Version: mcr.microsoft.com/azurelinux/imagecustomizer:1.2
I'm passing a repo to the Image Customizer and trying to get it to download a package from that repo. I verified that the repo file and key are passed to the container correctly, but am getting an error verifying the signature if repo_gpgcheck=1 in the repo file. gpgcheck=1 works, and I verified that the key is passed in correctly by checking that signature verification for installation fails if I pass in the incorrect key.
Error output:
DEBU[0008][main] repo md signature check: No public key
DEBU[0008][main] Error: TDNFVerifySignature 2004
DEBU[0008][main] Plugin error: repogpgcheck plugin error: failed to verify signature
DEBU[0008][main]
DEBU[0008][main] Error(2004) : Unknown error 404
DEBU[0008][main] Error: Failed to synchronize cache for repo 'LSG 6.18 Prod aarch64'
TRAC[0008][main] Disabling Repo: 'LSG 6.18 Prod aarch64'
I think that IC needs to import the key with gpg --import if repo_gpgcheck=1. I tried deleting the key on the AZL host and it reproduced the failure:
ongchris@TDC1417426060 [ ~/azl/Azure-OneMos ]$ sudo gpg --delete-keys AA86F75E427A19DD33346403EE4D7792F748182B
gpg (GnuPG) 2.4.9; Copyright (C) 2025 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/EE4D7792F748182B 2023-11-15 Microsoft Corporation - General GPG Signer <gpgsign@microsoft.com>
Delete this key from the keyring? (y/N) y
ongchris@TDC1417426060 [ ~/azl/Azure-OneMos ]$ sudo tdnf makecache
Loaded plugin: tdnfrepogpgcheck
Refreshing metadata for: 'Azure Linux Official Cloud Native 3.0 x86_64'
azurelinux-official-cloud-native 1572 100%
azurelinux-official-cloud-native 481 100%
Refreshing metadata for: 'LSG 6.18 Prod x86_64'
lsg-6.18-prod 1560 100%
lsg-6.18-prod 827 100%
repo md signature check: No public key
Error: TDNFVerifySignature 2004
Plugin error: repogpgcheck plugin error: failed to verify signature
Error(2004) : Unknown error 404
Error: Failed to synchronize cache for repo 'LSG 6.18 Prod x86_64'
Disabling Repo: 'LSG 6.18 Prod x86_64'
If I import the key again, tdnf succeeds:
ongchris@TDC1417426060 [ ~/azl/Azure-OneMos ]$ sudo gpg --import /etc/pki/rpm-gpg/LSG-RPM-GPG-KEY
gpg: key EE4D7792F748182B: public key "Microsoft Corporation - General GPG Signer <gpgsign@microsoft.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
ongchris@TDC1417426060 [ ~/azl/Azure-OneMos ]$ sudo tdnf makecache
Loaded plugin: tdnfrepogpgcheck
Refreshing metadata for: 'Azure Linux Official Cloud Native 3.0 x86_64'
azurelinux-official-cloud-native 1572 100%
azurelinux-official-cloud-native 481 100%
Refreshing metadata for: 'LSG 6.18 Prod x86_64'
lsg-6.18-prod 1560 100%
lsg-6.18-prod 827 100%
lsg-6.18-prod 42138 100%
lsg-6.18-prod 465708 100%
lsg-6.18-prod 2962 100%
Refreshing metadata for: 'Azure Linux Official Nvidia 3.0 x86_64'
azurelinux-official-nvidia 1561 100%
azurelinux-official-nvidia 481 100%
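
A preflight check for the condition reproduced above, added here as an example; it is not part of the original issue, tdnf, or Image Customizer. It assumes, as the reproduction indicates, that metadata signatures for repos with repo_gpgcheck=1 are verified against the GnuPG keyring of the user running tdnf; the function names are hypothetical.

```shell
# Added example: function names are hypothetical, not part of tdnf or Image Customizer.
# Assumes repo files use repo_gpgcheck=1 and gpgkey=file://... as described in the issue.

# Print "<repo id><TAB><key path>" for every repo section that sets repo_gpgcheck=1.
repos_with_repo_gpgcheck() {
    awk '
        function emit() { if (id != "" && check) print id "\t" key }
        /^[ \t]*\[.*\][ \t]*$/ {
            emit()
            id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id)
            check = 0; key = ""
            next
        }
        /^[ \t]*repo_gpgcheck[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            check = (v == "1")
        }
        /^[ \t]*gpgkey[ \t]*=/ {
            key = $0; sub(/^[^=]*=[ \t]*/, "", key); sub(/[ \t]*$/, "", key)
            sub(/^file:\/\//, "", key)
        }
        END { emit() }
    ' "$@"
}

# For each such repo, check that the key file's fingerprint is present in the
# invoking user's GnuPG keyring. Returns non-zero if any key is missing or unreadable.
check_repo_keys() {
    rc=0
    tab=$(printf '\t')
    list=$(repos_with_repo_gpgcheck "$@")
    while IFS="$tab" read -r id key; do
        [ -n "$id" ] || continue
        fpr=$(gpg --show-keys --with-colons "$key" 2>/dev/null |
              awk -F: '$1 == "fpr" { print $10; exit }')
        if [ -z "$fpr" ]; then
            echo "FAIL $id: no readable key at '$key'"; rc=1
        elif gpg --list-keys "$fpr" >/dev/null 2>&1; then
            echo "OK   $id: $fpr present in keyring"
        else
            echo "MISS $id: $fpr absent; metadata signature check will fail"; rc=1
        fi
    done <<EOF
$list
EOF
    return $rc
}
```

Run `check_repo_keys /etc/yum.repos.d/*.repo` as the same user that runs tdnf (root in the session above), since GnuPG keyrings are per-user.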