search

openvinotoolkit / openvino

OpenVINO™ is an open-source toolkit for optimizing and deploying AI inference
https://docs.openvino.ai
Apache License 2.0
6.78k stars 2.16k forks source link

[Build]: failed to parse GPG signature for RPM repository #24365

Closed abrown closed 4 months ago

abrown commented 4 months ago

OpenVINO Version

2024.1.0

Operating System

Other (Please specify in description)

Hardware Architecture

x86 (64 bits)

Target Platform

$ cat /etc/os-release | grep NAME
NAME="Fedora Linux"
VERSION_CODENAME=""
PRETTY_NAME="Fedora Linux 40 (Workstation Edition)"
CPE_NAME="cpe:/o:fedoraproject:fedora:40"
DEFAULT_HOSTNAME="fedora"

$ uname -r
6.8.7-300.fc40.x86_64

$ lscpu | grep name
Model name:                           Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz

Build issue description

When attempting to retrieve the OpenVINO packages from the Yum repository, the GPG signature is bad. The linked RPM issue (#2351) in the output below tells us that RPM does not consider this an issue; their view is that Intel's key is the one that is non-conformant.

The "fix" for this is to disable signature checking in the *.repo file:

gpgcheck=0
repo_gpgcheck=0

This is hardly a fix, though, since it defeats the point of verifying the RPM signature and exposes users to dependency attacks. It seems like the right thing to do is fix the GPG key somehow.

Build script or step-by-step to reproduce

$ cat /etc/yum.repos.d/intel-openvino-2024.repo
[OpenVINO]
name=Intel(R) Distribution of OpenVINO 2024
baseurl=https://yum.repos.intel.com/openvino/2024
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB

$ sudo dnf search openvino
Intel(R) Distribution of OpenVINO 2024                                                                                       25 kB/s | 943  B     00:00
Importing GPG key 0x53D04109:
 Userid     : "CN=Intel(R) Software Development Products"
 Fingerprint: E9BF 0AFC 46D6 E8B7 DA58 82F1 BAC6 F0C3 53D0 4109
 From       : https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB
Is this ok [y/N]: y
Intel(R) Distribution of OpenVINO 2024                                                                                      3.2 kB/s | 287  B     00:00
Error: Failed to download metadata for repo 'OpenVINO': repomd.xml GPG signature verification error: Error during parsing OpenPGP packets: Parsing an OpenPGP packet:
  Failed to parse Signature Packet
      because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.
      because: Malformed MPI: leading bit is not set: expected bit 8 to be set in   100001 (21)
Ignoring repositories: OpenVINO
Last metadata expiration check: 1:36:13 ago on Fri 03 May 2024 12:20:58 PM PDT.
No matches found.

$ sudo vim /etc/yum.repos.d/intel-openvino-2024.repo
# Modify the repository file to disable signature checking.

$ sudo cat /etc/yum.repos.d/intel-openvino-2024.repo
[OpenVINO]
name=Intel(R) Distribution of OpenVINO 2024
baseurl=https://yum.repos.intel.com/openvino/2024
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB

$ sudo dnf search openvino
Intel(R) Distribution of OpenVINO 2024                                                                                       23 kB/s | 5.9 kB     00:00
============================================================= Name & Summary Matched: openvino =============================================================
openvino.noarch : OpenVINO™ Toolkit
libopenvino-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-auto-batch-plugin-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-auto-batch-plugin-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-auto-plugin-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-auto-plugin-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-devel-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-devel-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-hetero-plugin-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-hetero-plugin-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-intel-cpu-plugin-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-intel-cpu-plugin-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-intel-gpu-plugin-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-intel-gpu-plugin-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-ir-frontend-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-ir-frontend-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-onnx-frontend-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-onnx-frontend-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-paddle-frontend-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-paddle-frontend-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-pytorch-frontend-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-pytorch-frontend-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-tensorflow-frontend-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-tensorflow-frontend-2024.1.0.x86_64 : OpenVINO™ Toolkit
libopenvino-tensorflow-lite-frontend-2024.0.0.x86_64 : OpenVINO™ Toolkit
libopenvino-tensorflow-lite-frontend-2024.1.0.x86_64 : OpenVINO™ Toolkit
openvino-2024.0.0.noarch : OpenVINO™ Toolkit
openvino-2024.1.0.noarch : OpenVINO™ Toolkit
openvino-libraries-2024.0.0.noarch : OpenVINO™ Toolkit
openvino-libraries-2024.1.0.noarch : OpenVINO™ Toolkit
openvino-libraries-devel.noarch : OpenVINO™ Toolkit
openvino-libraries-devel-2024.0.0.noarch : OpenVINO™ Toolkit
openvino-libraries-devel-2024.1.0.noarch : OpenVINO™ Toolkit
openvino-samples-2024.0.0.noarch : OpenVINO™ Toolkit
openvino-samples-2024.1.0.noarch : OpenVINO™ Toolkit

