Foreman Repo Sync: pxeboot/initrd.img failed validation due to checksum

I am syncing the Alma Linux 9 repository to The Foreman server.
Since today, the sync of the Alma Linux 9 BaseOS repo will break and abort.
It seems that the GPG signature of a specific file (in the BaseOS repo) is incorrect.

The error is:

A file located at the url https://repo.almalinux.org/almalinux/9/BaseOS/x86_64/os/images/pxeboot/initrd.img failed validation due to checksum. Expected '730cb204bfd8668e7e3bd2e88ed1d443084d467db6d1228b63f8f27117e52e3a', Actual '1c1985fcc76ac600a37ec117964e1c3ddb9dc60aee9130e3d78ba09c89c22b18'

As a result, Foreman’s repo sync process will break off and abort, and the system can’t sync anything from that repo anymore.

I was able to reproduce the problem with another, independent Foreman server, with the same result.

It’s quite likely that the issue is within the repo itself, and not Foreman.
In theory, this could happen due to a supply-chain attack. But more likely, it may be a mistake in the deployment process.

Is this issue fixable by this community, or does it have to be fixed upstream?

I have found this old thread from 2022, regarding a similar issue:

It seems to be a cache issue.

I also get the 9.4 initrd.img on https://repo.almalinux.org/almalinux/9/BaseOS/x86_64/os/images/pxeboot/initrd.img and the 9.5 initrd.img on https://repo.almalinux.org/almalinux/9.5/BaseOS/x86_64/os/images/pxeboot/initrd.img.

The 9.5 treeinfo file contains the checksum of the 9.5 image and I get the 9.5 treeinfo through /9/.

For Foreman, you can either temporarily change the URL to /9.5/ or you can disable the treeinfo for the repository for the moment.

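Added example (not part of the thread, and not Foreman's or Pulp's own code): a pre-sync check that hashes every file listed in a repository's .treeinfo [checksums] section and reports mismatches such as the initrd.img one above. The function names and sample bytes are constructed for illustration, and the `path = algorithm:digest` layout of `[checksums]` is assumed to be the usual .treeinfo form.

```python
import configparser
import hashlib
import urllib.request


def parse_checksums(treeinfo_text):
    """Return {relative_path: (algorithm, hex_digest)} from a .treeinfo [checksums] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep file paths case-sensitive
    cp.read_string(treeinfo_text)
    result = {}
    if cp.has_section("checksums"):
        for path, value in cp.items("checksums"):
            algo, _, digest = value.partition(":")
            result[path] = (algo.strip().lower(), digest.strip().lower())
    return result


def verify_tree(treeinfo_text, fetch):
    """Hash each listed file via fetch(path) -> bytes; return [(path, expected, actual)] mismatches."""
    mismatches = []
    for path, (algo, expected) in parse_checksums(treeinfo_text).items():
        actual = hashlib.new(algo, fetch(path)).hexdigest()
        if actual != expected:
            mismatches.append((path, expected, actual))
    return mismatches


def http_fetcher(base_url):
    """Build a fetch() that downloads paths relative to a repository base URL."""
    def fetch(path):
        with urllib.request.urlopen(base_url.rstrip("/") + "/" + path, timeout=60) as resp:
            return resp.read()
    return fetch


# Constructed sample: the treeinfo describes the new image, the mirror still serves the old one.
NEW_INITRD = b"constructed 9.5 initrd bytes"
OLD_INITRD = b"constructed 9.4 initrd bytes"
SAMPLE_TREEINFO = (
    "[checksums]\n"
    "images/pxeboot/initrd.img = sha256:" + hashlib.sha256(NEW_INITRD).hexdigest() + "\n"
)
STALE_MIRROR = {"images/pxeboot/initrd.img": OLD_INITRD}
FRESH_MIRROR = {"images/pxeboot/initrd.img": NEW_INITRD}

if __name__ == "__main__":
    for path, expected, actual in verify_tree(SAMPLE_TREEINFO, STALE_MIRROR.__getitem__):
        print(f"MISMATCH {path}: expected {expected}, actual {actual}")
```

Against a real mirror, pass the downloaded .treeinfo text and `http_fetcher(base_url)`; an empty result means the tree is internally consistent, while a mismatch on both /9/ and /9.5/ would point away from a stale cache.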

This is a perfect workaround to work around the issue - many thanks.

For a permanent fix, I encourage the Alma Linux team to check the yum repo server. Maybe the symlinks were not consistently updated to 9.5?

The issue is ongoing.

https://repo.almalinux.org/almalinux/9/cloud/x86_64/images/AlmaLinux-9-GenericCloud-latest.x86_64.qcow2 contains AlmaLinux 9.4 (old) - sha256sum of 4f2984589020c0d82b9a410cf9e29715a607c948dfdca652025cdc79ddb5e816

https://repo.almalinux.org/almalinux/9/cloud/x86_64/images/CHECKSUM contains hashes for AlmaLinux 9.5 (latest) - sha256sum for GenericCloud is abddf01589d46c841f718cec239392924a03b34c4fe84929af5d543c50e37e37

I have explicitly informed the Alma Linux infra team about the issue:

This issue has been resolved, presumably by Alma’s infra team.

However, @gvde's suggestion to use an intermittent workaround is also notable: