Hello,
I just wanted to let people know that if you’re installing K3S on EL9 (RHEL9, AlmaLinux 9, and probably Rocky Linux 9), you may need to tweak some settings to accept the RPM signatures. EL9 deprecates SHA1 package signatures in favor of SHA512 package signatures.
I had to make the following update before running the K3s installer:

    # update-crypto-policies --set DEFAULT:SHA1

After that, running the K3S install process proceeded normally.
For those that want to set things back, you can run this:

    # update-crypto-policies --set DEFAULT

I think ultimately one of the RPM repos that K3s references will need to roll their signing keys to support SHA512 signatures, which is what Duo Security wound up doing.
References:
- Post on Duo Security forums: Duo RPM repository broken for EL9 distributions - Unix and SSH - Duo Security Community
- Duo security rolling signing keys: Heads-up: GPG key for Duo Unix will be updated June 2, 2022 - Release Notes - Duo Security Community
- Thanks to the AlmaLinux support group on IRC/Matrix. They helped me spot the issue originally.
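
A wrapper for the workaround above, as an added example that is not part of the original post: it allows SHA1 only while one command runs, then restores whatever policy was active before, which generalizes the post's `DEFAULT` case to hosts set to another base policy. The function name `with_sha1_policy`, the `UCP` override variable and the `install.sh` file name are hypothetical; only `update-crypto-policies --show` and `--set` are the real tool's options.

```shell
# Added example: keep the SHA1 allowance scoped to a single command.
# UCP is an assumed override hook so the function can be driven by a stub;
# by default it calls the real update-crypto-policies (needs root).
UCP="${UCP:-update-crypto-policies}"

with_sha1_policy() {
    # Remember the active policy, e.g. "DEFAULT" or "FUTURE".
    _prev="$("$UCP" --show)" || return 1

    case "$_prev" in
        *:SHA1*)
            # SHA1 is already allowed: run the command and change nothing.
            _rc=0; "$@" || _rc=$?
            return "$_rc"
            ;;
    esac

    # Add the SHA1 subpolicy on top of the current base policy.
    "$UCP" --set "${_prev}:SHA1" >/dev/null || return 1

    # Run the wrapped command and keep its exit status.
    _rc=0; "$@" || _rc=$?

    # Roll back even when the wrapped command failed.
    if ! "$UCP" --set "$_prev" >/dev/null; then
        echo "could not restore crypto policy '$_prev'" >&2
        return 1
    fi
    return "$_rc"
}

# Usage (as root), with install.sh standing in for a downloaded K3s installer:
#   with_sha1_policy sh ./install.sh
#   update-crypto-policies --show    # should print the original policy again
```

The rollback runs after the wrapped command returns; if the shell is killed mid-install, check `update-crypto-policies --show` and reset the policy by hand.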