packages.cloud.google.com/yum/doc/yum-key.gpg \
         https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

~ # rpm --import *.gpg

However, when I run any yum command, it still doesn't know about the keys:

# yum upgrade -y
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
kubernetes/signature                                                                                                                                                                                                   |  454 B  00:00:00     
Retrieving key from https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0xA7317B0F:
 Userid     : "Google Cloud Packages Automatic Signing Key <[email protected]>"
 Fingerprint: d0bc 747f d8ca f711 7500 d6fa 3746 c208 a731 7b0f
 From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Retrieving key from https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
kubernetes/signature                                                                                                                                                                                                   | 1.4 kB  00:00:00 !!! 
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for kubernetes
Trying other mirror.
No packages marked for update

Even if I try to accept them manually, it still doesn't work.

# yum upgrade
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
kubernetes/signature                                                                                                                                                                                                   |  454 B  00:00:00     
Retrieving key from https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0xA7317B0F:
 Userid     : "Google Cloud Packages Automatic Signing Key <[email protected]>"
 Fingerprint: d0bc 747f d8ca f711 7500 d6fa 3746 c208 a731 7b0f
 From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Is this ok [y/N]: y              <<<<< Yes, I accept it!
Retrieving key from https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
kubernetes/signature                                                                                                                                                                                                   | 1.4 kB  00:00:01 !!! 
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for kubernetes
Trying other mirror.
No packages marked for update

How do I add the keys so that YUM accepts them?

Answer 1

This is a known issue (see https://github.com/kubernetes/kubernetes/issues/60134). Work around it by disabling the GPG check: set repo_gpgcheck=0 in /etc/yum.repos.d/kubernetes.repo.

Credit to 德雷克德维尔, who wrote:

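I think this is due to Amazon Linux 2 shipping an old version of GnuPG, and something about the repomd.xml.asc signature requiring a newer version.

GnuPG 2.0.22 rejects the signature on the repository metadata outright, assuming a bad signature from key BA07F4FB due to an unknown critical bit. I couldn't figure out which critical bit it is referring to (there don't appear to be any critical bits on the signature or the key), but whatever GnuPG 2.0.22 is upset about is most likely the root cause.

This only affects the repomd signature, so there is no reason to disable gpgcheck as others have suggested. Disabling repo_gpgcheck is sufficient and retains package signature verification (though it's still not an ideal workaround...)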
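
Added example, not from the original post or the Kubernetes project: a POSIX shell audit that separates the two settings the quoted comment distinguishes, gpgcheck (package signatures) and repo_gpgcheck (the repomd.xml signature), and applies the narrow workaround to a single repo section. The function names, the verdict strings and the [insecure-example] stanza are assumptions made for illustration.

```sh
# write_sample FILE: constructed data; [kubernetes] mirrors the question's
# settings, [insecure-example] is a hypothetical repo with gpgcheck disabled.
write_sample() {
  cat > "$1" <<'EOF'
[kubernetes]
gpgcheck=1
repo_gpgcheck=1
[insecure-example]
gpgcheck=0
repo_gpgcheck=0
EOF
}

# audit_repo FILE: one line per repo section with both settings and a verdict.
audit_repo() {
  awk '
    function report() {
      if (name == "") return
      if (g == "unset")  v = "REVIEW:gpgcheck-inherited-from-main"
      else if (g != "1") v = "FAIL:package-signatures-not-checked"
      else if (r != "1") v = "WARN:metadata-signature-not-checked"
      else               v = "OK"
      print name, "gpgcheck=" g, "repo_gpgcheck=" r, v
    }
    /^[ \t]*[#;]/ { next }                  # skip comment lines
    /^[ \t]*\[/ {                           # section header starts a new repo
      report(); name = $0
      sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
      g = "unset"; r = "unset"; next
    }
    /=/ {
      key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t\r]/, "", val)
      if (key == "gpgcheck") g = val
      if (key == "repo_gpgcheck") r = val
    }
    END { report() }
  ' "$1"
}

# disable_repo_gpgcheck FILE REPO: print FILE with repo_gpgcheck=0 in [REPO]
# only; gpgcheck is untouched (assumes the key already exists in that section).
disable_repo_gpgcheck() {
  awk -v want="$2" '
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec) }
    sec == want && /^[ \t]*repo_gpgcheck[ \t]*=/ { print "repo_gpgcheck=0"; next }
    { print }
  ' "$1"
}

f=$(mktemp); write_sample "$f"
audit_repo "$f"                                          # before the workaround
disable_repo_gpgcheck "$f" kubernetes | audit_repo -     # after: WARN, not FAIL
```

To audit a real host, run `audit_repo` over each file in /etc/yum.repos.d/. A WARN line is the state the answer recommends for this repo, and a FAIL line means package signatures are not being verified at all.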
