
Installing Yarn on Ubuntu 18.04.1 LTS gives invalid signature error. Possible expired key? #6865

Closed
Hates opened this Issue Jan 1, 2019 · 30 comments

Hates commented Jan 1, 2019

What is the current behavior?

Attempting to install yarn on a new Ubuntu 18.04.1 LTS server and I get the following errors:

root@vps631721:~# curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
OK
root@vps631721:~# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2016-10-05 [SC]
      72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
uid           [ unknown] Yarn Packaging <yarn@dan.cx>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2016-10-30 [S] [expires: 2019-01-01]

.................

root@vps631721:~# echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
deb https://dl.yarnpkg.com/debian/ stable main
root@vps631721:~# sudo apt-get update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Hit:3 http://nova.clouds.archive.ubuntu.com/ubuntu bionic InRelease
Hit:4 http://nova.clouds.archive.ubuntu.com/ubuntu bionic-updates InRelease
Get:5 https://dl.yarnpkg.com/debian stable InRelease [13.3 kB]
Hit:6 http://nova.clouds.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:7 http://apt.postgresql.org/pub/repos/apt bionic-pgdg InRelease
Err:5 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures were invalid: EXPKEYSIG E074D16EB6FF4DE3 Yarn Packaging <yarn@dan.cx>
Reading package lists... Done
W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG E074D16EB6FF4DE3 Yarn Packaging <yarn@dan.cx>
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I don't know if the line sub rsa4096 2016-10-30 [S] [expires: 2019-01-01] (which is today) when doing the apt-key list is of any note?

What is the expected behavior?

Yarn installs.

Please mention your node.js, yarn and operating system version.

Ubuntu 18.04.1 LTS

heupr bot assigned Daniel15 Jan 1, 2019

heupr bot added the triaged label Jan 1, 2019

Daniel15 (Member) commented Jan 1, 2019

Ohh, the key may have expired today! I'll have to take a look once I'm back from vacation (later today or tomorrow).

sharkeyryan commented Jan 1, 2019

We are having this issue as of today as well.

Thanks for all your help @Daniel15.

lukasjuhrich commented Jan 1, 2019

@DanBuild Indeed: I also get an EXPKEYSIG E074D16EB6FF4DE3 Yarn Packaging <yarn@dan.cx> when adding the repo and running apt-get update on Debian stretch.

Note the key you provide:

$ curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --keyid-format 0xlong
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096/0x1646B01B86E50310 2016-10-05 [SC]
      72ECF46A56B4AD39C907BBB71646B01B86E50310
uid                             Yarn Packaging <yarn@dan.cx>
sub   rsa4096/0x02820C39D50AF136 2016-10-05 [E]
sub   rsa4096/0xD101F7899D41F3C3 2016-10-05 [S] [expired: 2017-10-05]
sub   rsa4096/0x46C2130DFD2497F5 2016-10-30 [S] [expires: 2019-01-01]
sub   rsa4096/0xE074D16EB6FF4DE3 2017-09-10 [S] [expired: 2019-01-01]

Note that the expired subkey is precisely the one referenced in the error.

gbrusella commented Jan 1, 2019

@Daniel15 The key is valid until 2019-01-01 as per #4253

AliSawari commented Jan 1, 2019

I had the same issue a few moments ago; it seems it was valid till 2018.
And oh... by the way, Happy New Year guys, great job at Yarn!

Daniel15 (Member) commented Jan 1, 2019

The installation script should still work, so you can use that for now. I'll fix it as soon as I can, but that won't be until tonight as I'm currently travelling.

I usually create a Github issue for key rotation, but I forgot to do that in 2018. I'm going to add a reminder in my calendar so I don't forget about this next year too.

guyguy333 commented Jan 1, 2019

As a temporary fix, adding [trusted=yes] will remove GPG error:

deb [trusted=yes] https://dl.yarnpkg.com/debian/ stable main

lukasjuhrich added a commit to agdsn/pycroft that referenced this issue Jan 1, 2019

Trust yarn repo
This is a quickfix so the builds will work in spite of the expired gpg
key.
See yarnpkg/yarn#6865.
daveomcd commented Jan 1, 2019

As a temporary fix, adding [trusted=yes] will remove GPG error:

deb [trusted=yes] https://dl.yarnpkg.com/debian/ stable main

I added this to my /etc/apt/sources.list.d/yarn.list file... but running sudo apt update still gives me the error. Is there something else I need to do?

Hates commented Jan 1, 2019

@daveomcd I believe it just comes up as a warning once that's added, try running the sudo apt-get install yarn. It was able to install after that.

rromanchuk commented Jan 1, 2019

This caused failures in my auto provisioning (AWS autoscaling spot fleet) when an Ansible Tower callback ran a playbook that updated the cache, causing provision failures. Time to harden up my playbooks, be careful out there folks!

Daniel15 (Member) commented Jan 1, 2019

I'm really sorry for breaking it. This is 100% my fault. I usually create a Github issue for the yearly key rotation (see #4253 for the previous issue) but forgot to create one last year and it just slipped my mind this year.

@daveomcd's workaround is good. I'm still a few hours away from home but I'll rotate the key and publish the new one as soon as possible. I'm also going to configure some monitoring so we get alerts if the key is within 90 days of expiry.

Note that for CI systems, ideally you should not install Yarn fresh on each build. Instead, use a Docker image with all your build tools installed. :)

kojiromike commented Jan 1, 2019

@Daniel15 No worries, we all appreciate the time you devote entirely voluntarily and for free to maintaining open source software.

generalredneck commented Jan 2, 2019

Note that for CI systems, ideally you should not install Yarn fresh on each build. Instead, use a Docker image with all your build tools installed. :)

Or cache it... That's the way I got around this problem on Circle CI... that way if install of newest fails, I still gots a yarn to fallback on.

Daniel15 (Member) commented Jan 2, 2019

generalredneck commented Jan 2, 2019

Correct,
and now apparently they have a node-browsers variant on the PHP containers too which also includes yarn... which wasn't always the case... time to go update some docker container tags.

jleclanche commented Jan 2, 2019

I usually create a Github issue for key rotation, but I forgot to do that in 2018. I'm going to add a reminder in my calendar so I don't forget about this next year too.

I'd like to recommend expiring the key on a date other than January 1st… that way if it does expire, it's not during a holiday period :)

traceypooh commented Jan 2, 2019

I think this may have been reported even earlier than Jan 1: #6861

Daniel15 (Member) commented Jan 2, 2019

Should be fixed by yarnpkg/releases@0f3e4b2.

Please redownload the key as it now contains a new subkey:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

The new subkey expires on 2020-02-02 (thanks for the suggestion of not using January 1st, @jleclanche).

jleclanche commented Jan 2, 2019

@Daniel15 Thanks for the quick response time, I can confirm it works =)

Daniel15 (Member) commented Jan 2, 2019

Yeah I just double checked with fresh Debian and Ubuntu VMs and verified that it's working now. Thanks for your patience!

My mistake here was assuming that apt/dpkg would still be fine with the key/signature even though it's expired, as the repo was signed while the key was still valid (since the last update was in November). I think this is what 'vanilla' GPG does, and is also how it works on Windows:

Signing tools from Microsoft allow developers to affix time stamps at the same time as they affix Authenticode signatures. Time stamping allows Authenticode signatures to be verifiable even after the certificates used for signature have expired.

https://docs.microsoft.com/en-us/windows/desktop/seccrypto/time-stamping-authenticode-signatures

I'll follow up on this by creating some monitoring scripts that will alert us when the key is getting dangerously close to expiring.
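The 90-day expiry alert described above, as an added example that is not yarn's own monitoring script: it parses the output of `gpg --with-colons --show-keys pubkey.gpg` (GnuPG 2.2+; field 7 carries the expiry as epoch seconds) and flags signing subkeys that are already expired or inside the warning window. The embedded sample is constructed from the key IDs and dates posted in this thread; `parse_keys`, `signing_keys_at_risk` and `healthy` are names chosen here.

```python
"""Alert when the signing subkeys of an apt repository key are near expiry.
Added example, not yarn's own tooling. Input is `gpg --with-colons --show-keys
pubkey.gpg` output (GnuPG >= 2.2); field 7 carries the expiry as epoch seconds."""
from datetime import datetime, timezone

# Constructed sample: the key IDs and dates posted in this thread, rendered as
# gpg colon records. Field 1 = type, 5 = key ID, 7 = expiry, 12 = capabilities.
SAMPLE_COLONS = """\
pub:-:4096:1:1646B01B86E50310:1475625600:::-:::scSC::::::23::0:
fpr:::::::::72ECF46A56B4AD39C907BBB71646B01B86E50310:
uid:-::::1475625600::0123456789ABCDEF::Yarn Packaging <yarn@dan.cx>::::::::::0:
sub:-:4096:1:02820C39D50AF136:1475625600::::::e::::::23:
sub:e:4096:1:D101F7899D41F3C3:1475625600:1507161600:::::s::::::23:
sub:-:4096:1:46C2130DFD2497F5:1477785600:1546300800:::::s::::::23:
sub:e:4096:1:E074D16EB6FF4DE3:1505001600:1546300800:::::s::::::23:
"""

def parse_keys(colons):
    """Yield (record type, key ID, expiry datetime or None, capabilities)."""
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        exp = datetime.fromtimestamp(int(f[6]), tz=timezone.utc) if f[6] else None
        yield f[0], f[4], exp, f[11]

def signing_keys_at_risk(colons, now_iso, warn_days=90):
    """Return [(key ID, days_left)] for signing-capable keys that have already
    expired (days_left < 0) or expire within warn_days of now_iso (ISO 8601)."""
    now = datetime.fromisoformat(now_iso)
    flagged = []
    for _, keyid, exp, caps in parse_keys(colons):
        if "s" not in caps or exp is None:
            continue  # encryption-only subkey, or a key that never expires
        days_left = (exp - now).days
        if days_left <= warn_days:
            flagged.append((keyid, days_left))
    return flagged

def healthy(colons, now_iso, warn_days=90):
    """True only if some signing subkey stays valid beyond the warning window.
    apt rejects InRelease with EXPKEYSIG as soon as the signing subkey expires,
    even if the repository was signed while the key was still valid."""
    at_risk = {k for k, _ in signing_keys_at_risk(colons, now_iso, warn_days)}
    return any(t == "sub" and "s" in c and k not in at_risk
               for t, k, _, c in parse_keys(colons))
```

Feed real output in with `gpg --with-colons --show-keys pubkey.gpg` and the current UTC time in ISO 8601; a non-empty `signing_keys_at_risk()` result is the condition to alert on, and `healthy()` returning False means the repo will stop verifying within the window.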

Daniel15 closed this Jan 2, 2019

raphaelpereira commented Jan 2, 2019

Signing tools from Microsoft allow developers to affix time stamps at the same time as they affix Authenticode signatures. Time stamping allows Authenticode signatures to be verifiable even after the certificates used for signature have expired.

I think it should work like that! Probably a bug report on Debian?

abdullaev commented Jan 11, 2019

Still have the warning with the nightly repo:

W: GPG error: https://nightly.yarnpkg.com/debian nightly InRelease: The following signatures were invalid: EXPKEYSIG E074D16EB6FF4DE3 Yarn Packaging <yarn@dan.cx>
E: The repository 'https://nightly.yarnpkg.com/debian nightly InRelease' is not signed.

Daniel15 added a commit to yarnpkg/release-infra that referenced this issue Jan 11, 2019

Daniel15 (Member) commented Jan 11, 2019

I generated a new GPG subkey for the nightly repo, but I'm having issues with Aptly (#6904) which is making it impossible to republish the repo :/

18:00 daniel@vps03 /var/www/nightly.yarnpkg.com
% ./update-deb.sh
+ aptly repo add -remove-files=true yarn-nightly ./nightly/deb-incoming/
Loading packages...
+ aptly publish update -gpg-key=4F77679369475BAA nightly yarn-nightly
ERROR: unable to update: local repo with uuid 55ff60af-263a-4df6-8f97-2c09ad7a4995 not found

Daniel15 (Member) commented Jan 11, 2019

This should be fixed now!

Daniel15 reopened this Jan 11, 2019

Daniel15 closed this Jan 11, 2019

manuel-uberti commented Jan 11, 2019

Hi,

the problem is still here with this in my /etc/apt/sources.list.d:

deb https://dl.yarnpkg.com/debian/ stable main

Edit: never mind, re-downloading the key fixed it. :)

bvnierop commented Jan 11, 2019

I can second the above comment. The key changed since the previous rotation 9 days ago and had to be re-downloaded.

DanBuild commented Jan 11, 2019

Daniel15 (Member) commented Jan 14, 2019

The key changed since the previous rotation 9 days ago

Investigating in #6916. Currently it looks like an Aptly bug: aptly-dev/aptly#805

LukasTsunami commented Jan 15, 2019

I resolved it here with these commands:
sudo pkill dirmngr; dirmngr --debug-all --daemon --standard-resolver
sudo apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys 4F77679369475BAA
wget https://yum.dockerproject.org/gpg
sudo apt-key add gpg

bvnierop commented Jan 15, 2019

The revised key that I downloaded 4 days ago (which included the new subkey) stopped working again today.
