hyperledger-archives / indy-sdk

Invalid signature in https://repo.sovrin.org/sdk/deb #2407

Closed shinitiandrei closed 3 years ago

shinitiandrei commented 3 years ago

Hey there,

We are facing some serious issues with https://repo.sovrin.org/sdk/deb. We are unable to add the repository in order to install the libindy package.

I'm installing libindy in an Ubuntu 18.04 docker and this is my command in the Dockerfile:

# apt-get has no ">=" version syntax; unquoted, the shell read ">=1.6.0" as a
# redirect to a file named "=1.6.0", so only "libindy" was passed to apt-get.
RUN apt-get update && \
    apt-key adv --refresh-keys --keyserver hkp://keyserver.ubuntu.com:80 && \
    apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CE7709D068DB5E88 && \
    add-apt-repository "deb https://repo.sovrin.org/sdk/deb bionic stable" && \
    apt-get update && \
    apt-get install -y libindy

And this is the error log:

Err:6 https://repo.sovrin.org/sdk/deb bionic InRelease
  The following signatures were invalid: EXPKEYSIG E8BDBE36C8C97811 Sovrin-Repo-Master (Master key for repo.sovring.org) <repo@sovrin.org>
Hit:7 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
Reading package lists... Done
W: GPG error: https://repo.sovrin.org/sdk/deb bionic InRelease: The following signatures were invalid: EXPKEYSIG E8BDBE36C8C97811 Sovrin-Repo-Master (Master key for repo.sovring.org) <repo@sovrin.org>
E: The repository 'https://repo.sovrin.org/sdk/deb bionic InRelease' is not signed.

I tried many workarounds, even this https://superuser.com/a/1331948 as well. But it seems the key must be at least able to authenticate which is not happening at the moment. I've checked that the repo has been recently updated but not sure if the keys are the same as in https://repo.sovrin.org/sdk/deb/dists/bionic/. This was working fine previously but now it's not, and it's currently breaking many of our pipelines. Can someone have a look at it if not resolved by the time you see it?

Thanks for the support!

dhh1128 commented 3 years ago

@WadeBarnes , is this a predictable side effect of our CI/CD changes?

shinitiandrei commented 3 years ago

Hey @dhh1128 , it seems the repository was updated on 02/07/21 which seemed to solve the problem. I assume the packages were signed with the correct key this time. I'll close this for now, but yeah something to keep in check on your side guys. Thank you!

WadeBarnes commented 3 years ago

@dhh1128, @shinitiandrei, The updates for the fix were communicated in the Hyperledger Rocket.Chat channels. The repository's signing key expired on 2021.06.30. The new key was installed 2021.07.01 and some lingering issues were resolved just before 5am (PST) 2021.07.02. This has nothing to do with any of the CI/CD changes we're doing. I've closed up the hole this fell through so it won't happen in the future (2 years from now).

Rocket.Chat Notification Links:

To get the updated signing subkey you'll need to add apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CE7709D068DB5E88 to your list of update commands.
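
The failure in this thread came from a repository signing key passing its expiry date unnoticed. As an added example (not part of the thread or of the indy-sdk project), the shell function below reads `gpg --with-colons` key listings and flags keys that are expired or close to expiry, so a pipeline can fail early with a clear reason; the key IDs and timestamps in the sample listing are constructed.

```shell
#!/bin/sh
# Flag apt signing keys that are expired or expire within a warning window.
# Input (stdin): gpg colon-format key listing. Fields used:
#   1 = record type (pub/sub), 5 = key ID,
#   7 = expiry in epoch seconds (empty = never), 12 = capabilities.
# Assumption: expiry is numeric epoch seconds, as current GnuPG prints it.
# Typical use on a build host (apt-key as used in the thread):
#   apt-key adv --list-public-keys --with-colons | check_key_expiry "$(date +%s)" 30

check_key_expiry() {
    now=$1         # current time, epoch seconds
    warn_days=$2   # report keys expiring in fewer than this many days
    awk -F: -v now="$now" -v days="$warn_days" '
        # Primary keys always count; subkeys only if they can sign ("s").
        $1 == "pub" || ($1 == "sub" && $12 ~ /s/) {
            if ($7 == "") { print "OK " $5 " never-expires"; next }
            left = int(($7 - now) / 86400)
            if ($7 + 0 <= now + 0) { print "EXPIRED " $5; bad = 1 }
            else if (left < days)  { print "EXPIRING " $5 " in " left " days"; bad = 1 }
            else                   { print "OK " $5 }
        }
        END { exit bad + 0 }   # non-zero exit lets CI fail before apt does
    '
}

# Constructed sample listing: a primary key without expiry, one signing
# subkey expiring 2021-06-30 00:00 UTC, and a replacement subkey valid
# until 2023-07-01. Key IDs are placeholders, not real keys.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1498780800:::-:::cSC:
uid:-::::1498780800::::Example Repo Master <repo@example.invalid>:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1561852800:1625011200:::::s:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1622505600:1688169600:::::s:
EOF
}
```

Run on a schedule rather than only at build time, the check gives warning while the old key still validates, which is the window in which a replacement key can be published and fetched.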

shinitiandrei commented 3 years ago

Thank you for the update @WadeBarnes!