RVM 1.29.5 stable signed with different key #4520

Closed
daygr opened this issue Dec 12, 2018 · 9 comments

@daygr daygr commented Dec 12, 2018

I am attempting to run rvm get stable on Ubuntu 16.04 LTS

Steps to reproduce

Install rvm on master: curl -sSL https://get.rvm.io | bash -s master
Attempt to run rvm get stable

Alternatively, try to install stable rvm: curl -sSL https://get.rvm.io | bash -s stable

Expected behavior

The script correctly installs the latest stable release version.

Actual behavior

curl -sSL https://get.rvm.io | bash -s stable
Downloading https://github.com/rvm/rvm/archive/1.29.5.tar.gz
Downloading https://github.com/rvm/rvm/releases/download/1.29.5/1.29.5.tar.gz.asc
gpg: Signature made Wed Dec 12 11:25:22 2018 UTC using RSA key ID 39499BDB
gpg: Can't check signature: public key not found
Warning, RVM 1.26.0 introduces signed releases and automated check of signatures when GPG software found. Assuming you trust Michal Papis import the mpapis public key (downloading the signatures).

GPG signature verification failed for '/usr/local/rvm/archives/rvm-1.29.5.tgz' - 'https://github.com/rvm/rvm/releases/download/1.29.5/1.29.5.tar.gz.asc'! Try to install GPG v2 and then fetch the public key:

    sudo gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3

or if it fails:

    command curl -sSL https://rvm.io/mpapis.asc | sudo gpg --import -

the key can be compared with:

    https://rvm.io/mpapis.asc
    https://keybase.io/mpapis

NOTE: GPG version 2.1.17 have a bug which cause failures during fetching keys from remote server. Please downgrade or upgrade to newer version (if available) or use the second method described above.

Note that I do have Michal Papis's key:

gpg --list-keys
...
------------------------
pub   4096R/D39DC0E3 2014-10-28
uid                  Michal Papis (RVM signing) <mpapis@gmail.com>
uid                  Michal Papis <michal.papis@toptal.com>
uid                  [jpeg image of size 5015]
sub   2048R/C71866D7 2015-11-02
sub   4096R/BF04FF17 2014-10-28 [expires: 2019-03-09]
...

This is due to the newest stable release, 1.29.5, having been signed by https://github.com/pkuczynski rather than https://github.com/mpapis

gpg --verify 1.29.5.tar.gz.asc rvm-1.29.5.tar.gz 
gpg: Signature made Wed 12 Dec 2018 06:25:22 AM EST
gpg:                using RSA key 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
gpg: Can't check signature: No public key
gpg --verify 1.29.4.tar.gz.asc rvm-1.29.4.tar.gz
gpg: Signature made Sun 01 Jul 2018 03:41:26 PM EDT
gpg:                using RSA key 62C9E5F4DA300D94AC36166BE206C29FBF04FF17
gpg: Good signature from "Michal Papis (RVM signing) <mpapis@gmail.com>" [unknown]
gpg:                 aka "Michal Papis <michal.papis@toptal.com>" [unknown]
gpg:                 aka "[jpeg image of size 5015]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 409B 6B17 96C2 7546 2A17  0311 3804 BB82 D39D C0E3
     Subkey fingerprint: 62C9 E5F4 DA30 0D94 AC36  166B E206 C29F BF04 FF17

To "fix" the problem, I imported pkuczynski's key listed on the signature (gpg --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB), and was able to run rvm get stable; however, the documentation still refers to mpapis's key.

gpg --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB

gpg: requesting key 39499BDB from hkp server keys.gnupg.net
gpg: key 39499BDB: public key "Piotr Kuczynski <piotr.kuczynski@gmail.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

rvm get stable
Downloading https://get.rvm.io
Downloading https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc
Verifying /usr/local/rvm/archives/rvm-installer.asc
gpg: Signature made Sat Mar 31 21:47:44 2018 UTC using RSA key ID BF04FF17
gpg: Good signature from "Michal Papis (RVM signing) <mpapis@gmail.com>"
gpg:                 aka "Michal Papis <michal.papis@toptal.com>"
gpg:                 aka "[jpeg image of size 5015]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 409B 6B17 96C2 7546 2A17  0311 3804 BB82 D39D C0E3
     Subkey fingerprint: 62C9 E5F4 DA30 0D94 AC36  166B E206 C29F BF04 FF17
GPG verified '/usr/local/rvm/archives/rvm-installer'
Downloading https://github.com/rvm/rvm/archive/1.29.5.tar.gz
Downloading https://github.com/rvm/rvm/releases/download/1.29.5/1.29.5.tar.gz.asc
gpg: Signature made Wed Dec 12 11:25:22 2018 UTC using RSA key ID 39499BDB
gpg: Good signature from "Piotr Kuczynski <piotr.kuczynski@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7D2B AF1C F37B 13E2 069D  6956 105B D0E7 3949 9BDB
GPG verified '/usr/local/rvm/archives/rvm-1.29.5.tgz'
Upgrading the RVM installation in /usr/local/rvm/
Upgrade of RVM in /usr/local/rvm/ is complete.
  * Please do NOT forget to add your users to the rvm group.
     The installer no longer auto-adds root or users to the rvm group. Admins must do this.
     Also, please note that group memberships are ONLY evaluated at login time.
     This means that users must log out then back in before group membership takes effect!
  * No new notes to display.

RVM reloaded!

This affected my ansible playbook (using the rvm.ruby galaxy role) for example, and may have other unintended consequences.


@crevete crevete commented Dec 12, 2018

I've got the same issue... Please check it out ASAP. Thanks.


@CharlesP CharlesP commented Dec 12, 2018

Yes, same issue here as well. I'm assuming everyone trying to install 1.29.5 today is going to experience this.


@rmldsky rmldsky commented Dec 12, 2018

Seems @pkuczynski added a PR #4519 to mention his key in documentation, which makes it legit I guess? It's a pity it didn't go live at the same time as the actual rvm release. CHANGELOG could also mention it to avoid confusion.


@pedrolcn pedrolcn commented Dec 12, 2018

Same issue here. @daygr's solution to add @pkuczynski's GPG key solved it.
Added

gpg --keyserver hkp://keys.gnupg.net --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB

to build.

Author

@daygr daygr commented Dec 12, 2018

@rmldsky @pkuczynski the PR is good to see, looks like it addresses the problem, makes me feel better about importing the key and installing 1.29.5. I grabbed the .asc file mentioned in the PR and imported it, and it's the same key.

gpg --import pkuczynski.asc
gpg: key 105BD0E739499BDB: "Piotr Kuczynski <piotr.kuczynski@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

That said, I think that PR should have been merged before a stable package was released with the new key.

Member

@pkuczynski pkuczynski commented Dec 12, 2018

Sorry for all the confusion. We added the key to the rvm site before, just forgot to add it here. Michał has no time anymore for rvm, so I will be releasing the next versions.
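
The comparison done by eye in the posts above (which key made the signature, and is it one the project publishes) can be scripted by pinning full primary-key fingerprints and reading gpg's machine-readable status output. This is an added example, not part of the thread or of RVM's installer; the two fingerprints are the ones quoted on this page, and the function names, variable names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not RVM's installer). Fingerprints are the two quoted in
# this thread; function and variable names are hypothetical.
PINNED_FPRS="409B6B1796C275462A1703113804BB82D39DC0E3
7D2BAF1CF37B13E2069D6956105BD0E739499BDB"

# Constructed sample of `gpg --status-fd` output for a signature made with a
# signing subkey of the first pinned key (timestamps are made up).
SAMPLE_SUBKEY_SIG='[GNUPG:] GOODSIG E206C29FBF04FF17 Michal Papis (RVM signing) <mpapis@gmail.com>
[GNUPG:] VALIDSIG 62C9E5F4DA300D94AC36166BE206C29FBF04FF17 2018-07-01 1530474086 0 4 0 1 8 00 409B6B1796C275462A1703113804BB82D39DC0E3'

# Reads status output on stdin. Prints the primary key fingerprint and
# returns 0 only for a valid signature by a pinned key; otherwise returns 1.
check_status() {
    st_out=$(cat)
    # Fail closed on bad, unverifiable, expired or revoked signatures.
    if printf '%s\n' "$st_out" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # VALIDSIG: field 3 is the signing (sub)key, the last field the primary key.
    primary=$(printf '%s\n' "$st_out" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    for fpr in $PINNED_FPRS; do
        if [ -n "$primary" ] && [ "$primary" = "$fpr" ]; then
            printf '%s\n' "$primary"
            return 0
        fi
    done
    return 1
}

# Usage: verify_release 1.29.5.tar.gz.asc rvm-1.29.5.tar.gz
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}
```

Matching on the primary fingerprint rather than the signing key accepts the 1.29.4 case from the first post, where the signature was made with a subkey of the pinned mpapis key, and it never relies on the 8-character key ID.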

@pkuczynski pkuczynski added this to the rvm-1.29.7 milestone Dec 13, 2018
Kha added a commit to leanprover/lean that referenced this issue Jan 11, 2019
[OS X builds are currently failing on Travis](https://travis-ci.org/leanprover/lean/jobs/477775262#L1091), the underlying issue seems to be that [rvm has a new maintainer with a new gpg key](rvm/rvm#4520).
athix added a commit to athix/sorcery that referenced this issue Jan 12, 2019
See related issues:
[rvm/rvm#4520](rvm/rvm#4520)
[rvm/rvm#4561](rvm/rvm#4561)

Should be solved by (but isn't yet):
[travis-ci/travis-build#1634](travis-ci/travis-build#1634)

@alexismansilla alexismansilla commented Jan 30, 2019

thx


@rpolasek rpolasek commented Jul 15, 2019

I've imported Piotr's new key but I still can't update my rvm using the command rvm get head :-/

$ gpg --list-keys
pub   rsa4096 2014-10-28 [SC]
      409B6B1796C275462A1703113804BB82D39DC0E3
uid           [ unknown] Michal Papis (RVM signing) <mpapis@gmail.com>
uid           [ unknown] Michal Papis <michal.papis@toptal.com>
uid           [ unknown] [jpeg image of size 5015]
sub   rsa4096 2014-10-28 [S] [expires: 2022-03-12]
sub   rsa2048 2015-11-02 [E]

pub   rsa4096 2016-11-11 [SC]
      7D2BAF1CF37B13E2069D6956105BD0E739499BDB
uid           [ unknown] Piotr Kuczynski <piotr.kuczynski@gmail.com>
sub   rsa4096 2016-11-11 [E]

$ rvm get head
Downloading https://get.rvm.io
Downloading https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc
Verifying /home/rpolasek/.rvm/archives/rvm-installer.asc
gpg: Signature made Fri 12 Jul 2019 11:08:29 AM CEST
gpg:                using RSA key 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
gpg: BAD signature from "Piotr Kuczynski <piotr.kuczynski@gmail.com>" [unknown]
GPG signature verification failed for '/home/rpolasek/.rvm/archives/rvm-installer' - 'https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc'! Try to install GPG v2 and then fetch the public key:

gpg2 --keyserver hkp://pool.sks-keyservers.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB

or if it fails:

command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
command curl -sSL https://rvm.io/pkuczynski.asc | gpg2 --import -

In case of further problems with validation please refer to https://rvm.io/rvm/security

Member

@pkuczynski pkuczynski commented Jul 15, 2019

It's fixed now.

ashokm added a commit to ashokm/dotfiles that referenced this issue Mar 17, 2020
Fixes install failure with v1.29.5.
See rvm/rvm#4520 for details.