Relevant log output

No response

Issue submission checklist

artanokhov commented 4 months ago

Can't reproduce it with clean Fedora 38 image(the first system where applied such requirements for signature)

[root@0317b27b5307 /]# cat /etc/os-release | grep NAME
NAME="Fedora Linux"
VERSION_CODENAME=""
PRETTY_NAME="Fedora Linux 38 (Container Image)"
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
DEFAULT_HOSTNAME="fedora"

[root@0317b27b5307 /]# cat /etc/yum.repos.d/openvino-2024.repo
[OpenVINO]
name=Intel(R) Distribution of OpenVINO 2024
baseurl=https://yum.repos.intel.com/openvino/2024
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB

[root@0317b27b5307 /]# yum list 'openvino*'
Fedora 38 - x86_64                                                                                                                                                                 7.6 MB/s |  83 MB     00:10
Fedora 38 openh264 (From Cisco) - x86_64                                                                                                                                           1.3 kB/s | 2.6 kB     00:01
Fedora Modular 38 - x86_64                                                                                                                                                         1.6 MB/s | 2.8 MB     00:01
Fedora 38 - x86_64 - Updates                                                                                                                                                       2.4 MB/s |  41 MB     00:17
Fedora Modular 38 - x86_64 - Updates                                                                                                                                               904 kB/s | 2.1 MB     00:02
Intel(R) Distribution of OpenVINO 2024                                                                                                                                             222  B/s | 287  B     00:01
Intel(R) Distribution of OpenVINO 2024                                                                                                                                             1.7 kB/s | 943  B     00:00
Importing GPG key 0x53D04109:
 Userid     : "CN=Intel(R) Software Development Products"
 Fingerprint: E9BF 0AFC 46D6 E8B7 DA58 82F1 BAC6 F0C3 53D0 4109
 From       : https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB
Is this ok [y/N]:y
Intel(R) Distribution of OpenVINO 2024                                                                                                                                             4.2 kB/s |  15 kB     00:03
Available Packages
openvino.noarch                                                                                                  2024.1.0.15008-1                                                                          OpenVINO
openvino-2024.0.0.noarch                                                                                         2024.0.0.14509-1                                                                          OpenVINO
openvino-2024.1.0.noarch                                                                                         2024.1.0.15008-1                                                                          OpenVINO
openvino-libraries-2024.0.0.noarch                                                                               2024.0.0.14509-1                                                                          OpenVINO
openvino-libraries-2024.1.0.noarch                                                                               2024.1.0.15008-1                                                                          OpenVINO
openvino-libraries-devel.noarch                                                                                  2024.1.0.15008-1                                                                          OpenVINO
openvino-libraries-devel-2024.0.0.noarch                                                                         2024.0.0.14509-1                                                                          OpenVINO
openvino-libraries-devel-2024.1.0.noarch                                                                         2024.1.0.15008-1                                                                          OpenVINO
openvino-samples-2024.0.0.noarch                                                                                 2024.0.0.14509-1                                                                          OpenVINO
openvino-samples-2024.1.0.noarch                                                                                 2024.1.0.15008-1                                                                          OpenVINO

