dl.yarnpkg.com/debianv is missing GPG NO_PUBKEY #6885

Closed
dotnetCarpenter opened this Issue Jan 7, 2019 · 9 comments


dotnetCarpenter commented Jan 7, 2019

Reporting it here since https://github.com/yarnpkg/releases does not have an issue list.

Possible duplicate of #4453 and #6865. But I just got this error; I wouldn't call it fixed.

An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
Some index files failed to download. They have been ignored, or old ones used instead.

@heupr heupr bot assigned Daniel15 Jan 7, 2019

@heupr heupr bot added the triaged label Jan 7, 2019

Daniel15 commented Jan 7, 2019

You're missing the public key. Run this to get it:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

Please let me know if you still encounter issues after doing that.

@Daniel15 Daniel15 closed this Jan 7, 2019

dotnetCarpenter commented Jan 7, 2019

Following the commands described here: #4453 (comment) seems to fix the issue.

dotnetCarpenter commented Jan 7, 2019

@Daniel15 does apt not have an auto update GPG key feature? I can't believe I have to fix all expiring keys manually.

Daniel15 commented Jan 7, 2019

I don't think there is, unfortunately. 😢

Debian distributes all its keys in a package (https://packages.debian.org/buster/debian-archive-keyring), so whenever they need to roll out a new key (e.g. for a new Debian release, or if they rotate them for some other reason), they add it to that package but keep signing with the old key for a while, such that most people will have the new key by the time they switch across.

That's not really doable in our case though, as the problem with having the keys in a package is that the repo that package is in also needs to be signed. In Debian's case they include the package on the installation CD, which bootstraps the initial version. For custom repos, you always need some custom steps to get the signing key.

dotnetCarpenter commented Jan 7, 2019

Wow. I thought at least you had a field in a Debian package that could point to a key server to auto-update a key close to expiring. I guess I see the security flaw in pointing to the Internet for a public key, but it would not be much different than apt-key adv --keyserver keys.yarnpkg.com --recv-keys.

Gonna write down your one-liner for next time.
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

Daniel15 commented Jan 8, 2019

You can also find that command on the installation page (https://yarnpkg.com/en/docs/install#debian-stable) if you ever need it again 😃

dotnetCarpenter commented Jan 8, 2019

You're right, but I would probably just copy/paste the 2 lines and get duplicates in my sources... until I actually read the 2 lines and now can see that it would just overwrite my existing yarn.list. 🤔😕😟

ohmer1 commented Jan 9, 2019

You could still distribute your keys with a package. You would still need to install the current key first when adding the repository, but the day you decide to change your signing key, everything is handled automatically by the package. Right now, apt complains that your repo is not safe because the key changed and needs manual (re)configuration.

r4co0n commented Jan 16, 2019

Do the same using only apt-key:

apt-key adv --fetch-keys https://dl.yarnpkg.com/debian/pubkey.gpg

or (currently):

apt-key adv --keyserver keyserver.ubuntu.com --recv 1646B01B86E50310
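Both ways of obtaining the key in this thread (Daniel15's curl | apt-key add, and r4co0n's --recv by ID from a keyserver) trust whatever comes back. The check a practitioner wants before adding it is that the downloaded file actually carries the key apt asked for (the NO_PUBKEY value in the report, 23E7166788B63E1E, differs from the primary key ID r4co0n fetches, 1646B01B86E50310, as it would for a newer signing subkey of that primary) and that the primary fingerprint matches what Yarn publishes out of band. The script below is an added example, not code from this thread or from the Yarn project: it parses an ASCII-armored OpenPGP public key block (RFC 4880), verifies the armor CRC24, and returns the v4 fingerprint and long key ID of the primary key and every subkey, plus which expected IDs are absent. All function names are my own, and the embedded SAMPLE_KEY is constructed (arbitrary RSA moduli, not Yarn's key) so that the script runs offline.

```python
import base64
import hashlib

PUBLIC_KEY, USER_ID, PUBLIC_SUBKEY = 6, 13, 14   # packet tags, RFC 4880 section 4.3

def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Strip ASCII armor, check the CRC24 trailer, return the raw packet stream."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored public key block")
    body = lines[1:-1]                      # drop the BEGIN and END lines
    if "" in body:                          # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    if not body[-1].startswith("="):
        raise ValueError("missing CRC24 trailer")
    raw = base64.b64decode("".join(body[:-1]))
    if base64.b64decode(body[-1][1:]) != crc24(raw).to_bytes(3, "big"):
        raise ValueError("CRC24 mismatch: key file is corrupt or truncated")
    return raw

def iter_packets(raw: bytes):
    """Yield (tag, body) per packet; gpg emits old-format headers for key packets."""
    pos = 0
    while pos < len(raw):
        ctb, pos = raw[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % (pos - 1))
        if ctb & 0x40:                      # new-format header, RFC 4880 4.2.2
            tag, first, pos = ctb & 0x3F, raw[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + raw[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(raw[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header, RFC 4880 4.2.1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            width = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(raw[pos:pos + width], "big"), pos + width
        yield tag, raw[pos:pos + length]
        pos += length

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are handled")
    prefix = b"\x99" + len(key_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + key_body).hexdigest().upper()

def key_ids(armored: str):
    """[(kind, fingerprint, long key ID)] for the primary key and every subkey."""
    kinds = {PUBLIC_KEY: "primary", PUBLIC_SUBKEY: "subkey"}
    fprs = [(kinds[t], v4_fingerprint(b)) for t, b in iter_packets(dearmor(armored)) if t in kinds]
    return [(kind, fpr, fpr[-16:]) for kind, fpr in fprs]

def missing_ids(armored: str, wanted) -> set:
    """Long key IDs in `wanted` (e.g. the NO_PUBKEY value apt printed) absent from the file."""
    return {k.upper() for k in wanted} - {kid for _, _, kid in key_ids(armored)}

# --- constructed sample so the script runs offline; this is NOT Yarn's key -----------------
def _mpi(x: int) -> bytes:                  # multiprecision integer, RFC 4880 3.2
    return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")

def _packet(tag: int, body: bytes) -> bytes:  # new-format header, body shorter than 8384
    n = len(body)
    hdr = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + hdr + body

def armor(raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])

def _key_body(modulus: int) -> bytes:      # v4, creation time, algo 1 = RSA, n, e (arbitrary n)
    return b"\x04" + (1546819200).to_bytes(4, "big") + b"\x01" + _mpi(modulus) + _mpi(65537)

PRIMARY_BODY = _key_body((1 << 2047) | 0x1001)
SUBKEY_BODY = _key_body((1 << 2047) | 0x2003)
SAMPLE_KEY = armor(_packet(PUBLIC_KEY, PRIMARY_BODY)
                   + _packet(USER_ID, b"Constructed Test Key <test@example.invalid>")
                   + _packet(PUBLIC_SUBKEY, SUBKEY_BODY))
```

Against a real download (curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg -o pubkey.gpg, then pass the file's text to key_ids and missing_ids with ["23E7166788B63E1E"]), compare the primary fingerprint with the one published on the Yarn install page before handing the file to apt-key; a keyserver lookup by ID deserves the same check, since the ID is only the low 64 bits of the fingerprint and is what you asked for, not proof of who holds the key. Note that apt-key itself is deprecated in current Debian and Ubuntu: the replacement is to store the dearmored key under /usr/share/keyrings and reference it with signed-by in yarn.list, so the key is trusted for this repository only rather than for every repository on the system.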