Netdata installations using kickstart on RHEL9 started to fail today due to a GPG key error.
The same install was working just fine about 8 hours ago.
netdata-kickstart.sh --interactive --disable-telemetry --stable-channel --no-updates --dont-start-it --disable-cloud --native-only --install-version 1.46.3*
One thing we noticed is that the fingerprint shown on the Web page (Install Netdata using native DEB/RPM packages | Learn Netdata) is different than the fingerprint of the key available here: https://repository.netdata.cloud/netdatabot.gpg.key
Thanks for your help.
BTW, I also tried a newer version (1.47.5) and have the same issue with the GPG key error returned.
I then edited the yum repo file, disabling gpg checking. After doing this the installation worked perfectly.
repo_gpgcheck=0
gpgcheck=0
This leads me to believe that there’s something wrong with the key download at https://repository.netdata.cloud/netdatabot.gpg.key
If I manually download the key using the url above, it looks like this when installed in the gpg keyring:
pub rsa4096 2025-03-16 [SC] [expires: 2035-03-14]
6E155DC153906B73765A74A99DD4A74CECFA8F4F
uid [ unknown] Netdatabot (Netdata Repository Signing Key) <bot@netdata.cloud>
sub rsa4096 2025-03-16 [E] [expires: 2035-03-14]
However, the “Install Netdata using native DEB/RPM packages” page shows the current fingerprint being 6588FDD7B14721FE7C3115E6F9177B5265F56346. You can see they’re different.
As a temporary workaround, I copied the key from a server where netdata was previously installed successfully, and I’m manually installing it (rpm --import key.asc) onto new hosts. This key I copied from another server matches the fingerprint in your documentation (6588FDD7B14721FE7C3115E6F9177B5265F56346).
After manually installing the key, I can run the kickstart installer to completion without issue.
Not sure when it was updated, but it seems that their Install Netdata using native DEB/RPM packages page now lists the correct signature (which is the one I am getting from apt-key list).
However, when trying a fresh install of Netdata using the native DEB/RPM packages in a new VM, I am getting the following error when adding the repo (yes, the repo key has already been added):
Failed to update apt cache: W:GPG error: https://repo.netdata.cloud/repos/stable/ubuntu focal/ InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F9177B5265F56346, E:The repository 'https://repo.netdata.cloud/repos/stable/ubuntu focal/ InRelease' is not signed.
Same problem here.
Netdata 36 kB/s | 3.1 kB 00:00
Importing GPG key 0xECFA8F4F:
Userid : “Netdatabot (Netdata Repository Signing Key) bot@netdata.cloud”
Fingerprint: 6E15 5DC1 5390 6B73 765A 74A9 9DD4 A74C ECFA 8F4F
From : https://repository.netdata.cloud/netdatabot.gpg.key
Is this ok [y/N]: y
Key imported successfully
Import of key(s) didn’t help, wrong key(s)?
Public key for netdata-2.2.6-1.el8.x86_64.rpm is not installed. Failing package is: netdata-2.2.6-1.el8.x86_64
GPG Keys are configured as: https://repository.netdata.cloud/netdatabot.gpg.key
This is due to an oversight on our end during the signing key rotation we did on Monday. We’ve just merged a fix and it should be live within the next 10-20 minutes (though it may take longer to be visible to some users).
I’m still seeing this issue as of March 27th. I’m using the kickstart.sh installer on both RHEL 8/9 and Rocky9. I’m trying to get a consistent nightly build installed on all my agents.
Thanks!
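The fingerprint mismatch discussed in this thread can be checked before a key is imported, instead of switching off gpgcheck. The script below is an added example, not part of any post above and not Netdata's installer code: it compares a key's primary fingerprint with one pinned from a trusted source, and maps the short key IDs that dnf and apt print back to a full fingerprint. The function names, `KEY_URL`, `PINNED` and the sample listing are assumptions made for illustration; the listing format is that of `gpg --show-keys --with-colons`.

```shell
#!/bin/sh
# Added example (not from the thread): check a repo signing key's fingerprint.

# Strip whitespace and an optional 0x prefix, then uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read `gpg --show-keys --with-colons` output on stdin and print the primary
# key's fingerprint: the first "fpr" record after "pub", field 10.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Succeed if a key ID from an error message (8 or 16 hex digits, e.g. from
# "NO_PUBKEY ..." or "Importing GPG key 0x...") is the tail of a fingerprint.
keyid_matches() {
    id=$(normalize_fpr "$1")
    fpr=$(normalize_fpr "$2")
    [ -n "$id" ] || return 1
    case "$fpr" in *"$id") return 0 ;; *) return 1 ;; esac
}

# $1 = fingerprint pinned from a trusted source; stdin = colon listing.
# Only an exact match on all 40 hex digits passes.
verify_key_listing() {
    expected=$(normalize_fpr "$1")
    actual=$(primary_fpr)
    [ "${#expected}" -eq 40 ] && [ "$actual" = "$expected" ]
}

# Constructed sample listing: the fingerprint is the one quoted in the thread,
# every other field (dates, subkey fingerprint) is a placeholder.
SAMPLE_LISTING='pub:-:4096:1:9DD4A74CECFA8F4F:1742083200:2057443200::-:::scESC:
fpr:::::::::6E155DC153906B73765A74A99DD4A74CECFA8F4F:
uid:-::::1742083200::::Netdatabot (Netdata Repository Signing Key) <bot@netdata.cloud>:
sub:-:4096:1:0000000000000000:1742083200:2057443200:::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

# Real use (needs network and gpg):
#   curl -fsSL "$KEY_URL" | gpg --show-keys --with-colons | verify_key_listing "$PINNED"
if printf '%s\n' "$SAMPLE_LISTING" | verify_key_listing '6E15 5DC1 5390 6B73 765A 74A9 9DD4 A74C ECFA 8F4F'
then echo "fingerprint matches the pinned value"
else echo "fingerprint mismatch: do not import"
fi
```

`keyid_matches` shows why the two errors in the thread point at different keys: `F9177B5265F56346` is the tail of the 6588… fingerprint, while `0xECFA8F4F` is the tail of the 6E15… fingerprint.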