RPM package metadata problem

I feel like there’s an issue with the CI/CD process that creates the RPM packages for telegraf (it may well affect other products, but this is the only one we use).

We use a private caching mirror in front of https://repos.influxdata.com

This works fine a lot of the time, but we get frequent problems with “Package does not match intended download” errors when trying to deploy telegraf from our mirror.

The problem seems to be that the package is being recreated in place on the upstream, which changes the signature. This results in a corresponding update of the metadata. The new metadata is cached by our mirror, but because it is quite reasonably expecting the upstream package for a particular version to remain unchanged, it does not re-cache the package without manual intervention.

This problem crops up with annoying regularity and only with this particular repo (despite the fact that we are caching a large quantity of upstream content from many varied repos).

Not sure where to raise a bug about this, because it doesn’t immediately feel like a telegraf issue, rather the supporting CI/CD process around it.

Hi,

As previously announced, InfluxData rotated our package signing key after the CircleCI incident announced at the beginning of the year. As a result of the new GPG key, we also re-signed each of the packages with the new GPG key and then again to update the packages’ NVRA value.

This caused two updates to the RPMs, when it should have been done only once. We have updated instructions should we ever need to rotate the GPG key again.

We do not foresee any further updates to packages. This hopefully explains the recent churn.

Thanks

Thanks for your reply @jpowers

I wasn’t aware there had been an incident with CircleCI, and this may well explain the most recent issue we experienced; however, our problems pre-date this incident by some margin. I found instances where we experienced the problem I described above going back to September 2022 (probably even earlier, but that’s when we started joining the dots).

So unless something has been done recently to rectify what was happening prior to CircleCI, then I fear we will continue to experience the problem.
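The stale-cache condition described in the first post can be detected on the mirror side by comparing each cached package against the checksum in the repository's current `primary.xml`. The following is an added example, not part of the thread or of InfluxData's tooling; the `cached` mapping, the helper names, and the sample file names and payloads are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"c": "http://linux.duke.edu/metadata/common"}  # repodata primary.xml namespace

def expected_checksums(primary_xml):
    """Map each package's location href to (algorithm, hex digest)."""
    out = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        csum = pkg.find("c:checksum", NS)
        # Older repositories label SHA-1 as "sha".
        algo = {"sha": "sha1"}.get(csum.get("type"), csum.get("type"))
        out[pkg.find("c:location", NS).get("href")] = (algo, csum.text.strip().lower())
    return out

def stale_packages(primary_xml, cached):
    """Return hrefs whose cached bytes no longer match the current metadata.

    `cached` (href -> bytes) is a hypothetical stand-in for the mirror's store.
    """
    stale = []
    for href, (algo, want) in sorted(expected_checksums(primary_xml).items()):
        blob = cached.get(href)
        if blob is None:
            continue  # never cached: the next request fetches the current file
        if hashlib.new(algo, blob).hexdigest() != want:
            stale.append(href)  # same name-version-release, different bytes
    return stale

def build_primary(packages):
    """Constructed sample metadata (href -> bytes), reduced to the fields used here."""
    entries = "".join(
        f'<package type="rpm"><checksum type="sha256" pkgid="YES">'
        f'{hashlib.sha256(data).hexdigest()}</checksum>'
        f'<location href="{href}"/></package>'
        for href, data in packages.items())
    return f'<metadata xmlns="{NS["c"]}">{entries}</metadata>'

# Constructed sample: file names and payloads are placeholders, not real packages.
UPSTREAM = {"telegraf-0.0.0-1.x86_64.rpm": b"payload after in-place re-sign",
            "other-0.0.0-1.x86_64.rpm": b"payload never rebuilt"}
MIRROR = dict(UPSTREAM)
MIRROR["telegraf-0.0.0-1.x86_64.rpm"] = b"payload as originally cached"

if __name__ == "__main__":
    for href in stale_packages(build_primary(UPSTREAM), MIRROR):
        print("stale in cache, evict and re-fetch:", href)
```

A file flagged here has the same name but different bytes from what the metadata now describes, which is the mismatch the client reports; the client's GPG signature check still applies to whatever is re-fetched.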