CUDA Repo - RHEL8 - Select Package Signature Failures

System Information:

  • Dell Precision 5820
  • NVIDIA Corporation GP107GL [Quadro P1000] (rev a1)
  • RHEL 8.5 + latest errata
  • RHEL8 CUDA Repo, already set up for nvidia-driver:510-dkms

Happened afternoon-evening of Fri 2/25 and again today, Mon 2/28.
Was able to install the drivers from the RHEL8 Module for 510:
$ sudo dnf module install nvidia-driver:510-dkms

And I can verify the GPG key 7fa2af80 is good on all driver (from the 510 module) packages.

$ rpm -qi nvidia-kmod-common-510.47.03-1.el8.noarch
Name : nvidia-kmod-common
...
License : NVIDIA License
Signature : RSA/SHA512, Mon 24 Jan 2022 09:30:46 PM CST, Key ID f60f4b3d7fa2af80
Source RPM : nvidia-kmod-common-510.47.03-1.el8.src.rpm
Build Date : Mon 24 Jan 2022 09:29:17 PM CST
...

But when I try to install CUDA 11-4 and 11-6 packages, all but 2 fail.

$ sudo dnf install $(cat /tmp/rpms_cuda11-6_11-4.txt)
...
Error: Transaction test error:
package cuda-toolkit-config-common-11.6.55-1.noarch does not verify: no digest
...
package cuda-11-6-11.6.1-1.x86_64 does not verify: no digest

And I verified in the DNF cache directory … (these are the only 2 good ones)

$ rpm -K /var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/*.rpm | grep -iv not
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/datacenter-gpu-manager-2.3.4-1-x86_64.rpm: digests signatures OK
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/nsight-systems-2021.5.2-2021.5.2.53_28d0e6e-0.x86_64.rpm: digests signatures OK

And the rest are all bad signatures …

$ rpm -K /var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/*.rpm | grep -i not
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/cuda-11-4-11.4.4-1.x86_64.rpm: DIGESTS signatures NOT OK
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/cuda-11-6-11.6.1-1.x86_64.rpm: DIGESTS signatures NOT OK
...
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/nsight-compute-2022.1.1-2022.1.1.2-1.x86_64.rpm: DIGESTS signatures NOT OK

I’ve found other reports in the forum that this happens from time to time. But given the recent NVIDIA compromise, I don’t want to directly use rpm to install without signature validation.

Please advise and/or remediate.

For security purposes, can someone else verify there are signature failures? This would mean the packages have been tampered with … or at least not signed/signed correctly after being built.

Unless NVIDIA is using a new GPG signing key instead of Key ID f60f4b3d7fa2af80.

Seems to have been resolved! Thank you!
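
Added example, not part of the original thread or of any NVIDIA or Red Hat tooling: a small shell filter that sorts `rpm -K` summary lines like the ones quoted above by which check failed. It assumes the rpm 4.14+ summary format (a failed check printed in upper case, a passed one in lower case); the function names, status labels and sample paths are made up for illustration.

```shell
#!/bin/sh
# Classify `rpm -K` (rpm --checksig) summary lines read from stdin.
# Output: "<status><TAB><package path>", one line per package.
# Assumption: the rpm 4.14+ summary format seen in this thread, where a check
# that failed is printed in upper case and a check that passed in lower case.
classify_rpm_k() {
    while IFS= read -r line; do
        case "$line" in
            *": "*) ;;          # "<path>: <result>"
            *) continue ;;      # skip "..." and anything else
        esac
        pkg=${line%: *}         # everything before the last ": "
        result=${line##*: }     # everything after it
        case "$result" in
            *"NOT OK")
                case "$result" in
                    *DIGESTS*SIGNATURES*) status=digest+signature-failed ;;
                    *DIGESTS*)            status=digest-failed ;;
                    *SIGNATURES*)         status=signature-failed ;;
                    *)                    status=failed-unknown ;;
                esac ;;
            *signatures*OK) status=ok ;;
            *OK)            status=unsigned ;;   # digests only: no signature was checked
            *)              status=unparsed ;;
        esac
        printf '%s\t%s\n' "$status" "$pkg"
    done
}

# Constructed sample input: two result lines as quoted in the post (paths
# shortened) plus one constructed line for a package that carries no signature.
sample_rpm_k_output() {
    cat <<'EOF'
/tmp/pkgs/datacenter-gpu-manager-2.3.4-1-x86_64.rpm: digests signatures OK
/tmp/pkgs/cuda-11-6-11.6.1-1.x86_64.rpm: DIGESTS signatures NOT OK
...
/tmp/pkgs/example-unsigned-1.0-1.noarch.rpm: digests OK
EOF
}

sample_rpm_k_output | classify_rpm_k
```

On a real system the filter is fed directly, for example `rpm -K *.rpm | classify_rpm_k`, and anything other than `ok` is held back from installation.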