Bug
Resolution: Duplicate
rhel-10.1
Low
image-builder
What were you trying to do that didn't work?
Composing an image-installer with a simple blueprint with the ipmitool package will fail.
The issue has been reproduced after upgrading RHEL 10.0 to 10.1; I didn't check whether it also fails with a fresh 10.1 installation.
Basically, I understand ipmitool from 10.1 appstream is signed with a new key (release key 4) that is not part of the gpgkey in the composer's sources.
```
# rpmkeys --checksig ipmitool-1.8.19*
ipmitool-1.8.19-10.el10_1.x86_64.rpm: digests SIGNATURES NOT OK   <<< RHEL 10.1 KO
ipmitool-1.8.19-9.el10.x86_64.rpm: digests signatures OK   <<< RHEL 10.0 OK
# rpmkeys --list
fd431d51-4ae0493b: Red Hat, Inc. (release key 2) <security@redhat.com> public key
5a6340b3-6229229e: Red Hat, Inc. (auxiliary key 3) <security@redhat.com> public key
# rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
# rpmkeys --list
fd431d51-4ae0493b: Red Hat, Inc. (release key 2) <security@redhat.com> public key
5a6340b3-6229229e: Red Hat, Inc. (auxiliary key 3) <security@redhat.com> public key
05707a62-68e6a1f3: Red Hat, Inc. (release key 4) <security@redhat.com> public key   <<<
```
What is the impact of this issue to you?
Cannot build 10.1 images
Please provide the package NVR for which the bug is seen:
osbuild-composer-149-1.el10.x86_64
How reproducible is this bug?:
Always
Steps to reproduce
- (possibly optional) install a fresh 10.0 with osbuild-composer and upgrade it to 10.1
- Create a simple blueprint with the ipmitool package
- Compose an image-installer
Expected results
The package signature can be verified
Actual results
```
Pipeline: anaconda-tree
Stage: org.osbuild.rpm
Output:
Failed to open file "/sys/fs/selinux/checkreqprot": Read-only file system
imported gpg key
Signature check failed on sha256:64a27e906cbec0c59108600ccfc0ca7bc6bd4ac5b2641422b9acc7fec9588bc1, lookup package name in manifest.
Traceback (most recent call last):
  File "/run/osbuild/bin/org.osbuild.rpm", line 260, in <module>
    r = main(args["tree"], args["inputs"], args["options"])
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/run/osbuild/bin/org.osbuild.rpm", line 162, in main
    subprocess.run([
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['rpmkeys', '--root', '/run/osbuild/tree', '--checksig', 'sha256:64a27e906cbec0c59108600ccfc0ca7bc6bd4ac5b2641422b9acc7fec9588bc1']' returned non-zero exit status 1.
```
Workaround
Create a repository override and append the 3rd and last key from `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` to the appstream "gpgkey" value:
```
mkdir -p /etc/osbuild-composer/repositories
cp /usr/share/osbuild-composer/repositories/rhel-10.1.json /etc/osbuild-composer/repositories/
```
Then edit `/etc/osbuild-composer/repositories/rhel-10.1.json` and change the value of the "gpgkey" field for the appstream x86_64 by appending at the end of the string (before the closing double-quote) the output of:
```
echo '\n-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n'$(rpm -qi gpg-pubkey-05707a62 | grep -A1000 BEGIN | grep -v -e '^$' -e '^---' | xargs | sed 's/ /\\n/g')'\n-----END PGP PUBLIC KEY BLOCK-----\n'
```
And then restart the composer service.
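
The "gpgkey" edit from the workaround above, done programmatically so that re-running it does not append the key twice; this is an added example, not part of the original report or of osbuild-composer. It assumes the repository file maps each architecture to a list of repositories with `name` and `gpgkey` fields, and the key bodies in the sample are constructed placeholders, not real keys.

```python
import json

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def armored(body):
    """Build a constructed (not real) armored block for the sample data."""
    return f"{BEGIN}\n\n{body}\n{END}\n"

# Constructed sample. Assumed layout: architecture -> list of repositories,
# each with a "name" and a "gpgkey" string holding concatenated armored keys.
SAMPLE = {"x86_64": [
    {"name": "baseos", "gpgkey": armored("KEY2") + armored("KEY3")},
    {"name": "appstream", "gpgkey": armored("KEY2") + armored("KEY3")},
]}

def key_blocks(text):
    """Split a gpgkey string into its individual armored blocks."""
    blocks, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            cur = [line]
        elif cur is not None:
            cur.append(line)
            if line == END:
                blocks.append("\n".join(cur))
                cur = None
    return blocks

def append_key(repos, arch, name, new_key):
    """Append new_key to the named repo's gpgkey; return True if it changed."""
    new = key_blocks(new_key)
    if len(new) != 1:
        raise ValueError("expected exactly one armored public key block")
    targets = [r for r in repos.get(arch, []) if r.get("name") == name]
    if not targets:
        raise KeyError(f"no repository {name!r} for {arch!r}")
    changed = False
    for repo in targets:
        current = repo.get("gpgkey", "")
        if new[0] not in key_blocks(current):  # exact match keeps reruns idempotent
            repo["gpgkey"] = current.rstrip("\n") + "\n" + new[0] + "\n"
            changed = True
    return changed

if __name__ == "__main__":
    append_key(SAMPLE, "x86_64", "appstream", armored("KEY4"))
    print(json.dumps(SAMPLE, indent=2))  # json.dumps escapes newlines as \n
```

Only the named repository for the named architecture is modified, so the other repositories' trusted key sets stay as shipped.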