Installing grafana on Centos stream 9 gpg key error

Trying to install the latest grafana 9.1.6-1 on Centos Stream 9.

cat <<EOF | sudo tee /etc/yum.repos.d/grafana.repo
[grafana]
name=grafana
baseurl=https://packages.grafana.com/oss/rpm
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://packages.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
EOF

And :

sudo dnf install grafana -y

  • What happened?
> Total download size: 77 M
> Installed size: 263 M
> Is this ok [y/N]: y
> Downloading Packages:
> (1/2): chkconfig-1.20-2.el9.x86_64.rpm                                          643 kB/s | 180 kB     00:00    
> (2/2): grafana-9.1.6-1.x86_64.rpm                                                25 MB/s |  77 MB     00:03    
> ----------------------------------------------------------------------------------------------------------------
> Total                                                                            14 MB/s |  77 MB     00:05     
> grafana                                                                         8.1 kB/s | 1.7 kB     00:00    
> Importing GPG key 0x24098CB6:
>  Userid     : "Grafana <info@grafana.com>"
>  Fingerprint: 4E40 DDF6 D76E 284A 4A67 80E4 8C8C 34C5 2409 8CB6
>  From       : https://packages.grafana.com/gpg.key
> Is this ok [y/N]: y
> warning: Signature not supported. Hash algorithm SHA1 not available.
> Key import failed (code 2). Failing package is: grafana-9.1.6-1.x86_64
>  GPG Keys are configured as: https://packages.grafana.com/gpg.key
> The downloaded packages were saved in cache until the next successful transaction.
> You can remove cached packages by executing 'dnf clean packages'.
> Error: GPG check FAILED

I could install grafana through the epel repo but this is far from the latest version.
Also I could install with wget but it’s much nicer through a repo because otherwise I have to remember to check for newer versions.

I’m a long-time user (from CentOS 6) but this is the first time I have run into this error.

Also it’s possible to skip gpg-key check with :

gpgcheck=1

But that’s not nice :slight_smile:

Found something that looks like it could be the problem:

What is the problem ?

I added :

The same for Rocky 9

Hi @bertha,

Welcome to the :grafana: community support forums !!

For OSS releases the repo file looks like this (same as what you posted):

[grafana]
name=grafana
baseurl=https://packages.grafana.com/oss/rpm
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://packages.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

Then what you can do is run some additional commands (as you already got the signature error).

[usman@localhost ~]$ dnf clean all

[usman@localhost ~]$ dnf clean metadata

[usman@localhost ~]$ dnf install epel-release 

[usman@localhost ~]$ dnf update

And finally, do;

[usman@localhost ~]$ dnf install grafana

The reason for cleaning the dnf is that sometimes it causes problems when getting package information.

Then installing and running epel-release is mostly helpful as some required packages are not available in the core repo.

I hope this helps. If not then let me know.

Thanks usmanahmad for replying !

I tried with the epel repo and that works OK but it is a very old version (7 I believe).

I always worked with grafana.repo (since CentOS 6 or so) and never had any problems. Even with CentOS Stream 8.

Now with both Rocky 9 and Stream 9 it's broken.

Does it have anything to do with the sha-1 key link in my first post?
RedHat says packages need to be generated with SHA-256 and not with SHA-1 anymore?

So I am also a CentOS user myself and was really interested in what caused it, so I tried to reproduce it on CentOS 9 Stream (like you, I used CentOS 8 and there it works fine).

Here are my steps to reproduce and also the solution to resolve it.

Here are my installation logs with comments;

1- Preparing the repo

[root@localhost ~]# vi /etc/yum.repos.d/grafana.repo

[root@localhost ~]# dnf update
grafana                                         2.1 kB/s | 454  B     00:00    
grafana                                          20 kB/s | 1.7 kB     00:00    
Importing GPG key 0x24098CB6:
 Userid     : "Grafana <info@grafana.com>"
 Fingerprint: 4E40 DDF6 D76E 284A 4A67 80E4 8C8C 34C5 2409 8CB6
 From       : https://packages.grafana.com/gpg.key
Is this ok [y/N]: y
grafana                                         5.1 MB/s |  13 MB     00:02    
Last metadata expiration check: 0:00:04 ago on Wed 28 Sep 2022 11:24:50 PM CEST.
Dependencies resolved.
Nothing to do.
Complete!

[root@localhost ~]# dnf makecache
CentOS Stream 9 - BaseOS                         23 kB/s |  11 kB     00:00    
CentOS Stream 9 - AppStream                     102 kB/s |  12 kB     00:00    
CentOS Stream 9 - Extras packages                79 kB/s |  12 kB     00:00    
Extra Packages for Enterprise Linux 9 - x86_64   33 kB/s |  23 kB     00:00    
Extra Packages for Enterprise Linux 9 - Next -   41 kB/s |  23 kB     00:00    
grafana                                         2.1 kB/s | 454  B     00:00    
Metadata cache created.

2- Installing Grafana via dnf package manager

[root@localhost ~]# dnf install grafana
[...]
[...]
grafana                                          17 kB/s | 1.7 kB     00:00
Importing GPG key 0x24098CB6:
 Userid     : "Grafana <info@grafana.com>"
 Fingerprint: 4E40 DDF6 D76E 284A 4A67 80E4 8C8C 34C5 2409 8CB6
 From       : https://packages.grafana.com/gpg.key
Is this ok [y/N]: y
warning: Signature not supported. Hash algorithm SHA1 not available.
Key import failed (code 2). Failing package is: grafana-9.1.6-1.x86_64
 GPG Keys are configured as: https://packages.grafana.com/gpg.key
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Now, I finally got the error which you described. Then after some research found out that in the latest version of CentOS, RHEL and Rocky Linux (ver 9 series in most cases), there are some changes made on the core cryptographic subsystems protocols.

So to view it you need to make sure that this package crypto-policies-scripts is installed on the machine.

Once there, run this command;

[root@localhost ~]# update-crypto-policies --show
DEFAULT

Now, DEFAULT here means that the system allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 2048 bits long.

I found this info from RedHat official docs after some digging and found that DEFAULT does not have SHA1:

3- Solution

Change the policy to SHA1 via command

[root@localhost ~]# update-crypto-policies --set DEFAULT:SHA1
Setting system policy to DEFAULT:SHA1

Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

# Do a reboot on the machine
[root@localhost ~]# reboot

4- Run Installer again

[root@localhost ~]# dnf clean packages
20 files removed
[root@localhost ~]# dnf install grafana
Last metadata expiration check: 0:10:39 ago on Wed 28 Sep 2022 11:25:05 PM CEST.
Dependencies resolved.
[...]
[...]
[...]
(20/20): grafana-9.1.6-1.x86_64.rpm             6.1 MB/s |  77 MB     00:12
--------------------------------------------------------------------------------
Total                                           5.6 MB/s |  85 MB     00:15
grafana                                          16 kB/s | 1.7 kB     00:00
Importing GPG key 0x24098CB6:
 Userid     : "Grafana <info@grafana.com>"
 Fingerprint: 4E40 DDF6 D76E 284A 4A67 80E4 8C8C 34C5 2409 8CB6
 From       : https://packages.grafana.com/gpg.key
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : urw-base35-fonts-common-20200910-6.el9.noarch
[...]
[...]
[...]
Installed:
  chkconfig-1.20-2.el9.x86_64                   fontconfig-2.14.0-1.el9.x86_64                             freetype-2.10.4-9.el9.x86_64                        grafana-9.1.6-1.x86_64                            
  graphite2-1.3.14-9.el9.x86_64                 harfbuzz-2.7.4-8.el9.x86_64                                libpng-2:1.6.37-12.el9.x86_64                       urw-base35-bookman-fonts-20200910-6.el9.noarch    
  urw-base35-c059-fonts-20200910-6.el9.noarch   urw-base35-d050000l-fonts-20200910-6.el9.noarch            urw-base35-fonts-20200910-6.el9.noarch              urw-base35-fonts-common-20200910-6.el9.noarch     
  urw-base35-gothic-fonts-20200910-6.el9.noarch urw-base35-nimbus-mono-ps-fonts-20200910-6.el9.noarch      urw-base35-nimbus-roman-fonts-20200910-6.el9.noarch urw-base35-nimbus-sans-fonts-20200910-6.el9.noarch
  urw-base35-p052-fonts-20200910-6.el9.noarch   urw-base35-standard-symbols-ps-fonts-20200910-6.el9.noarch urw-base35-z003-fonts-20200910-6.el9.noarch         xml-common-0.6.3-58.el9.noarch                    

Complete!

5- Revert back the crypto-policy

[root@localhost ~]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

I hope this helps.

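Steps 3 to 5 of the post above as one function, added here as an example and not part of the post: it switches to a temporary policy, runs one command, and restores whatever policy was active before, even when the command fails. `UCP` is a hypothetical override variable, and skipping the reboot is an assumption based on the tool's own note that policies are applied on application start-up.

```shell
#!/bin/sh
# Added example (not from the thread): run one command under a temporary
# crypto policy and always put the previous policy back afterwards.
# UCP is a hypothetical override so the function can be exercised against
# a stub; by default it is the real update-crypto-policies tool.
UCP=${UCP:-update-crypto-policies}

with_temporary_policy() {
    tmp_policy=$1
    shift
    # Remember what was active (e.g. DEFAULT) before touching anything.
    prev_policy=$("$UCP" --show) || return 1
    "$UCP" --set "$tmp_policy" >/dev/null || return 1

    # Run the wrapped command; keep its exit status instead of aborting,
    # so the restore below happens even when the install fails.
    rc=0
    "$@" || rc=$?

    # Restore, then read the policy back to confirm it really changed.
    "$UCP" --set "$prev_policy" >/dev/null
    now=$("$UCP" --show)
    if [ "$now" != "$prev_policy" ]; then
        echo "policy is still '$now', expected '$prev_policy'" >&2
        return 70
    fi
    return "$rc"
}

# Usage on the host (as root), mirroring steps 3 to 5 of the post:
#   with_temporary_policy DEFAULT:SHA1 dnf install -y grafana
```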

I will also try to get in touch with our team to see if they can help further for new OS releases. But I think the above solution/workaround which you also figured out can help at the moment.


I have now reported this case at our GitHub OSS repo: Installation not possible on new CentOS, RHEL, RockyLinux (ver 9) as SHA1 is Legacy · Issue #55962 · grafana/grafana · GitHub


Thank you so much … this did the trick :slight_smile:

Finally it’s possible to install my production server with grafana, influxdb and node-red.

I was confused because I thought I tested the rpm with:

sudo rpm -qpi grafana-enterprise-9.2.0~beta1-1.x86_64.rpm
Name : grafana-enterprise
Version : 9.2.0~beta1
Release : 1
Architecture: x86_64
Install Date: (not installed)
Group : default
Size : 342833185
License : unknown
Signature : RSA/SHA512, ma 26 sep 2022 13:02:15 CEST, Key ID 8c8c34c524098cb6
Source RPM : grafana-enterprise-9.2.0~beta1-1.src.rpm
Build Date : ma 26 sep 2022 13:01:28 CEST
Build Host : 649f38019f19
Relocations : /
Packager : contact@grafana.com
Vendor : Grafana Enterprise
URL : https://grafana.com
Summary : Grafana
Description :
Grafana

And

Signature : RSA/SHA512

made me uncertain because of the sha512 which is better than the new sha256

Your method is a workaround and better than installing the rpm, which makes me manually check for new versions.
With your workaround I get an error while updating the system (I think).
But I need to reboot after installing a new release, which is for the time being OK.

Do you have any idea when or even if the maintainers will use the new sha256?

But for now … :+1:


It’s remarkable to see many “tutorials” which comment out the gpg key check in the repo-file.

I’m a little confused …

When I’m downloading the grafana rpm with wget there is a sha256 key.

But when I’m installing through the repo-file it’s using sha1?

Is this a wrong conclusion that I’m drawing here?
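The log earlier in the thread stops at `Key import failed`, that is, while the key is being imported, whereas `rpm -qpi` reports the package's own signature; the signatures stored inside the key file are a separate thing to check. As an added example (not part of any post), this filter reads `gpg --list-packets` output and reports the digest algorithm of each signature packet; the sample dump and its key IDs are constructed.

```shell
#!/bin/sh
# Added example: report the digest algorithm of every signature packet in
# `gpg --list-packets` output read from stdin.
# Returns 1 if any signature uses MD5 or SHA1, otherwise 0.
list_sig_digests() {
    awk '
    BEGIN {
        # OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
        name[1] = "MD5";    name[2] = "SHA1";   name[3]  = "RIPEMD160"
        name[8] = "SHA256"; name[9] = "SHA384"; name[10] = "SHA512"
        name[11] = "SHA224"
    }
    /^:signature packet:/ { keyid = $NF; sigclass = "?"; insig = 1; next }
    /^:/                  { insig = 0 }   # any other packet ends the block
    insig && /sigclass/   { sigclass = $NF }
    insig && /digest algo/ {
        id = $3; sub(/,$/, "", id)
        algo = (id in name) ? name[id] : "id" id
        verdict = (id == 1 || id == 2) ? "WEAK" : "ok"
        if (verdict == "WEAK") weak++
        print keyid, sigclass, algo, verdict
    }
    END { exit (weak > 0) }
    '
}

# Constructed sample (not a dump of the real Grafana key): one key whose
# self-signature (sigclass 0x13) uses SHA1, and one that uses SHA256.
sample_packets() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1500000000, expires 0
    keyid: AAAAAAAAAAAAAAAA
:user ID packet: "Old Example Key <old@example.invalid>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
    version 4, created 1500000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 0b 7c
:public key packet:
    version 4, algo 1, created 1600000000, expires 0
    keyid: BBBBBBBBBBBBBBBB
:user ID packet: "New Example Key <new@example.invalid>"
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
    version 4, created 1600000000, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 5e 91
EOF
}
```

On a real host the input would come from a downloaded key file, for example `gpg --list-packets gpg.key | list_sig_digests`.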

Hi @bertha,

I suggest that you could report this information in the above GitHub issue so that the developers can know more and find a possible solution.


Is there any update on this? The GitHub issue is closed, but the issue persists.

Hi @sivan,

The last update on Github says that it should be resolved starting from the next 9.3 and/or 9.4 release.

What version are you using and are you still getting the same error?

@usman.ahmad

Today there was a new GPG key installed which updated grafana with its repo.

Thank you for addressing this at github which solved this problem !