Closed orgads closed 7 months ago
Hello,
A few more things to add:
1. `NODESOURCE-NODEJS-GPG-SIGNING-KEY-EL` key available, it's never used. Instead, `NODESOURCE-NSOLID-GPG-SIGNING-KEY-EL` is used for both `nodesource-nsolid` and `nodesource-nodejs` repos:
```
$ file /etc/pki/rpm-gpg/NODESOURCE-NODEJS-GPG-SIGNING-KEY-EL
/etc/pki/rpm-gpg/NODESOURCE-NODEJS-GPG-SIGNING-KEY-EL: PGP public key block Public-Key (old)
$ cat /etc/yum.repos.d/nodesource-nodistro.repo
[nodesource-nsolid]
name=Nsolid Packages for Linux RPM based distros - $basearch
baseurl=https://rpm.nodesource.com/pub_20.x/nodistro/nsolid/$basearch
priority=8
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/NODESOURCE-NSOLID-GPG-SIGNING-KEY-EL

[nodesource-nodejs]
name=Node.js Packages for Linux RPM based distros - $basearch
baseurl=https://rpm.nodesource.com/pub_20.x/nodistro/nodejs/$basearch
priority=9
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/NODESOURCE-NSOLID-GPG-SIGNING-KEY-EL
```
2. Nsolid key can't be imported on modern operating systems (e.g. RHEL 9 in my case) since SHA1 hash algorithm is deprecated:
```
$ sudo rpm --import /etc/pki/rpm-gpg/NODESOURCE-NSOLID-GPG-SIGNING-KEY-EL
warning: Signature not supported. Hash algorithm SHA1 not available.
error: /etc/pki/rpm-gpg/NODESOURCE-NSOLID-GPG-SIGNING-KEY-EL: key 1 import failed.
```
It is possible to import this key by updating security configuration but it's strongly discouraged.
3. Even after importing `NODESOURCE-NODEJS-GPG-SIGNING-KEY-EL` key manually, the package's signature can't be verified:
```
$ sudo rpm --import /etc/pki/rpm-gpg/NODESOURCE-NODEJS-GPG-SIGNING-KEY-EL
$ sudo rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' | grep -i node
gpg-pubkey-34fa74dd-540237d4 --> NodeSource gpg-rpm@nodesource.com public key
$ sudo rpmkeys -K nodejs-20.11.1-1nodesource.x86_64.rpm
nodejs-20.11.1-1nodesource.x86_64.rpm: digests SIGNATURES NOT OK
```
Thanks,
Andrii
The same issue with AlmaLinux 9.3. How to solve this?
Hello guys @userVF @orgads, I wanted to thank you for the detailed explanation and the steps to repro the issue.
First, I want to let you know that we've updated our signing keys, so they are no longer SHA1 but SHA256.
Where can you find the key? https://rpm.nodesource.com/gpgkey/ns-operations-public.key
Then how do you install Node now? Let's use our script; this will set up everything for you.
```
curl -fsSL https://rpm.nodesource.com/setup_20.x | bash -
dnf install -y nodejs
```
USING DOCKER
```
docker run --rm -it rockylinux:8.9.20231119 bash -c 'curl -fsSL https://rpm.nodesource.com/setup_20.x | bash - && dnf install nodejs -y && node --version'
```
We know there is a lot of confusion since we've made several changes in the past year, and we're so sorry for that. We will try to clean up the docs a bit and make them more user-friendly.
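To check which digest the signatures inside a key file use (the SHA1 versus SHA256 difference discussed in this thread), the following is an added example, not code from NodeSource or the thread participants: a small Python parser for OpenPGP packet headers. The sample byte strings are constructed, not real keys, and the function names are this example's own.

```python
import base64

HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",  # RFC 4880, 9.4
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Constructed samples (not real keys): key packet, user ID, one signature packet.
SAMPLE_SHA1 = bytes.fromhex("9806040000000001 b40474657374 8806041301020000")
SAMPLE_SHA256 = bytes.fromhex("9806040000000001 b40474657374 c206041301080000")

def dearmor(data):
    """Return binary packets from an ASCII-armored (or already binary) key."""
    if b"-----BEGIN PGP" not in data:
        return data
    text = data.decode("ascii", "replace").replace("\r", "")
    body = text.split("-----BEGIN PGP", 1)[1].split("-----END PGP", 1)[0]
    body = body.split("\n\n", 1)[-1]      # drop BEGIN line tail and armor headers
    # Lines starting with "=" carry the CRC24 checksum, not key data.
    return base64.b64decode("".join(l for l in body.split("\n") if l[:1] != "="))

def packets(buf):
    """Yield (tag, body) for old- and new-format packet headers."""
    i = 0
    while i < len(buf):
        hdr, i = buf[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                    # new format: tag in the low 6 bits
            tag, o, i = hdr & 0x3F, buf[i], i + 1
            if o < 192:
                n = o
            elif o < 224:
                n, i = ((o - 192) << 8) + buf[i] + 192, i + 1
            elif o == 255:
                n, i = int.from_bytes(buf[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        elif (hdr & 3) == 3:              # old format, length runs to end of data
            tag, n = (hdr >> 2) & 0x0F, len(buf) - i
        else:                             # old format, 1/2/4-byte length field
            tag, w = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n, i = int.from_bytes(buf[i:i + w], "big"), i + w
        yield tag, buf[i:i + n]
        i += n

def signature_hashes(key):
    """Hash algorithm name of every signature packet (tag 2) in the key."""
    out = []
    for tag, body in packets(dearmor(key)):
        off = 16 if body[:1] in (b"\x02", b"\x03") else 3  # v2/v3 vs v4+ layout
        if tag == 2 and len(body) > off:
            out.append(HASHES.get(body[off], "unknown(%d)" % body[off]))
    return out
```

To inspect a real key, pass the bytes of the key file, for example `signature_hashes(open(path, "rb").read())`.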
Thank you very much. Installation works with the new gpgkey that you provided.
Describe your bug: GPG check fails.
Distribution Information:
Node Version:
To Reproduce: Steps to reproduce the behavior:
Output:
Expected behavior: It should work.