Closed nicfab closed 1 month ago
We had the same issue today and the curl command fixed the apt update.
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
The environment is Ubuntu 18.04 as part of CodeBuild docker image : aws/codebuild/standard:4.0
https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
I saw in multiple posts that apt-key has been deprecated, because of a security related bug - https://manpages.debian.org/bullseye/apt/apt-key.8.en.html
I have this error with apt update
:
...
Err:7 https://dl.yarnpkg.com/debian stable InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
...
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
Manually checking, first import the GPG public key:
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --import
gpg: key 1646B01B86E50310: "Yarn Packaging <yarn@dan.cx>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Manually check the InRelease
file:
curl -sS https://dl.yarnpkg.com/debian/dists/stable/InRelease | gpg --verify
gpg: Signature made Sat 14 May 2022 23:00:18 UTC
gpg: using RSA key DEE0F07B347CD8202105B20C23E7166788B63E1E
gpg: Good signature from "Yarn Packaging <yarn@dan.cx>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310
Subkey fingerprint: DEE0 F07B 347C D820 2105 B20C 23E7 1667 88B6 3E1E
No problem there, however, export the GPG public key:
gpg --export --armor 23E7166788B63E1E > /etc/apt/keyrings/yarn.gpg
And run apt-update
and the error remains, is the problem with the /etc/apt/sources.list.d/yarn.sources
file I have (which has been generated using a Ansible role I've just updated)? It contains:
# Ansible managed
Types: deb
URIs: https://dl.yarnpkg.com/debian
Suites: stable
Architectures: amd64
Components: main
Signed-By: /etc/apt/keyrings/yarn.gpg
# vim: ft=debsources
I have also tried with a old-style /etc/apt/sources.list.d/yarn.list
file containing:
deb [signed-by=/usr/share/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian stable main
But that makes no difference to the error.
The /etc/apt/preferences.d/yarn.pref
file contains:
# Ansible managed
Package: yarn
Pin: origin dl.yarnpkg.com
Pin-Priority: 500
# vim: ft=debsources
The /etc/apt/keyrings/yarn.gpg
file fingerprints:
gpg --show-keys --with-fingerprint /etc/apt/keyrings/yarn.gpg
pub rsa4096 2016-10-05 [SC]
72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310
uid Yarn Packaging <yarn@dan.cx>
sub rsa4096 2016-10-05 [E]
sub rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub rsa4096 2016-10-30 [S] [expired: 2019-01-01]
sub rsa4096 2017-09-10 [S] [expired: 2019-01-01]
sub rsa4096 2019-01-02 [S] [expires: 2026-01-23]
sub rsa4096 2019-01-11 [S] [expires: 2026-01-23]
The full error trying to update the apt cache:
apt update
Hit:1 https://deb.debian.org/debian bullseye InRelease
Hit:2 https://deb.debian.org/debian bullseye-updates InRelease
Hit:3 https://deb.debian.org/debian bullseye-backports InRelease
Hit:4 https://security.debian.org/debian-security bullseye-security InRelease
Hit:5 https://download.docker.com/linux/debian bullseye InRelease
Get:6 https://packages.sury.org/php bullseye InRelease [6,841 B]
Get:7 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
Hit:8 https://packages.icinga.com/debian icinga-bullseye InRelease
Hit:9 https://deb.nodesource.com/node_16.x bullseye InRelease
Err:7 https://dl.yarnpkg.com/debian stable InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
Fetched 24.0 kB in 2s (12.6 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Some index files failed to download. They have been ignored, or old ones used instead.
Can anyone spot my mistake? This is driving me nuts... :roll_eyes:
I omitted to de-armour the ASCII armoured GPG public key... I'm updating the Ansible role now... :roll_eyes:
same, preventing code from deploying
in my build script that was crashing when running apt update -y
i was able to get past my failed code deployment by moving the key upgrade above the update command
version: 0.2
phases:
install:
runtime-versions:
nodejs: 16.x
commands:
- echo Entered the install phase...
- curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
- apt update -y
+1 same scenario. Docker/Fargate/Codebuild.. Tried the above approaches, and still no luck.
`W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging yarn@dan.cx
2023-01-25T12:51:06.969-05:00 E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging yarn@dan.cx`
If you don't require yarn, you can get around this error by removing the repo.
rm /etc/apt/sources.list.d/yarn.list
Verified this works on CodeBuild Ubuntu 20.04
i.e. aws/codebuild/standard:5.0
https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
Same error, preventing code from deploying.
the same when assembling sentry
Verified this works on Sentry 23.01.
cron/Dockerfile
rm -rf /etc/apt/sources.list.d/yarn.list
Same issue in Ubuntu 18.04 LTS
I fixed it with apt-key adv --refresh-keys --keyserver keyserver.ubuntu.com
This one solved it for me...
curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/yarnkey.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list > /dev/null
This one solved it for me...
curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/yarnkey.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list > /dev/null
thank you
This one solved it for me...
curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/yarnkey.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list > /dev/null
Thank you. It worked for me too.
I found the GPG key is updated at this commit: https://github.com/yarnpkg/releases/commit/4ad43f2c6258c58a6bbb3a51caf3283fd1448e02. And https://github.com/yarnpkg/yarn/issues/8918#issuecomment-1426703368 will resolve the bad signature issue if you don't know how to resolve it (Details: https://wiki.debian.org/DebianRepository/UseThirdParty).
@nicfab This issue could be closed :)
thanks @boeboe, Worked for me too.
This one solved it for me...
curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/yarnkey.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list > /dev/null
This worked for me, updating WSL ubuntu
the same when assembling sentry
Verified this works on Sentry 23.01. cron/Dockerfile
rm -rf /etc/apt/sources.list.d/yarn.list
Thanks, you save my life.
For those using Docker, since apt-key was deprecated, this works for me:
ENV YARNKEY=yarn-keyring.gpg
RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --dearmour -o /usr/share/keyrings/$YARNKEY && \
echo "deb [signed-by=/usr/share/keyrings/$YARNKEY] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
RUN apt-get update
Source: https://tickets.dominodatalab.com/hc/en-us/articles/12830637385364-Yarn-Package-invalid-key
OS: Ubuntu server 20.04.05
Running
apt update
I see:and
If I check the file
/etc/apt/sources.list.d/yarn.list
it contains the following row:deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main
I tried running
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
but I didn't solve the issue.How can I solve?