minio / kes

Key Management Server for Object Storage and more
https://min.io/docs/kes/concepts/
GNU Affero General Public License v3.0

kes update gives error: Downloading KES minisign signature...Error: minisign: invalid signature: invalid untrusted comment #463

Closed CaptainLoop closed 3 months ago

CaptainLoop commented 3 months ago

Bug description

version: kes 2023-05-02T22-48-10Z (commit=1e46c482c170614d9e61f16b50de39cac3593a22)

kes update gives error: Downloading KES minisign signature...Error: minisign: invalid signature: invalid untrusted comment

[root@minio user]# kes update
Downloading KES minisign signature...Error: minisign: invalid signature: invalid untrusted comment
[root@minio user]# kes update --arch amd64
Downloading KES minisign signature...Error: minisign: invalid signature: invalid untrusted comment
[root@minio user]# kes update --arch amd64 -k --os linux v0.23.0
Downloading KES minisign signature...Error: minisign: invalid signature: invalid untrusted comment
[root@minio user]#  kes update --minisign-key RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
Downloading KES minisign signature...Error: minisign: invalid signature: invalid untrusted comment

Expected behavior

kes service is updated

Additional context

version: kes 2023-05-02T22-48-10Z (commit=1e46c482c170614d9e61f16b50de39cac3593a22)

systemd service:

cat /etc/systemd/system/kes.service
[Unit]
Description=Miniokes
Wants=network-online.target
After=network-online.target

[Service]
User=miniokes
Group=miniokes
Type=simple
ExecStart=/usr/bin/kes \
    server \
    --config /etc/miniokes/config.yml \
    --auth off

[Install]
WantedBy=multi-user.target

I installed another kes service [keslinux.service], latest release

keslinux --version
Version    2024-04-12T13-50-00Z   commit=f7b150f5e065ac191bdedca84a109f13aef513b9
Runtime    go1.21.9 linux/amd64   compiler=gc
License    AGPLv3                 https://www.gnu.org/licenses/agpl-3.0.html
Copyright  2015-2024 MinIO Inc.   https://min.io

I tried to update this one too, but got the same errors. BUT if I use the --minisign-key attribute with the current release key, it does not give me an error

keslinux update --minisign-key RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
Already on latest version 2024-04-12T13-50-00Z

If I want to downgrade, I get the same error

keslinux update -d --minisign-key RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
Downgrading from '2024-04-12 13:50:00 +0000 UTC' to '2024-04-12 13:50:00 +0000 UTC'
Downloading KES minisign signature...Error: minisign: invalid signature: invalid untrusted comment

  1. What version of Go are you using (go version)? go version go1.19.13 linux/amd64
  2. What operating system and processor architecture are you using (go env)?
    NAME="Rocky Linux"
    VERSION="9.2 (Blue Onyx)"
    ID="rocky"
    ID_LIKE="rhel centos fedora"
    VERSION_ID="9.2"
    PLATFORM_ID="platform:el9"
    PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
    ANSI_COLOR="0;32"
    LOGO="fedora-logo-icon"
    CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
    HOME_URL="https://rockylinux.org/"
    BUG_REPORT_URL="https://bugs.rockylinux.org/"
    SUPPORT_END="2032-05-31"
    ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
    ROCKY_SUPPORT_PRODUCT_VERSION="9.2"
    REDHAT_SUPPORT_PRODUCT="Rocky Linux"
    REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
  3. Anything else that is important? binary release replacement is working without any issue

aead commented 3 months ago

This is a bug in the KES release you are using. It contains a URL to a repo that contains the KES SDK, not the KES server. Refer to: https://github.com/minio/kes/blob/2023-05-02T22-48-10Z/cmd/kes/update.go#L129 and https://github.com/minio/kes/blob/2023-05-02T22-48-10Z/cmd/kes/update.go#L176

Newer versions, e.g. 2024-04-12T13-50-00Z, don't have this problem anymore.
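
Why a wrong download URL surfaces as this particular error, as an added example (not code from the KES project or the minisign library): a minisign signature file has four lines, and the `untrusted comment: ` prefix on the first line is checked before any key or signature bytes are examined, so a response body that is not a signature file fails there whichever public key is supplied. The function names, the sample key ID and the "404: Not Found" body are assumptions constructed for illustration; the thread does not show what the broken URL returned.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// checkSignatureFile runs the structural checks that come before any Ed25519
// verification and returns the key ID (read here as little-endian) on success.
func checkSignatureFile(body string) (uint64, error) {
	lines := strings.Split(strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n"), "\n")
	if !strings.HasPrefix(lines[0], "untrusted comment: ") {
		return 0, errors.New("invalid untrusted comment")
	}
	if len(lines) != 4 || !strings.HasPrefix(lines[2], "trusted comment: ") {
		return 0, errors.New("invalid trusted comment")
	}
	// Line 2: 2-byte algorithm tag, 8-byte key ID, 64-byte signature.
	sig, err := base64.StdEncoding.DecodeString(lines[1])
	if err != nil || len(sig) != 74 || (string(sig[:2]) != "Ed" && string(sig[:2]) != "ED") {
		return 0, errors.New("invalid signature line")
	}
	// Line 4: 64-byte signature over the signature and the trusted comment.
	if g, err := base64.StdEncoding.DecodeString(lines[3]); err != nil || len(g) != 64 {
		return 0, errors.New("invalid global signature")
	}
	return binary.LittleEndian.Uint64(sig[2:10]), nil
}

// sampleSignature builds a constructed, structurally valid file. Its signature
// bytes are all zero, so it would never pass real cryptographic verification.
func sampleSignature(keyID uint64) string {
	sig := make([]byte, 74)
	copy(sig, "ED")
	binary.LittleEndian.PutUint64(sig[2:], keyID)
	return "untrusted comment: constructed sample\n" +
		base64.StdEncoding.EncodeToString(sig) + "\n" +
		"trusted comment: constructed sample\n" +
		base64.StdEncoding.EncodeToString(make([]byte, 64)) + "\n"
}

func main() {
	for _, body := range []string{sampleSignature(0x1122334455667788), "404: Not Found"} {
		id, err := checkSignatureFile(body)
		fmt.Printf("keyID=%X err=%v\n", id, err)
	}
}
```

When an updater reports this error, comparing the key ID in the downloaded file with the key ID of the pinned public key is only meaningful once the structural checks pass; a failure on line 1 points at the download source rather than at the key.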