
Upgrading with "rvm get stable" gives an incorrect error message regarding GPG keys #4533

Closed
danarnold opened this issue Dec 17, 2018 · 3 comments

@danarnold

commented Dec 17, 2018

Description

In order to upgrade rvm with "rvm get stable", I needed to import pkuczynski's GPG key. The installation page gives correct instructions, telling the user to import both keys from the gnupg key servers. When attempting to upgrade rvm, without pkuczynski's key, it will fail, but the error message is as follows:

Warning, RVM 1.26.0 introduces signed releases and automated check of signatures when GPG software found. Assuming you trust Michal Papis import the mpapis public key (downloading the signatures).

GPG signature verification failed for '/Users/dan/.rvm/archives/rvm-installer' - 'https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc'! Try to install GPG v2 and then fetch the public key:

    gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3

or if it fails:

    command curl -sSL https://rvm.io/mpapis.asc | gpg --import -

the key can be compared with:

    https://rvm.io/mpapis.asc
    https://keybase.io/mpapis

NOTE: GPG version 2.1.17 have a bug which cause failures during fetching keys from remote server. Please downgrade or upgrade to newer version (if available) or use the second method described above.

This error message should give the full line including the second key: gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB.

Additionally, in the instance that these servers are both inaccessible or these commands do not work for the user, importing directly from rvm.io is the fallback option. Unfortunately, both the installation page linked above and the error message from running "rvm get stable" only give the command to import the key belonging to mpapis, not pkuczynski's key. I only figured this out after seeing this comment on a different issue while searching for a solution. So, the error message and the installation page should show the full command to import the keys from rvm.io:

    curl -sSL https://rvm.io/pkuczynski.asc | gpg --import -
    curl -sSL https://rvm.io/mpapis.asc | gpg --import -

I know it was pkuczynski's key that made the difference, because when importing mpapis', gpg reported "not changed," whereas pkuczynski's key reported "imported."

Environment info

I was on rvm 1.29.4 before upgrading. I upgraded because an "rvm install" attempt failed with the same gpg key error, and other members of my team were experiencing errors upgrading rvm with the same error.

@pkuczynski

Member

commented Dec 18, 2018

This release was done in a bit of unmanaged fashion, apologies for that. We should first ensure new keys are distributed prior to running a release. Unfortunately, @mpapis has currently limited time and many people were waiting for the new release, while I was unaware of complications.

Follow instructions from http://rvm.io and you should be fine...

    command curl -sSL https://rvm.io/pkuczynski.asc | gpg --import -

Issue is fixed in the latest release...

@tompave


commented Dec 27, 2018

+1

I had the same problem and at first I got a bit concerned because rvm get stable reported an unknown signature:

    $ rvm get stable
    Downloading https://get.rvm.io
    Downloading https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc
    Verifying /Users/Tom/.rvm/archives/rvm-installer.asc
    gpg: Signature made Sat 22 Dec 00:26:59 2018 CET
    gpg:                using RSA key 7D2BAF1CF37B13E2069D6956105BD0E739499BDB

I thought that the download server had been compromised and it was trying to install a tampered version.

I got and inspected the key 7D2BAF1CF37B13E2069D6956105BD0E739499BDB and noticed it seemed to belong to @pkuczynski, a core contributor, but it was still not clear if it could be trusted until I found this issue. In hindsight, if I had checked the online installation docs I could have noticed that the signature is also reported there.
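As an added example (not RVM's own code, and not something either commenter posted), the shell script below implements the change danarnold asks for in the opening post and that tompave's output makes concrete: read the machine-readable status lines that `gpg --status-fd 1 --verify` emits, work out which of the two RVM release keys actually made (or was needed for) the signature, and tell the user to import that key, rather than always pointing at the mpapis key. It assumes the two fingerprints quoted in this thread are the complete set of RVM release-signing keys; the function names `key_owner`, `classify_status` and `advice` are my own, and the status lines used in the usage comment are constructed. The `[GNUPG:] VALIDSIG`, `NO_PUBKEY`, `ERRSIG` and `BADSIG` tokens are GnuPG's documented status-fd keywords.

```shell
#!/bin/sh
# Added example (not RVM's own code): turn the machine-readable status lines
# of `gpg --status-fd 1 --verify rvm-installer.asc rvm-installer` into a
# message that names the RVM signing key that is actually missing, rather
# than always pointing at the mpapis key as the error quoted in this issue does.

# Fingerprints of the two RVM release-signing keys, as quoted in this thread.
MPAPIS_FPR=409B6B1796C275462A1703113804BB82D39DC0E3
PKUCZYNSKI_FPR=7D2BAF1CF37B13E2069D6956105BD0E739499BDB

# Map a full fingerprint, or the 16-hex-digit long key ID that gpg prints in
# NO_PUBKEY/ERRSIG lines, to the owner name used in the rvm.io key file name.
# Matching on the fingerprint suffix covers both forms. Exit 1 if unknown.
key_owner() {
  [ ${#1} -ge 16 ] || { echo unknown; return 1; }
  case "$MPAPIS_FPR" in *"$1") echo mpapis; return 0 ;; esac
  case "$PKUCZYNSKI_FPR" in *"$1") echo pkuczynski; return 0 ;; esac
  echo unknown
  return 1
}

# Read gpg status lines on stdin and print one classification:
#   trusted:<owner>          valid signature made by a known RVM key
#   untrusted:<fingerprint>  valid signature, but not by an RVM key
#   missing:<owner>:<keyid>  signing key is not in the local keyring
#   bad                      signature does not match the file
#   none                     no signature status lines seen at all
classify_status() {
  result=none
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        rest=${line#"[GNUPG:] VALIDSIG "}
        fpr=${rest%% *}
        if owner=$(key_owner "$fpr"); then
          result="trusted:$owner"
        else
          result="untrusted:$fpr"
        fi ;;
      "[GNUPG:] NO_PUBKEY "*)
        rest=${line#"[GNUPG:] NO_PUBKEY "}
        keyid=${rest%% *}
        owner=$(key_owner "$keyid") || true
        result="missing:$owner:$keyid" ;;
      "[GNUPG:] BADSIG "*)
        result=bad ;;
    esac
  done
  printf '%s\n' "$result"
}

# Turn a classification into the message the user should see. Only the two
# keys pinned above are ever offered for import; an unknown signer is
# reported, not fetched.
advice() {
  case "$1" in
    trusted:*)
      echo "OK: signed by the RVM key of ${1#trusted:}" ;;
    missing:unknown:*)
      echo "Signing key ${1##*:} is not a known RVM release key; do not install" ;;
    missing:*)
      owner=${1#missing:}
      owner=${owner%%:*}
      echo "Missing RVM key of $owner; import it with:"
      echo "  curl -sSL https://rvm.io/$owner.asc | gpg --import -" ;;
    untrusted:*)
      echo "Valid signature, but key ${1#untrusted:} is not a known RVM release key; do not install" ;;
    bad)
      echo "Signature does not match the downloaded file; discard it" ;;
    *)
      echo "No signature status from gpg; do not install" ;;
  esac
}

# Usage with a real download (needs gpg and both files present):
#   gpg --status-fd 1 --verify rvm-installer.asc rvm-installer 2>/dev/null \
#     | classify_status | { read -r c; advice "$c"; }
# With a constructed status stream showing the situation from this thread:
#   printf '%s\n' '[GNUPG:] NO_PUBKEY 105BD0E739499BDB' | classify_status
#   prints missing:pkuczynski:105BD0E739499BDB
```

The point of keeping the key list inside the script is that the user is never told to fetch whatever key ID gpg happens to report; an unfamiliar signer, which is exactly what tompave feared, produces a refusal rather than an import command.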

@jacob


commented Apr 12, 2019

I also encountered this issue
