yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

Bad GPG signature "The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>" #8918

Closed nicfab closed 1 month ago

nicfab commented 1 year ago

OS: Ubuntu server 20.04.05

Running apt update I see:

Err:6 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>

and

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease  The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
W: Some index files failed to download. They have been ignored, or old ones used instead.

If I check the file /etc/apt/sources.list.d/yarn.list it contains the following row: deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main


I tried running curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add - but it didn't solve the issue.

How can I solve this?

dgoranov commented 1 year ago

We had the same issue today and the curl command fixed the apt update.

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

The environment is Ubuntu 18.04 as part of CodeBuild docker image : aws/codebuild/standard:4.0

https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html

GokulRajakumarTR commented 1 year ago

I saw in multiple posts that apt-key has been deprecated because of a security-related bug - https://manpages.debian.org/bullseye/apt/apt-key.8.en.html

chriscroome commented 1 year ago

I have this error with apt update:

...
Err:7 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
...
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.

Manually checking, first import the GPG public key:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --import
gpg: key 1646B01B86E50310: "Yarn Packaging <yarn@dan.cx>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Manually check the InRelease file:

curl -sS https://dl.yarnpkg.com/debian/dists/stable/InRelease | gpg --verify
gpg: Signature made Sat 14 May 2022 23:00:18 UTC
gpg:                using RSA key DEE0F07B347CD8202105B20C23E7166788B63E1E
gpg: Good signature from "Yarn Packaging <yarn@dan.cx>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
     Subkey fingerprint: DEE0 F07B 347C D820 2105  B20C 23E7 1667 88B6 3E1E

No problem there, however, export the GPG public key:

gpg --export --armor 23E7166788B63E1E > /etc/apt/keyrings/yarn.gpg

And run apt update, and the error remains. Is the problem with the /etc/apt/sources.list.d/yarn.sources file I have (which was generated using an Ansible role I've just updated)? It contains:

# Ansible managed

Types: deb
URIs: https://dl.yarnpkg.com/debian
Suites: stable
Architectures: amd64
Components: main
Signed-By: /etc/apt/keyrings/yarn.gpg

# vim: ft=debsources

I have also tried with an old-style /etc/apt/sources.list.d/yarn.list file containing:

deb [signed-by=/usr/share/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian stable main

But that makes no difference to the error.

The /etc/apt/preferences.d/yarn.pref file contains:

# Ansible managed

Package: yarn
Pin: origin dl.yarnpkg.com
Pin-Priority: 500

# vim: ft=debsources

The /etc/apt/keyrings/yarn.gpg file fingerprints:

gpg --show-keys --with-fingerprint  /etc/apt/keyrings/yarn.gpg
pub   rsa4096 2016-10-05 [SC]
      72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
uid                      Yarn Packaging <yarn@dan.cx>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub   rsa4096 2016-10-30 [S] [expired: 2019-01-01]
sub   rsa4096 2017-09-10 [S] [expired: 2019-01-01]
sub   rsa4096 2019-01-02 [S] [expires: 2026-01-23]
sub   rsa4096 2019-01-11 [S] [expires: 2026-01-23]

The full error trying to update the apt cache:

apt update
Hit:1 https://deb.debian.org/debian bullseye InRelease
Hit:2 https://deb.debian.org/debian bullseye-updates InRelease
Hit:3 https://deb.debian.org/debian bullseye-backports InRelease
Hit:4 https://security.debian.org/debian-security bullseye-security InRelease
Hit:5 https://download.docker.com/linux/debian bullseye InRelease
Get:6 https://packages.sury.org/php bullseye InRelease [6,841 B]
Get:7 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
Hit:8 https://packages.icinga.com/debian icinga-bullseye InRelease
Hit:9 https://deb.nodesource.com/node_16.x bullseye InRelease
Err:7 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
Fetched 24.0 kB in 2s (12.6 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Some index files failed to download. They have been ignored, or old ones used instead.

Can anyone spot my mistake? This is driving me nuts... :roll_eyes:

I omitted to de-armour the ASCII armoured GPG public key... I'm updating the Ansible role now... :roll_eyes:
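The mistake described in the comment above (an ASCII-armored export saved at a signed-by path, which gpg itself verifies happily while apt reports NO_PUBKEY) is easy to catch before `apt update` runs. The following is an added example, not code from the issue thread or from the yarn project: it reads the signed-by path out of either a one-line `deb [...]` entry or a deb822 `.sources` file, checks whether the file there is a binary keyring or armored text, and installs a key the way the `curl | gpg --dearmor` fix in this thread does. The fixture files it builds are constructed (the "binary" one is just a packet header, not a real key), and the function names are my own.

```sh
# Added example (not code from the issue thread or the yarn project): check
# that an apt source's signed-by keyring is a binary OpenPGP keyring, which is
# what apt expects at a *.gpg path. Function names and fixtures are assumptions.

# Print "missing", "armored", "binary" or "unknown" for a keyring file.
keyring_format() {
    f="$1"
    [ -r "$f" ] || { echo missing; return 0; }
    if head -n 1 "$f" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
        return 0
    fi
    # A binary keyring starts with a public-key packet: tag byte 0x99
    # (old format, two-byte length), 0x98 (old, one-byte) or 0xC6 (new format).
    case "$(od -An -tx1 -N1 "$f" | tr -d ' ')" in
        99|98|c6) echo binary ;;
        *)        echo unknown ;;
    esac
}

# Print the keyring path an apt source file points at, from either a
# one-line "deb [signed-by=PATH] ..." entry or a deb822 "Signed-By: PATH"
# field; prints nothing if the file has no signed-by.
signed_by_path() {
    f="$1"
    p=$(sed -n 's/^Signed-By:[[:space:]]*//p' "$f" | head -n 1)
    [ -n "$p" ] || p=$(sed -n 's/.*\[[^]]*signed-by=\([^] ]*\).*/\1/p' "$f" | head -n 1)
    printf '%s\n' "$p"
}

# Diagnose one source file; exit status is 0 only when its keyring is binary,
# so this can gate an image build before `apt update` runs.
check_apt_source() {
    src="$1"
    key=$(signed_by_path "$src")
    if [ -z "$key" ]; then
        echo "$src: no signed-by keyring"
        return 1
    fi
    fmt=$(keyring_format "$key")
    echo "$src: signed-by=$key format=$fmt"
    [ "$fmt" = binary ]
}

# Correct install: fetch the armored key and de-armor it into the path the
# source file names, then confirm apt will see a binary keyring there.
install_keyring() {
    url="$1"; dest="$2"
    curl -fsSL "$url" | gpg --dearmor -o "$dest"
    [ "$(keyring_format "$dest")" = binary ]
}

# Constructed fixtures in DIR: an armored file, a file with a bare binary
# packet header (not a real key), and one source file of each style.
make_fixtures() {
    d="$1"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'bm90IGEgcmVhbCBrZXk=' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$d/armored.gpg"
    printf '\231\001\015\004' > "$d/binary.gpg"
    printf 'deb [arch=amd64 signed-by=%s/armored.gpg] https://dl.yarnpkg.com/debian stable main\n' "$d" > "$d/yarn.list"
    printf 'Types: deb\nURIs: https://dl.yarnpkg.com/debian\nSuites: stable\nComponents: main\nSigned-By: %s/binary.gpg\n' "$d" > "$d/yarn.sources"
}

# Usage on a real host:
#   check_apt_source /etc/apt/sources.list.d/yarn.list || \
#       install_keyring https://dl.yarnpkg.com/debian/pubkey.gpg /usr/share/keyrings/yarnkey.gpg
```

One caveat worth knowing: newer apt does accept an ASCII-armored keyring, but only when the file name ends in `.asc`; a `.gpg` path is read as binary, which is why the armored export above fails silently with NO_PUBKEY instead of a parse error.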

alilland commented 1 year ago

same, preventing code from deploying

alilland commented 1 year ago

In my build script, which was crashing when running apt update -y, I was able to get past my failed code deployment by moving the key upgrade above the update command:

version: 0.2

phases:
  install:
    runtime-versions:
      nodejs: 16.x
    commands:
      - echo Entered the install phase...
      - curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
      - apt update -y

cbake6807 commented 1 year ago

+1 same scenario. Docker/Fargate/Codebuild.. Tried the above approaches, and still no luck.

W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>

2023-01-25T12:51:06.969-05:00 E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.

The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>

tsantoyo23 commented 1 year ago

If you don't require yarn, you can get around this error by removing the repo.

rm /etc/apt/sources.list.d/yarn.list

Verified this works on CodeBuild Ubuntu 20.04 i.e. aws/codebuild/standard:5.0

https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html

ShNURoK42 commented 1 year ago

Same error, preventing code from deploying.

nuBacuk commented 1 year ago

The same when assembling Sentry.

Verified this works on Sentry 23.01, cron/Dockerfile: rm -rf /etc/apt/sources.list.d/yarn.list

collimarco commented 1 year ago

Same issue in Ubuntu 18.04 LTS

ddebin commented 1 year ago

I fixed it with apt-key adv --refresh-keys --keyserver keyserver.ubuntu.com

boeboe commented 1 year ago

This one solved it for me...


curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/yarnkey.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list > /dev/null

damien-crypto commented 1 year ago

This one solved it for me...

curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/yarnkey.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list > /dev/null

thank you

wallace-sf commented 1 year ago

This one solved it for me...

curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/yarnkey.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list > /dev/null

Thank you. It worked for me too.

nekketsuuu commented 1 year ago

I found the GPG key is updated at this commit: https://github.com/yarnpkg/releases/commit/4ad43f2c6258c58a6bbb3a51caf3283fd1448e02. And https://github.com/yarnpkg/yarn/issues/8918#issuecomment-1426703368 will resolve the bad signature issue if you don't know how to resolve it (Details: https://wiki.debian.org/DebianRepository/UseThirdParty).

@nicfab This issue could be closed :)
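The thread shows two different apt failures for the same key ID: EXPKEYSIG (apt has the key, but its local copy of subkey 23E7166788B63E1E had expired before the updated pubkey.gpg with the extended expiry was published) and NO_PUBKEY (apt cannot read a usable key at all, as with the armored file earlier). They call for different fixes, so here is an added example, not code from the thread or the yarn project, that pulls the reason and key ID out of `apt-get update` output, checks the installed keyring with `gpg --with-colons --show-keys`, and names the fix. The colon-format listing and apt lines embedded below are constructed from the IDs and fingerprints shown in this thread; the placeholder subkey 0000000000000001 and the stale expiry epoch are illustrative, since the thread does not show the pre-update expiry value. The function names are my own.

```sh
# Added example (not from the thread or the yarn project): separate the two
# failures seen above and check the installed keyring for the subkey apt names.
# gpg is only needed for a real run; the samples below are constructed.

# From `apt-get update` output on stdin, print "<reason> <keyid>" for the
# first GPG failure. EXPKEYSIG: apt found the key but its local copy has
# expired. NO_PUBKEY: apt found no usable key for that ID at all.
apt_gpg_failure() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i == "EXPKEYSIG" || $i == "NO_PUBKEY") { print $i, $(i+1); exit } }'
}

# Read `gpg --with-colons --show-keys KEYRING` output on stdin and print
# "missing", "expired <epoch>" or "valid <epoch|never>" for KEYID. NOW is a
# Unix time passed in so results are reproducible; gpg's own 'e' validity
# flag is honoured too. Colon fields: 1 type, 2 validity, 5 key ID,
# 7 expiry epoch (empty = never).
key_status() {
    keyid="$1"; now="$2"
    awk -F: -v id="$keyid" -v now="$now" '
        ($1 == "pub" || $1 == "sub") && $5 == id {
            found = 1
            if ($2 == "e" || ($7 != "" && $7 + 0 < now + 0))
                print "expired", ($7 == "" ? "unknown" : $7)
            else
                print "valid", ($7 == "" ? "never" : $7)
            exit
        }
        END { if (!found) print "missing" }'
}

# Map the apt failure plus the keyring state onto the fix this thread converged on.
diagnose() {
    reason="$1"; keyid="$2"; now="$3"      # keyring colon listing on stdin
    status=$(key_status "$keyid" "$now")
    case "$reason $status" in
        "NO_PUBKEY missing")
            echo "import: keyring lacks $keyid; fetch pubkey.gpg and gpg --dearmor it into the signed-by path" ;;
        "NO_PUBKEY "*)
            echo "unreadable: $keyid is in this keyring but apt is not using it; check the signed-by path and that the file is binary, not ASCII-armored" ;;
        "EXPKEYSIG expired"*)
            echo "stale: local copy of $keyid expired at ${status#expired }; re-fetch pubkey.gpg, whose newer copy may carry an extended expiry" ;;
        "EXPKEYSIG "*)
            echo "fresh: $keyid is valid in this keyring; apt should succeed once it reads this file" ;;
        *)
            echo "unhandled: $reason $status" ;;
    esac
}

# Constructed keyring listing: the primary key and 23E7166788B63E1E subkey IDs
# are the ones shown in this thread; 0000000000000001 stands in for one of the
# old expired subkeys. Arguments set the 23E7166788B63E1E validity and expiry.
sample_keyring_colons() {
    v="$1"; exp="$2"
    printf '%s\n' \
      "pub:-:4096:1:1646B01B86E50310:1475625600:::-:::scESC::::::23::0:" \
      "fpr:::::::::72ECF46A56B4AD39C907BBB71646B01B86E50310:" \
      "uid:-::::1475625600::0000000000000000000000000000000000000000::Yarn Packaging <yarn@dan.cx>::::::::::0:" \
      "sub:e:4096:1:0000000000000001:1475625600:1507161600:::::s::::::23:" \
      "sub:$v:4096:1:23E7166788B63E1E:1547164800:$exp:::::s::::::23:"
}

# Constructed apt output, copied in shape from the two error forms in this thread.
sample_apt_output() {
    case "$1" in
        expkey)   printf '%s\n' "Err:6 https://dl.yarnpkg.com/debian stable InRelease" \
                    "  The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>" ;;
        nopubkey) printf '%s\n' "Err:7 https://dl.yarnpkg.com/debian stable InRelease" \
                    "  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E" ;;
    esac
}

# Real run, against the keyring your source file names:
#   set -- $(apt-get update 2>&1 | apt_gpg_failure)
#   gpg --with-colons --show-keys /usr/share/keyrings/yarnkey.gpg | diagnose "$1" "$2" "$(date +%s)"
```

The epoch 1769126400 used in the checks is 2026-01-23 00:00 UTC, the expiry shown for the current signing subkeys earlier in the thread; 1672531200 (2023-01-01) is the illustrative stale value.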

achmatch commented 1 year ago

thanks @boeboe, Worked for me too.

paul-nagorney-icrossing commented 1 year ago

This one solved it for me...

curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/yarnkey.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list > /dev/null

This worked for me, updating WSL Ubuntu.

weiliang903 commented 11 months ago

The same when assembling Sentry.

Verified this works on Sentry 23.01, cron/Dockerfile: rm -rf /etc/apt/sources.list.d/yarn.list

Thanks, you save my life.

gzamaury commented 3 months ago

For those using Docker, since apt-key was deprecated, this works for me:

ENV YARNKEY=yarn-keyring.gpg
RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --dearmour -o /usr/share/keyrings/$YARNKEY && \
echo "deb [signed-by=/usr/share/keyrings/$YARNKEY] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
RUN apt-get update 

Source: https://tickets.dominodatalab.com/hc/en-us/articles/12830637385364-Yarn-Package-invalid-key