[root@0317b27b5307 /]# dnf install -y openvino-2024.1.0.noarch
.....
.....
Upgraded:
  elfutils-libelf-0.191-1.fc38.x86_64  elfutils-libs-0.191-1.fc38.x86_64  glibc-2.37-19.fc38.x86_64  glibc-common-2.37-19.fc38.x86_64  glibc-minimal-langpack-2.37-19.fc38.x86_64  libgcc-13.2.1-7.fc38.x86_64
  libgomp-13.2.1-7.fc38.x86_64         libstdc++-13.2.1-7.fc38.x86_64
Installed:
  binutils-2.39-16.fc38.x86_64                                              binutils-gold-2.39-16.fc38.x86_64                                  cmake-3.27.7-1.fc38.x86_64
  cmake-data-3.27.7-1.fc38.noarch                                           cmake-filesystem-3.27.7-1.fc38.x86_64                              cpp-13.2.1-7.fc38.x86_64
  elfutils-debuginfod-client-0.191-1.fc38.x86_64                            emacs-filesystem-1:29.3-1.fc38.noarch                              gc-8.2.2-3.fc38.x86_64
  gcc-13.2.1-7.fc38.x86_64                                                  gcc-c++-13.2.1-7.fc38.x86_64                                       glibc-devel-2.37-19.fc38.x86_64
  glibc-headers-x86-2.37-19.fc38.noarch                                     guile22-2.2.7-7.fc38.x86_64                                        jansson-2.13.1-6.fc38.x86_64
  jsoncpp-1.9.5-4.fc38.x86_64                                               kernel-headers-6.8.3-100.fc38.x86_64                               libmpc-1.3.1-2.fc38.x86_64
  libopenvino-2024.1.0-2024.1.0.15008-1.x86_64                              libopenvino-auto-batch-plugin-2024.1.0-2024.1.0.15008-1.x86_64     libopenvino-auto-plugin-2024.1.0-2024.1.0.15008-1.x86_64
  libopenvino-devel-2024.1.0-2024.1.0.15008-1.x86_64                        libopenvino-hetero-plugin-2024.1.0-2024.1.0.15008-1.x86_64         libopenvino-intel-cpu-plugin-2024.1.0-2024.1.0.15008-1.x86_64
  libopenvino-intel-gpu-plugin-2024.1.0-2024.1.0.15008-1.x86_64             libopenvino-ir-frontend-2024.1.0-2024.1.0.15008-1.x86_64           libopenvino-onnx-frontend-2024.1.0-2024.1.0.15008-1.x86_64
  libopenvino-paddle-frontend-2024.1.0-2024.1.0.15008-1.x86_64              libopenvino-pytorch-frontend-2024.1.0-2024.1.0.15008-1.x86_64      libopenvino-tensorflow-frontend-2024.1.0-2024.1.0.15008-1.x86_64
  libopenvino-tensorflow-lite-frontend-2024.1.0-2024.1.0.15008-1.x86_64     libpkgconf-1.8.0-6.fc38.x86_64                                     libstdc++-devel-13.2.1-7.fc38.x86_64
  libtool-ltdl-2.4.7-6.fc38.x86_64                                          libuv-1:1.48.0-1.fc38.x86_64                                       libxcrypt-devel-4.4.36-1.fc38.x86_64
  make-1:4.4.1-1.fc38.x86_64                                                ocl-icd-2.3.2-1.fc38.x86_64                                        openvino-2024.1.0-2024.1.0.15008-1.noarch
  openvino-libraries-2024.1.0-2024.1.0.15008-1.noarch                       openvino-libraries-devel-2024.1.0-2024.1.0.15008-1.noarch          openvino-samples-2024.1.0-2024.1.0.15008-1.noarch
  pkgconf-1.8.0-6.fc38.x86_64                                               pkgconf-m4-1.8.0-6.fc38.noarch                                     pkgconf-pkg-config-1.8.0-6.fc38.x86_64
  rhash-1.4.3-2.fc38.x86_64                                                 tbb-2020.3-16.fc38.x86_64                                          vim-filesystem-2:9.1.354-1.fc38.noarch

Complete!
artanokhov commented 4 months ago

Reproduced on Fedora 40.

