mozilla / nixpkgs-mozilla

Mozilla overlay for Nixpkgs.
MIT License

What changed regarding GPG keys for releases? #257

Closed colemickens closed 3 years ago

colemickens commented 3 years ago

I maintain https://github.com/colemickens/flake-firefox-nightly which provides nightly builds to nix flakes users.

However, something broke regarding Firefox releases. I'm on vacation and can't dig into this, but would like to not leave my users on a stuck version of Nightly for 5+ days.

Can anyone advise if something changed regarding how Firefox publishes releases?

error: builder for '/nix/store/xff2q0yjxxzmgbrnc0bjnyhkmfrcsp5q-firefox-90.0a1.en-US.linux-x86_64.tar.bz2.drv' failed with exit code 2;
       last 10 log lines:
       > gpg: key 61B7B526D98F0353: 26 signatures not checked due to missing keys
       > gpg: /build/tmp.jAJ9Gzdf8M/.gnupg/trustdb.gpg: trustdb created
       > gpg: key 61B7B526D98F0353: public key "Mozilla Software Releases <release@mozilla.com>" imported
       > gpg: Total number processed: 1
       > gpg:               imported: 1
       > gpg: no ultimately trusted keys found
       > gpgv: can't allocate lock for '/build/tmp.jAJ9Gzdf8M/.gnupg/pubring.kbx'
       > gpgv: Signature made Thu May 27 11:09:26 2021 UTC
       > gpgv:                using RSA key 4360FE2109C49763186F8E21EBE41E90F6F12F6D
       > gpgv: Can't check signature: No public key
       For full logs, run 'nix log /nix/store/xff2q0yjxxzmgbrnc0bjnyhkmfrcsp5q-firefox-90.0a1.en-US.linux-x86_64.tar.bz2.drv'.
error: build of '/nix/store/rb0g83kg404ngzpmbjjf7fyf26shnyl2-firefox-bin-90.0a1.drv', '/nix/store/x79gjl4qhrw7a54by099whbh0azccay5-firefox-release-bin-unwrapped-90.0a1.drv', '/nix/store/xff2q0yjxxzmgbrnc0bjnyhkmfrcsp5q-firefox-90.0a1.en-US.linux-x86_64.tar.bz2.drv' failed
nix-build-uncached: nix build failed: exit status 1

bb010g commented 3 years ago

I'm seeing this on my own personal pinned Nightly setup, which uses something similar to the following.

let
  # Pinned nixpkgs revision.
  pkgsSrc = builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/65a9923bbb94e4da656eb63f88f3a378be232e02.tar.gz";
    sha256 = "1hwrdhb6izis0zqqxriqm8gsqylj0awf0fn72xd3l2iqvhkhl8p2";
  };
  # The argument nixpkgs reads is `overlays`; a misspelt `overlay` is silently ignored.
  pkgs = import pkgsSrc { config = { allowUnfree = true; }; overlays = [ ]; };
  # Pinned nixpkgs-mozilla revision, imported as a package set rather than applied as an overlay.
  mozillaSrc = pkgs.fetchzip {
    url = "https://github.com/mozilla/nixpkgs-mozilla/archive/8c007b60731c07dd7a052cce508de3bb1ae849b4.zip";
    sha256 = "1zybp62zz0h077zm2zmqs2wcg3whg6jqaah9hcl1gv4x8af4zhs6";
  };
  mozilla = import (mozillaSrc + "/package-set.nix") { inherit pkgs; };
  # The nightly to pin: the timestamp selects the build directory on the Mozilla CDN.
  firefox-nightlySpec = {
    system = "linux-x86_64";
    timestamp = "2021-05-27-21-28-01";
    version = "90.0a1";
  };
in
(mozilla.lib.firefoxOverlay.firefoxVersion {
  name = "Firefox Nightly";
  inherit (firefox-nightlySpec) timestamp version;
  release = false;
}).overrideAttrs (o: {
  # Patch the generated build script so the wrapper also sets SNAP_NAME.
  buildCommand = pkgs.lib.replaceStrings [ ''
    --set MOZ_SYSTEM_DIR "$out/lib/mozilla" \
  '' ] [ ''
    --set MOZ_SYSTEM_DIR "$out/lib/mozilla" \
    --set SNAP_NAME firefox \
  '' ] o.buildCommand;
})

On my system, building this fails.

bb010g ~ % nix-build ~/Documents/scraps/firefox-nightly-no-public-key.nix --show-trace --keep-going
these 3 derivations will be built:
  /nix/store/5hnds400ns30ma35gbxpjya8pzb222c4-firefox-90.0a1.en-US.linux-x86_64.tar.bz2.drv
  /nix/store/6zyl7456c9rmxmmqkxyrfb8bki3nxp23-firefox-release-bin-unwrapped-90.0a1.drv
  /nix/store/siywl3zf02fga525w461ndszpz89691l-firefox-bin-90.0a1.drv
building '/nix/store/5hnds400ns30ma35gbxpjya8pzb222c4-firefox-90.0a1.en-US.linux-x86_64.tar.bz2.drv'...

trying https://download.cdn.mozilla.net/pub/firefox/nightly/2021/05/2021-05-27-21-28-01-mozilla-central/firefox-90.0a1.en-US.linux-x86_64.tar.bz2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 83.8M  100 83.8M    0     0  2255k      0  0:00:38  0:00:38 --:--:-- 1514k
gpg: directory '/build/tmp.mKrikrd4SI/.gnupg' created
gpg: keybox '/build/tmp.mKrikrd4SI/.gnupg/pubring.kbx' created
gpg: key 61B7B526D98F0353: 26 signatures not checked due to missing keys
gpg: /build/tmp.mKrikrd4SI/.gnupg/trustdb.gpg: trustdb created
gpg: key 61B7B526D98F0353: public key "Mozilla Software Releases <release@mozilla.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
gpgv: can't allocate lock for '/build/tmp.mKrikrd4SI/.gnupg/pubring.kbx'
gpgv: Signature made Thu May 27 22:53:47 2021 UTC
gpgv:                using RSA key 4360FE2109C49763186F8E21EBE41E90F6F12F6D
gpgv: Can't check signature: No public key
error: builder for '/nix/store/5hnds400ns30ma35gbxpjya8pzb222c4-firefox-90.0a1.en-US.linux-x86_64.tar.bz2.drv' failed with exit code 2;
       last 10 log lines:
       > gpg: key 61B7B526D98F0353: 26 signatures not checked due to missing keys
       > gpg: /build/tmp.mKrikrd4SI/.gnupg/trustdb.gpg: trustdb created
       > gpg: key 61B7B526D98F0353: public key "Mozilla Software Releases <release@mozilla.com>" imported
       > gpg: Total number processed: 1
       > gpg:               imported: 1
       > gpg: no ultimately trusted keys found
       > gpgv: can't allocate lock for '/build/tmp.mKrikrd4SI/.gnupg/pubring.kbx'
       > gpgv: Signature made Thu May 27 22:53:47 2021 UTC
       > gpgv:                using RSA key 4360FE2109C49763186F8E21EBE41E90F6F12F6D
       > gpgv: Can't check signature: No public key
       For full logs, run 'nix log /nix/store/5hnds400ns30ma35gbxpjya8pzb222c4-firefox-90.0a1.en-US.linux-x86_64.tar.bz2.drv'.
error: 1 dependencies of derivation '/nix/store/6zyl7456c9rmxmmqkxyrfb8bki3nxp23-firefox-release-bin-unwrapped-90.0a1.drv' failed to build
error: 1 dependencies of derivation '/nix/store/siywl3zf02fga525w461ndszpz89691l-firefox-bin-90.0a1.drv' failed to build
(1) 47s bb010g ~ %

andersk commented 3 years ago

It seems nightly builds 2021-05-26-21-17-56 and later are signed with a new subkey that can be fetched from the keyservers (gpg --recv-keys 14F26682D0916CDD81E37B6D61B7B526D98F0353) but does not seem to be present on the website. I opened https://bugzilla.mozilla.org/show_bug.cgi?id=1713258 and #258.
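A check for the situation andersk describes, as an added example that is not part of nixpkgs-mozilla: given gpgv's log lines and a `gpg --with-colons --show-keys` listing of the key file a derivation imports, report whether the key that signed the tarball is the primary key, one of its subkeys, or absent. The colon listings are constructed (the primary key and the `4360...` subkey fingerprint are the ones in the issue; the `AAAA...` subkey is an invented placeholder).

```python
import re
from typing import Dict, Optional

# Constructed `gpg --with-colons --show-keys firefox.key` output for a key file
# lacking the new signing subkey; the AAAA... subkey is an invented placeholder.
OLD_KEYFILE_LISTING = """\
pub:-:4096:1:61B7B526D98F0353:1433781563:::-:::scSC::::::23::0:
fpr:::::::::14F26682D0916CDD81E37B6D61B7B526D98F0353:
sub:-:4096:1:AAAAAAAAAAAAAAAA:1433781563:::::s::::::23:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAAA:
"""
# Same key file after the subkey gpgv named in the issue is added (constructed).
NEW_KEYFILE_LISTING = OLD_KEYFILE_LISTING + """\
sub:-:4096:1:EBE41E90F6F12F6D:1622106000:::::s::::::23:
fpr:::::::::4360FE2109C49763186F8E21EBE41E90F6F12F6D:
"""
# gpgv lines copied from the failing build log in the issue.
GPGV_LOG = """\
gpgv: Signature made Thu May 27 22:53:47 2021 UTC
gpgv:                using RSA key 4360FE2109C49763186F8E21EBE41E90F6F12F6D
gpgv: Can't check signature: No public key
"""

def signing_key_from_log(log: str) -> Optional[str]:
    """Return the key id or fingerprint gpgv says made the signature."""
    m = re.search(r"using (?:RSA|DSA|EDDSA|ECDSA) key ([0-9A-F]{16,40})", log)
    return m.group(1) if m else None

def keys_in_listing(listing: str) -> Dict[str, str]:
    # Map each fingerprint (primary and sub) to its primary key's fingerprint.
    owners: Dict[str, str] = {}
    primary, pending = None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            pending = f[0]                 # the next fpr line belongs to this key
        elif f[0] == "fpr" and pending:
            if pending == "pub":
                primary = f[9]
            owners[f[9]] = primary
            pending = None
    return owners

def diagnose(log: str, listing: str) -> str:
    # Say whether the key file contains the key that signed the tarball.
    signer = signing_key_from_log(log)
    if signer is None:
        return "no signing key found in log"
    for fpr, primary in keys_in_listing(listing).items():
        if fpr.endswith(signer):           # gpgv may print only a 16-hex key id
            kind = "primary key" if fpr == primary else f"subkey of {primary}"
            return f"present: {kind}"
    return f"missing: {signer} is not in the key file"
```

Running `diagnose(GPGV_LOG, OLD_KEYFILE_LISTING)` reproduces the issue's "No public key" situation as a `missing:` result, while the listing with the added subkey reports it as a subkey of the Mozilla release key.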

colemickens commented 3 years ago

Thanks all! 👍