shasum mismatch for macOS arm builds #1569

Closed
omenos opened this issue Apr 17, 2023 · 4 comments

Comments

omenos commented Apr 17, 2023

Describe the bug

Current releases have invalid shasums for macOS arm builds of client utilities. The sha256sum.txt contains different hashes than what are generated on end client systems. In this case, it's a 2021 M1 MacBook Pro running macOS Ventura 13.3.

$ shasum -a 256 -c sha256sum.txt
ccoctl-linux-4.12.0-0.okd-2023-04-16-041331.tar.gz: OK
openshift-client-linux-4.12.0-0.okd-2023-04-16-041331.tar.gz: OK
openshift-client-linux-arm64-4.12.0-0.okd-2023-04-16-041331.tar.gz: OK
openshift-client-mac-4.12.0-0.okd-2023-04-16-041331.tar.gz: OK
openshift-client-mac-arm64-4.12.0-0.okd-2023-04-16-041331.tar.gz: FAILED
openshift-client-windows-4.12.0-0.okd-2023-04-16-041331.zip: OK
openshift-install-linux-4.12.0-0.okd-2023-04-16-041331.tar.gz: OK
openshift-install-mac-4.12.0-0.okd-2023-04-16-041331.tar.gz: OK
openshift-install-mac-arm64-4.12.0-0.okd-2023-04-16-041331.tar.gz: FAILED
release.txt: OK
shasum: WARNING: 2 computed checksums did NOT match

Version

OKD 4.12.0-0.okd-2023-04-16-041331

How reproducible

100%

Log bundle

N/A

titou10titou10 commented Apr 17, 2023

It seems there is a general signature problem with this release, not only for clients or install packages, but also with OKD images themselves.

oc adm upgrade --to-latest


Retrieving payload failed version="4.12.0-0.okd-2023-04-16-041331" {...} verified: unable to verify sha256:{...} against keyrings: verifier-public-key-ci

It seems very similar to #1361

oc adm upgrade --to-latest --force

makes the release install with ClusterVersion status:

Target release version="4.12.0-0.okd-2023-04-16-041331"
image="registry.ci.openshift.org/origin/release@sha256:c51a70b2131b67a6f1140994de46a9ec42a9c07be051ca0883f96f5a2d0f4e4c"
cannot be verified, but continuing anyway because the update was forced:
unable to verify
sha256:c51a70b2131b67a6f1140994de46a9ec42a9c07be051ca0883f96f5a2d0f4e4c
against keyrings: verifier-public-key-ci

[2023-04-16T23:26:47Z: prefix
sha256-c51a70b2131b67a6f1140994de46a9ec42a9c07be051ca0883f96f5a2d0f4e4c
in config map signatures-managed: no more signatures to check,
2023-04-16T23:26:47Z: invalid signature, 2023-04-16T23:26:47Z: unable to
retrieve signature from
https://storage.googleapis.com/openshift-ci-release/releases/signatures/openshift/release/sha256=c51a70b2131b67a6f1140994de46a9ec42a9c07be051ca0883f96f5a2d0f4e4c/signature-2:
no more signatures to check, 2023-04-16T23:26:47Z: parallel signature
store wrapping containers/image signature store under
https://storage.googleapis.com/openshift-ci-release/releases/signatures/openshift/release:
no more signatures to check, 2023-04-16T23:26:47Z: serial signature
store wrapping config maps in openshift-config-managed with label
"release.openshift.io/verification-signatures", parallel signature store
wrapping containers/image signature store under
https://storage.googleapis.com/openshift-ci-release/releases/signatures/openshift/release:
no more signatures to check]

ExNG commented Apr 18, 2023

Hi
With this release the signing key has rotated, to update see here: #1566 (comment)

Member

vrutkovs commented Jan 29, 2024

That started affecting us again in 4.14, now on 4.15.0-0.okd-2024-01-27-070424:
actual - b50d51a4950acf99586ff13aa204e44f6fb35cc57526d134ac482e21a00f48ae openshift-install-mac-arm64-4.15.0-0.okd-2024-01-27-070424.tar.gz
expected - 05edd7058edf94ab24fd9b0c702592a551b986d8b6c47b2f70db80ac832cc119 openshift-install-mac-arm64-4.15.0-0.okd-2024-01-27-070424.tar.gz
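
Added example, not part of the thread or of OKD's tooling: a verifier for a `sha256sum.txt`-style manifest that reports the expected and actual digest for each entry, which `shasum -c` does not print on a `FAILED` line. The function names and the sample file are constructed for illustration; it assumes the usual `<hex digest>  <filename>` line layout.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One manifest line: 64 hex digits, a space, a mode marker (" " or "*"), then the file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_manifest(text):
    """Return [(expected_hex, filename)]; raise on lines that are not digest entries."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {n}: not a sha256sum entry")
        entries.append((m.group(1).lower(), m.group(2)))
    return entries

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large release archives are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(manifest_text, directory):
    """Return [(filename, status, expected, actual)]; status is OK, FAILED or MISSING."""
    results = []
    for expected, name in parse_manifest(manifest_text):
        path = os.path.join(directory, os.path.basename(name))  # never leave `directory`
        if not os.path.isfile(path):
            results.append((name, "MISSING", expected, None))
            continue
        actual = sha256_file(path)
        status = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
        results.append((name, status, expected, actual))
    return results

if __name__ == "__main__":
    # Constructed sample: one file whose content no longer matches its manifest entry.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample.tar.gz"), "wb") as f:
            f.write(b"rebuilt artifact")
        manifest = hashlib.sha256(b"original artifact").hexdigest() + "  sample.tar.gz\n"
        for name, status, expected, actual in verify(manifest, d):
            print(f"{name}: {status}\n  expected {expected}\n  actual   {actual}")
```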

@JaimeMagiera
Contributor

Hi,

We are not working on FCOS builds of OKD any more. Please see these documents...

https://okd.io/blog/2024/06/01/okd-future-statement
https://okd.io/blog/2024/07/30/okd-pre-release-testing

Please test with the OKD SCOS nightlies and file a new issue as needed.

Many thanks,

Jaime