artanokhov commented 4 months ago

Fixed. @abrown you can try it now :)

[root@b352c6c9cb96 /]# cat /etc/os-release | grep NAME
NAME="Fedora Linux"
VERSION_CODENAME=""
PRETTY_NAME="Fedora Linux 40 (Container Image)"
CPE_NAME="cpe:/o:fedoraproject:fedora:40"
DEFAULT_HOSTNAME="fedora"

[root@b352c6c9cb96 /]# yum install -y openvino-2024.1.0.noarch
...
...
Installed:
  binutils-2.41-34.fc40.x86_64                                              binutils-gold-2.41-34.fc40.x86_64                                  cmake-3.28.2-1.fc40.x86_64
  cmake-data-3.28.2-1.fc40.noarch                                           cmake-filesystem-3.28.2-1.fc40.x86_64                              cpp-14.0.1-0.15.fc40.x86_64
  elfutils-debuginfod-client-0.191-4.fc40.x86_64                            emacs-filesystem-1:29.3-6.fc40.noarch                              gc-8.2.2-6.fc40.x86_64
  gcc-14.0.1-0.15.fc40.x86_64                                               gcc-c++-14.0.1-0.15.fc40.x86_64                                    glibc-devel-2.39-6.fc40.x86_64
  glibc-headers-x86-2.39-6.fc40.noarch                                      guile30-3.0.7-12.fc40.x86_64                                       jansson-2.13.1-9.fc40.x86_64
  jsoncpp-1.9.5-7.fc40.x86_64                                               kernel-headers-6.8.3-300.fc40.x86_64                               libmpc-1.3.1-5.fc40.x86_64
  libopenvino-2024.1.0-2024.1.0.15008-1.x86_64                              libopenvino-auto-batch-plugin-2024.1.0-2024.1.0.15008-1.x86_64     libopenvino-auto-plugin-2024.1.0-2024.1.0.15008-1.x86_64
  libopenvino-devel-2024.1.0-2024.1.0.15008-1.x86_64                        libopenvino-hetero-plugin-2024.1.0-2024.1.0.15008-1.x86_64         libopenvino-intel-cpu-plugin-2024.1.0-2024.1.0.15008-1.x86_64
  libopenvino-intel-gpu-plugin-2024.1.0-2024.1.0.15008-1.x86_64             libopenvino-ir-frontend-2024.1.0-2024.1.0.15008-1.x86_64           libopenvino-onnx-frontend-2024.1.0-2024.1.0.15008-1.x86_64
  libopenvino-paddle-frontend-2024.1.0-2024.1.0.15008-1.x86_64              libopenvino-pytorch-frontend-2024.1.0-2024.1.0.15008-1.x86_64      libopenvino-tensorflow-frontend-2024.1.0-2024.1.0.15008-1.x86_64
  libopenvino-tensorflow-lite-frontend-2024.1.0-2024.1.0.15008-1.x86_64     libpkgconf-2.1.0-1.fc40.x86_64                                     libstdc++-devel-14.0.1-0.15.fc40.x86_64
  libuv-1:1.48.0-1.fc40.x86_64                                              libxcrypt-devel-4.4.36-5.fc40.x86_64                               make-1:4.4.1-6.fc40.x86_64
  ocl-icd-2.3.2-5.fc40.x86_64                                               openvino-2024.1.0-2024.1.0.15008-1.noarch                          openvino-libraries-2024.1.0-2024.1.0.15008-1.noarch
  openvino-libraries-devel-2024.1.0-2024.1.0.15008-1.noarch                 openvino-samples-2024.1.0-2024.1.0.15008-1.noarch                  pkgconf-2.1.0-1.fc40.x86_64
  pkgconf-m4-2.1.0-1.fc40.noarch                                            pkgconf-pkg-config-2.1.0-1.fc40.x86_64                             rhash-1.4.3-4.fc40.x86_64
  tbb2020.3-2020.3-4.fc40.x86_64                                            vim-filesystem-2:9.1.354-1.fc40.noarch

Complete!
abrown commented 4 months ago

I tried this out on a different machine and indeed the signing issue is now fixed — thanks!