Error:
warning: /var/cache/yum/x86_64/7/influxdata/packages/telegraf-1.26.3-1.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 7df8b07e: NOKEY
Solution:
https://www.influxdata.com/blog/linux-package-signing-key-rotation/
Configuring Linux Hosts to Use the New Signing Key
The fingerprint of the new key is 9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E.
DEB-Based Systems
Obtain and verify the new key:
$ wget -q https://repos.influxdata.com/influxdata-archive_compat.key $ gpg --with-fingerprint --show-keys ./influxdata-archive_compat.key pub rsa4096 2023-01-18 [SC] [expires: 2026-01-17] 9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E uid InfluxData Package Signing Key <support@influxdata.com>Install the new key:
$ cat influxdata-archive_compat.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg > /dev/nullUpdate your APT sources to use the new key:
$ echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.listClean up the old key:
$ sudo rm -f /etc/apt/trusted.gpg.d/influxdb.gpgConfirm that
sudo apt-get updatereturns no errors for https://repos.influxdata.com
Update: Linux Package Signing Key Rotation
Update 2023-01-26: As of 2023-01-26, InfluxData's Linux packaging signing key has been rotated. Users should update their configurations to use the new key.
Original 2023-01-24: On January 4, CircleCI issued an alert recommending that all CircleCI users rotate their secrets. InfluxData is a CircleCI customer, and as a precaution, we are proactively rotating all secrets stored in CircleCI.
InfluxData uses CircleCI for various products, and the Linux packaging signing key with fingerprint 05CE 1508 5FC0 9D18 E99E FB22 684A 14CF 2582 E0C5 was stored in CircleCI during the exposure period. InfluxData will rotate this signing key, so Linux DEB and RPM users must configure their systems to use the new key.
The official InfluxData repositories were not compromised, and InfluxData has verified that software signed by this key and retrievable via the official repositories has not been modified. Additionally, while a hypothetical attacker could use this key to sign binaries that appear to come from InfluxData, the attacker cannot access the official repositories to deliver them to your host.
We are rotating the key signing key in two phases:
- On 2023-01-26, we will start using the new Linux package signing key with fingerprint
9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E. - On 2023-04-27, we will revoke the old Linux package signing key with fingerprint
05CE 1508 5FC0 9D18 E99E FB22 684A 14CF 2582 E0C5.
Once the new key is rolled out to the official InfluxData repositories, DEB and RPM-based Linux systems will no longer be able to download and/or verify software from the InfluxData repositories until the following configuration changes are made. InfluxData will provide an update to this post indicating when the new key is in place.
Configuring Linux Hosts to Use the New Signing Key
The fingerprint of the new key is 9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E.
DEB-Based Systems
Obtain and verify the new key:
$ wget -q https://repos.influxdata.com/influxdata-archive_compat.key $ gpg --with-fingerprint --show-keys ./influxdata-archive_compat.key pub rsa4096 2023-01-18 [SC] [expires: 2026-01-17] 9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E uid InfluxData Package Signing Key <support@influxdata.com>Install the new key:
$ cat influxdata-archive_compat.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg > /dev/nullUpdate your APT sources to use the new key:
$ echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.listClean up the old key:
$ sudo rm -f /etc/apt/trusted.gpg.d/influxdb.gpgConfirm that
sudo apt-get updatereturns no errors for https://repos.influxdata.com
The above specifies the paths for files and configurations in the latest documentation. Users who use a different /etc/apt/sources.list.d/influxdata.list file need to update their file to use signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg. Similarly, users who installed the old key in a different location need to use that location to remove the old key (/etc/apt/trusted.gpg.d/influxdb.gpg).
RPM-Based Systems
Update your YUM repository configuration to use the new key:
$ cat <<EOF | sudo tee /etc/yum.repos.d/influxdata.repo [influxdata] name = InfluxData Repository - Stable baseurl = https://repos.influxdata.com/stable/\$basearch/main enabled = 1 gpgcheck = 1 gpgkey = https://repos.influxdata.com/influxdata-archive_compat.key EOFThe next YUM operation pulling from the repo will update the key:
$ sudo yum update && sudo yum install telegraf Importing GPG key 0x7DF8B07E: Userid : "InfluxData Package Signing Key <support@influxdata.com>" Fingerprint: 9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E From : https://repos.influxdata.com/influxdata-archive_compat.key Is this ok [y/N]: yClean up the old key:
$ sudo rpm --erase gpg-pubkey-2582e0c5-56099b04
The above specifies the configuration path in the latest documentation. Users who use a different /etc/yum.repos.d/influxdata.repo file need to update their file to use gpgkey = https://repos.influxdata.com/influxdata-archive_compat.key.
暂无评论。