Fix Telegraf Installation Error

Error:

warning: /var/cache/yum/x86_64/7/influxdata/packages/telegraf-1.26.3-1.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 7df8b07e: NOKEY

Solution:

https://www.influxdata.com/blog/linux-package-signing-key-rotation/

Configuring Linux Hosts to Use the New Signing Key

The fingerprint of the new key is 9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E.

DEB-Based Systems

  1. Obtain and verify the new key:

    $ wget -q https://repos.influxdata.com/influxdata-archive_compat.key
    $ gpg --with-fingerprint --show-keys ./influxdata-archive_compat.key
    pub   rsa4096 2023-01-18 [SC] [expires: 2026-01-17]
          9D53 9D90 D332 8DC7 D6C8  D3B9 D8FF 8E1F 7DF8 B07E
    uid                  InfluxData Package Signing Key <support@influxdata.com>
    
  2. Install the new key:

    $ cat influxdata-archive_compat.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg > /dev/null
    
  3. Update your APT sources to use the new key:

    $ echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list
    
  4. Clean up the old key:

    $ sudo rm -f /etc/apt/trusted.gpg.d/influxdb.gpg
    
  5. Confirm that sudo apt-get update returns no errors for https://repos.influxdata.com


Update: Linux Package Signing Key Rotation

Update 2023-01-26: As of 2023-01-26, InfluxData's Linux packaging signing key has been rotated. Users should update their configurations to use the new key.

Original 2023-01-24: On January 4, CircleCI issued an alert recommending that all CircleCI users rotate their secrets. InfluxData is a CircleCI customer, and as a precaution, we are proactively rotating all secrets stored in CircleCI.

InfluxData uses CircleCI for various products, and the Linux packaging signing key with fingerprint 05CE 1508 5FC0 9D18 E99E FB22 684A 14CF 2582 E0C5 was stored in CircleCI during the exposure period. InfluxData will rotate this signing key, so Linux DEB and RPM users must configure their systems to use the new key.

The official InfluxData repositories were not compromised, and InfluxData has verified that software signed by this key and retrievable via the official repositories has not been modified. Additionally, while a hypothetical attacker could use this key to sign binaries that appear to come from InfluxData, the attacker cannot access the official repositories to deliver them to your host.

We are rotating the key signing key in two phases:

  1. On 2023-01-26, we will start using the new Linux package signing key with fingerprint 9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E.
  2. On 2023-04-27, we will revoke the old Linux package signing key with fingerprint 05CE 1508 5FC0 9D18 E99E FB22 684A 14CF 2582 E0C5.

Once the new key is rolled out to the official InfluxData repositories, DEB and RPM-based Linux systems will no longer be able to download and/or verify software from the InfluxData repositories until the following configuration changes are made. InfluxData will provide an update to this post indicating when the new key is in place.

Configuring Linux Hosts to Use the New Signing Key

The fingerprint of the new key is 9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E.

DEB-Based Systems

  1. Obtain and verify the new key:

    $ wget -q https://repos.influxdata.com/influxdata-archive_compat.key
    $ gpg --with-fingerprint --show-keys ./influxdata-archive_compat.key
    pub   rsa4096 2023-01-18 [SC] [expires: 2026-01-17]
          9D53 9D90 D332 8DC7 D6C8  D3B9 D8FF 8E1F 7DF8 B07E
    uid                  InfluxData Package Signing Key <support@influxdata.com>
    
  2. Install the new key:

    $ cat influxdata-archive_compat.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg > /dev/null
    
  3. Update your APT sources to use the new key:

    $ echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list
    
  4. Clean up the old key:

    $ sudo rm -f /etc/apt/trusted.gpg.d/influxdb.gpg
    
  5. Confirm that sudo apt-get update returns no errors for https://repos.influxdata.com

The above specifies the paths for files and configurations in the latest documentation. Users who use a different /etc/apt/sources.list.d/influxdata.list file need to update their file to use signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg. Similarly, users who installed the old key in a different location need to use that location to remove the old key (/etc/apt/trusted.gpg.d/influxdb.gpg).

RPM-Based Systems

  1. Update your YUM repository configuration to use the new key:

    $ cat <<EOF | sudo tee /etc/yum.repos.d/influxdata.repo
    [influxdata]
    name = InfluxData Repository - Stable
    baseurl = https://repos.influxdata.com/stable/\$basearch/main
    enabled = 1
    gpgcheck = 1
    gpgkey = https://repos.influxdata.com/influxdata-archive_compat.key
    EOF
    
  2. The next YUM operation pulling from the repo will update the key:

    $ sudo yum update && sudo yum install telegraf
    Importing GPG key 0x7DF8B07E:
    Userid : "InfluxData Package Signing Key <support@influxdata.com>"
    Fingerprint: 9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E
    From : https://repos.influxdata.com/influxdata-archive_compat.key
    Is this ok [y/N]: y
    
  3. Clean up the old key:

    $ sudo rpm --erase gpg-pubkey-2582e0c5-56099b04
    

The above specifies the configuration path in the latest documentation. Users who use a different /etc/yum.repos.d/influxdata.repo file need to update their file to use gpgkey = https://repos.influxdata.com/influxdata-archive_compat.key.

评论

暂无评论。

登录后可发表评论。