geerlingguy/ansible-role-repo-epel

EPEL GPG key not found on rhel/ubi8

mla-lbn opened this issue · 8 comments

Using geerlingguy/docker-ubi8-ansible:latest I am getting:

    TASK [geerlingguy.repo-epel : Check if EPEL repo is already configured.] *******
    Thursday 24 September 2020  11:07:41 +0200 (0:00:04.626)       0:00:15.583 ****
    ok: [rhel8]

    TASK [geerlingguy.repo-epel : Import EPEL GPG key.] ****************************
    Thursday 24 September 2020  11:07:45 +0200 (0:00:04.745)       0:00:20.329 ****
    fatal: [rhel8]: FAILED! => changed=false
      msg: Not a valid key /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8

    [root@rhel8 /]# ls /etc/pki/rpm-gpg/
    RPM-GPG-KEY-redhat-beta  RPM-GPG-KEY-redhat-release

It would look like the EPEL key is only available by default on CentOS and not rhel/ubi?

I just checked using a fresh CentOS 8 host and I get the same error.

    [root@docker-1 rpm-gpg]# ls
    RPM-GPG-KEY-centosofficial  RPM-GPG-KEY-centostesting
    [root@docker-1 rpm-gpg]# cat /etc/centos-release
    CentOS Linux release 8.2.2004 (Core)

Seeing this one too; as a workaround we pinned 1.3.0.

Same here; I think it's because epel_repo_gpg_key_url is targeting a file instead of a remote URL, since the file does not exist on the system prior to epel-release being installed.
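
The ordering problem described in the comment above, as an added example (not part of the thread and not the role's own tasks): check whether the key file is on disk and fall back to a remote copy when it is absent. The variable names and the dl.fedoraproject.org key URL are assumptions for illustration.

```yaml
# Added example: why importing a local key path fails before epel-release
# is installed, and one way to handle both cases.
- name: Import the EPEL GPG key whether or not epel-release is installed
  hosts: all
  become: true
  vars:
    # Path taken from the error output in this issue.
    epel_key_path: "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
    # Assumption: Fedora's published copy of the same key, fetched over HTTPS.
    epel_key_remote: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
  tasks:
    - name: Check whether the key file already exists on the host
      stat:
        path: "{{ epel_key_path }}"
      register: epel_key_file

    # Only valid once epel-release (or something else) has placed the file.
    # On a fresh host this is the task that reports "Not a valid key".
    - name: Import the key from disk when it is present
      rpm_key:
        key: "{{ epel_key_path }}"
        state: present
      when: epel_key_file.stat.exists

    # Fresh RHEL/UBI/CentOS hosts ship only the vendor keys, so fetch the key.
    # validate_certs stays on so the download is authenticated by TLS.
    - name: Import the key from the remote URL when the file is absent
      rpm_key:
        key: "{{ epel_key_remote }}"
        state: present
        validate_certs: true
      when: not epel_key_file.stat.exists
```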

We see the same here on RHEL 7:

    TASK [geerlingguy.repo-epel : Import EPEL GPG key.] ****************************
    fatal: [02d7-student1-attacker]: FAILED! => {"changed": false, "msg": "Not a valid key /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"}

To me it looks like commit 9133e45 is responsible for it. I must admit that I don't really get why this change was introduced: how should a machine have that key already before the repo is installed?

> To me it looks like commit 9133e45 is responsible for it. I must admit that I don't really get why this change was introduced: how should a machine have that key already before the repo is installed?

It's related to #42, where I reported an issue with CentOS where the command to install the epel repo failed because Ansible wouldn't accept the "accept GPG key" prompt, which is why the Install key was moved earlier in the tasks.

I see that - but I don't understand how that should fix such an issue?! In the end, we cannot import a key which is not there?!
Anyway, multiple OSs were named in this thread where this role is not working anymore due to this change.

I have replaced geerlingguy.repo-epel with robertdebock.epel, and have no issue with CentOS7 / CentOS8.

I believe this should be fixed in #45 — new release coming shortly after CI passes.