RVM 1.29.5 stable signed with different key #4520

Closed
daygr opened this Issue Dec 12, 2018 · 7 comments

daygr commented Dec 12, 2018

I am attempting to run rvm get stable on Ubuntu 16.04 LTS

Steps to reproduce

Install rvm on master: curl -sSL https://get.rvm.io | bash -s master
Attempt to run rvm get stable

Alternatively, try to install stable rvm: curl -sSL https://get.rvm.io | bash -s stable

Expected behavior

The script correctly installs the latest stable release version.

Actual behavior

curl -sSL https://get.rvm.io | bash -s stable
Downloading https://github.com/rvm/rvm/archive/1.29.5.tar.gz
Downloading https://github.com/rvm/rvm/releases/download/1.29.5/1.29.5.tar.gz.asc
gpg: Signature made Wed Dec 12 11:25:22 2018 UTC using RSA key ID 39499BDB
gpg: Can't check signature: public key not found
Warning, RVM 1.26.0 introduces signed releases and automated check of signatures when GPG software found. Assuming you trust Michal Papis import the mpapis public key (downloading the signatures).

GPG signature verification failed for '/usr/local/rvm/archives/rvm-1.29.5.tgz' - 'https://github.com/rvm/rvm/releases/download/1.29.5/1.29.5.tar.gz.asc'! Try to install GPG v2 and then fetch the public key:

    sudo gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3

or if it fails:

    command curl -sSL https://rvm.io/mpapis.asc | sudo gpg --import -

the key can be compared with:

    https://rvm.io/mpapis.asc
    https://keybase.io/mpapis

NOTE: GPG version 2.1.17 have a bug which cause failures during fetching keys from remote server. Please downgrade or upgrade to newer version (if available) or use the second method described above.

Note that I do have Michal Papis's key:

gpg --list-keys
...
------------------------
pub   4096R/D39DC0E3 2014-10-28
uid                  Michal Papis (RVM signing) <mpapis@gmail.com>
uid                  Michal Papis <michal.papis@toptal.com>
uid                  [jpeg image of size 5015]
sub   2048R/C71866D7 2015-11-02
sub   4096R/BF04FF17 2014-10-28 [expires: 2019-03-09]
...

This is due to the newest stable release, 1.29.5, having been signed by https://github.com/pkuczynski rather than https://github.com/mpapis

gpg --verify 1.29.5.tar.gz.asc rvm-1.29.5.tar.gz 
gpg: Signature made Wed 12 Dec 2018 06:25:22 AM EST
gpg:                using RSA key 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
gpg: Can't check signature: No public key
gpg --verify 1.29.4.tar.gz.asc rvm-1.29.4.tar.gz
gpg: Signature made Sun 01 Jul 2018 03:41:26 PM EDT
gpg:                using RSA key 62C9E5F4DA300D94AC36166BE206C29FBF04FF17
gpg: Good signature from "Michal Papis (RVM signing) <mpapis@gmail.com>" [unknown]
gpg:                 aka "Michal Papis <michal.papis@toptal.com>" [unknown]
gpg:                 aka "[jpeg image of size 5015]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 409B 6B17 96C2 7546 2A17  0311 3804 BB82 D39D C0E3
     Subkey fingerprint: 62C9 E5F4 DA30 0D94 AC36  166B E206 C29F BF04 FF17

To "fix" the problem, I imported pkuczynski's key listed on the signature (gpg --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB), and was able to run rvm get stable; however, the documentation still refers to mpapis's key.

gpg --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB

gpg: requesting key 39499BDB from hkp server keys.gnupg.net
gpg: key 39499BDB: public key "Piotr Kuczynski <piotr.kuczynski@gmail.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

rvm get stable
Downloading https://get.rvm.io
Downloading https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc
Verifying /usr/local/rvm/archives/rvm-installer.asc
gpg: Signature made Sat Mar 31 21:47:44 2018 UTC using RSA key ID BF04FF17
gpg: Good signature from "Michal Papis (RVM signing) <mpapis@gmail.com>"
gpg:                 aka "Michal Papis <michal.papis@toptal.com>"
gpg:                 aka "[jpeg image of size 5015]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 409B 6B17 96C2 7546 2A17  0311 3804 BB82 D39D C0E3
     Subkey fingerprint: 62C9 E5F4 DA30 0D94 AC36  166B E206 C29F BF04 FF17
GPG verified '/usr/local/rvm/archives/rvm-installer'
Downloading https://github.com/rvm/rvm/archive/1.29.5.tar.gz
Downloading https://github.com/rvm/rvm/releases/download/1.29.5/1.29.5.tar.gz.asc
gpg: Signature made Wed Dec 12 11:25:22 2018 UTC using RSA key ID 39499BDB
gpg: Good signature from "Piotr Kuczynski <piotr.kuczynski@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7D2B AF1C F37B 13E2 069D  6956 105B D0E7 3949 9BDB
GPG verified '/usr/local/rvm/archives/rvm-1.29.5.tgz'
Upgrading the RVM installation in /usr/local/rvm/
Upgrade of RVM in /usr/local/rvm/ is complete.
  * Please do NOT forget to add your users to the rvm group.
     The installer no longer auto-adds root or users to the rvm group. Admins must do this.
     Also, please note that group memberships are ONLY evaluated at login time.
     This means that users must log out then back in before group membership takes effect!
  * No new notes to display.

RVM reloaded!

This affected my ansible playbook (using the rvm.ruby galaxy role) for example, and may have other unintended consequences.


crevete commented Dec 12, 2018

I've got the same issue... Please check it out ASAP. Thanks.


CharlesP commented Dec 12, 2018

Yes, same issue here as well. I'm assuming everyone trying to install 1.29.5 today is going to experience this.


rmldsky commented Dec 12, 2018

Seems @pkuczynski added a PR #4519 to mention his key in documentation, which makes it legit I guess? It's a pity it didn't go live the same time as actual rvm release. CHANGELOG could also mention it to avoid confusion.


pedrolcn commented Dec 12, 2018

Same issue here. @daygr's solution to add @pkuczynski's GPG key solved it.
Added

gpg --keyserver hkp://keys.gnupg.net --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB

to build


daygr commented Dec 12, 2018

@rmldsky @pkuczynski the PR is good to see, looks like it addresses the problem, makes me feel better about importing the key and installing 1.29.5. I grabbed the .asc file mentioned in the PR and imported it, and it's the same key.

gpg --import pkuczynski.asc
gpg: key 105BD0E739499BDB: "Piotr Kuczynski <piotr.kuczynski@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

That said, I think that PR should have been merged before a stable package was released with the new key.
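
As an added example (not part of the thread and not RVM's own code), this is the check a build script could run instead of importing whichever key a signature names: accept the release only when gpg's machine-readable status reports a valid signature whose primary-key fingerprint is one of the two shown in the gpg output on this page. The function name `is_pinned_signature` and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin release signers by full primary-key fingerprint.
# The two fingerprints are the primary keys shown in the gpg output in this issue.
PINNED_FPRS="409B6B1796C275462A1703113804BB82D39DC0E3
7D2BAF1CF37B13E2069D6956105BD0E739499BDB"

# Reads the output of `gpg --status-fd 1 --verify SIG FILE 2>/dev/null` on stdin.
# Returns 0 only if there is a VALIDSIG line whose primary-key fingerprint
# (field 12 of that status line) is pinned, and no signature failed.
is_pinned_signature() {
    gpg_status=$(cat)
    # Bad, uncheckable, expired or revoked signatures fail the whole check.
    if printf '%s\n' "$gpg_status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    fpr=$(printf '%s\n' "$gpg_status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && length($12) == 40 { print $12; exit }')
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$PINNED_FPRS" | grep -Fxq "$fpr"
}

# Constructed status output (timestamps and algorithm fields are illustrative).
# 1.29.4 case: signed by a subkey, so field 3 differs from the pinned primary key.
SAMPLE_SUBKEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E206C29FBF04FF17 Michal Papis (RVM signing) <mpapis@gmail.com>
[GNUPG:] VALIDSIG 62C9E5F4DA300D94AC36166BE206C29FBF04FF17 2018-07-01 1530474086 0 4 0 1 8 00 409B6B1796C275462A1703113804BB82D39DC0E3'
# 1.29.5 case before the new key is in the keyring: there is no VALIDSIG at all.
SAMPLE_NO_KEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 105BD0E739499BDB 1 8 00 1544613922 9
[GNUPG:] NO_PUBKEY 105BD0E739499BDB'
# A cryptographically valid signature from a key that is not on the pinned list.
SAMPLE_UNPINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-12-12 1544613922 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

for name in SAMPLE_SUBKEY SAMPLE_NO_KEY SAMPLE_UNPINNED; do
    eval "sample=\$$name"
    if printf '%s\n' "$sample" | is_pinned_signature; then
        echo "$name: accept"
    else
        echo "$name: reject"
    fi
done
```

Matching on the primary-key field rather than the signing-key field is what lets the subkey-signed 1.29.4 release pass, and a new signer is admitted by adding its full fingerprint to the list after checking it against a second source.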

Member

pkuczynski commented Dec 12, 2018

Sorry for all the confusion. We added the key to the rvm site before, just forgot to add it here. Michał has no time for rvm anymore, so I will be releasing the next versions.

@pkuczynski pkuczynski added this to the rvm-1.29.7 milestone Dec 13, 2018

bryangingechen added a commit to bryangingechen/lean that referenced this issue Jan 10, 2019

chore(.travis.yml): gpg key for new rvm maintainer
[OS X builds are currently failing on Travis](https://travis-ci.org/leanprover/lean/jobs/477775262#L1091), the underlying issue seems to be that [rvm has a new maintainer with a new gpg key](rvm/rvm#4520).

Kha added a commit to leanprover/lean that referenced this issue Jan 11, 2019

chore(.travis.yml): gpg key for new rvm maintainer
[OS X builds are currently failing on Travis](https://travis-ci.org/leanprover/lean/jobs/477775262#L1091), the underlying issue seems to be that [rvm has a new maintainer with a new gpg key](rvm/rvm#4520).

athix added a commit to athix/sorcery that referenced this issue Jan 12, 2019


alexismansilla commented Jan 30, 2019

thx
