Installing Yarn on Ubuntu 18.04.1 LTS gives invalid signature error. Possible expired key? #6865
Comments
Ohh, the key may have expired today! I'll have to take a look once I'm back from vacation (later today or tomorrow). |
We are having this issue as of today as well. Thanks for all your help @Daniel15. |
@DanBuild Indeed: I also experience an Note the key you provide:
Note that the expired subkey is precisely the one referenced in the error. |
I had the same issue a few moments ago, it seems it was valid till 2018. |
The installation script should still work, so you can use that for now. I'll fix it as soon as I can, but that won't be until tonight as I'm currently travelling. I usually create a Github issue for key rotation, but I forgot to do that in 2018. I'm going to add a reminder in my calendar so I don't forget about this next year too. |
As a temporary fix, adding
|
This is a quickfix so the builds will work in spite of the expired gpg key. See yarnpkg/yarn#6865.
I added this to my /etc/apt/sources.list.d/yarn.list file... but running sudo apt update still gives me the error. Is there something else I need to do? |
@daveomcd I believe it just comes up as a warning once that's added, try running the |
This caused failures in my auto provisioning (aws autoscaling spot fleet) when an ansible tower callback that ran a playbook that updated the cache and caused provision failures. Time to harden up my playbooks, be careful out there folks! |
I'm really sorry for breaking it. This is 100% my fault. I usually create a Github issue for the yearly key rotation (see #4253 for the previous issue) but forgot to create one last year and it just slipped my mind this year. @daveomcd's workaround is good. I'm still a few hours away from home but I'll rotate the key and publish the new one as soon as possible. I'm also going to configure some monitoring so we get alerts if the key is within 90 days of expiry. Note that for CI systems, ideally you should not install Yarn fresh on each build. Instead, use a Docker image with all your build tools installed. :) |
@Daniel15 No worries, we all appreciate the time you devote entirely voluntarily and for free to maintaining open source software. |
Or cache it... That's the way I got around this problem on Circle CI... that way if install of newest fails, I still gots a yarn to fallback on. |
I think CircleCI's Node.js Docker container comes with Yarn pre-installed.
|
Correct, |
I'd like to recommend expiring the key on a date other than January 1st… that way if it does expire, it's not during a holiday period :) |
think this may have been reported earlier than jan1 even.. |
Should be fixed by yarnpkg/releases@0f3e4b2. Please redownload the key as it now contains a new subkey:
The new subkey expires on 2020-02-02 (thanks for the suggestion of not using January 1st, @jleclanche) |
@Daniel15 Thanks for the quick response time, I can confirm it works =) |
Yeah I just double checked with fresh Debian and Ubuntu VMs and verified that it's working now. Thanks for your patience! My mistake here was assuming that apt/dpkg would still be fine with the key/signature even though it's expired, as the repo was signed while the key was still valid (since the last update was in November). I think this is what 'vanilla' GPG does, and is also how it works on Windows:
https://docs.microsoft.com/en-us/windows/desktop/seccrypto/time-stamping-authenticode-signatures I'll follow up on this by creating some monitoring scripts that will alert us when the key is getting dangerously close to expiring. |
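An added example (not the maintainer's monitoring script) of the expiry check discussed in this thread: it parses `gpg --with-colons` output and reports signing-capable keys and subkeys that are expired or expire within 90 days, the threshold mentioned earlier. The key IDs and the listing are constructed, and the expiry field is assumed to be epoch seconds as GnuPG 2.x prints it.

```python
from datetime import datetime, timedelta, timezone

def ts(y, m, d):
    """Epoch seconds for midnight UTC, the date form used in colon listings."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

# Constructed sample shaped like `gpg --show-keys --with-colons pubkey.gpg`.
# Key IDs are placeholders; the first subkey's dates mirror the line quoted
# in this issue (created 2016-10-30, expires 2019-01-01).
SAMPLE = "\n".join([
    f"pub:-:4096:1:AAAAAAAAAAAAAAAA:{ts(2016, 10, 5)}:::-:::scESC:",
    "uid:-::::::::Constructed Repo Key <repo@example.invalid>:",
    f"sub:e:4096:1:BBBBBBBBBBBBBBBB:{ts(2016, 10, 30)}:{ts(2019, 1, 1)}:::::s:",
    f"sub:-:4096:1:CCCCCCCCCCCCCCCC:{ts(2019, 1, 2)}:{ts(2020, 2, 2)}:::::s:",
])

def expiring_signing_keys(listing, now, warn_days=90):
    """Return (keyid, status, days_left) for signing keys needing attention."""
    findings = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        # Field 12 holds capabilities; lowercase "s" means this key can sign.
        # Field 7 is the expiry; empty means the key never expires.
        if "s" not in f[11] or not f[6].isdigit():
            continue
        expires = datetime.fromtimestamp(int(f[6]), tz=timezone.utc)
        days_left = (expires - now).days
        if expires <= now:
            status = "EXPIRED"
        elif expires - now <= timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            continue
        findings.append((f[4], status, days_left))
    return findings

if __name__ == "__main__":
    today = datetime(2019, 12, 1, tzinfo=timezone.utc)
    for keyid, status, days in expiring_signing_keys(SAMPLE, today):
        print(f"{status:8} {keyid} ({days} days)")
```

Run against the published key file on a schedule, a non-empty result is the alert condition; apt rejects the repository as soon as the signing subkey passes its expiry, regardless of when the release was signed.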
I think it should work like that! Probably a bug report on Debian? |
I generated a new GPG subkey for the nightly repo, but I'm having issues with Aptly (#6904) which is making it impossible to republish the repo :/
|
This should be fixed now! |
Hi, the problem is still here with this in my
Edit: never mind, re-downloading the key fixed it. :) |
I can second the above comment. The key changed since the previous rotation 9 days ago and had to be re-downloaded. |
I added a new subkey for the nightly builds, however that should NOT have
affected the stable repo. I'll have to look into what happened here...
|
Investigating in #6916. Currently it looks like an Aptly bug: aptly-dev/aptly#805 |
I resolved here with the commands: |
The revised key that I downloaded 4 days ago (which included the new subkey) stopped working again today. |
Sorry about that... It should be okay now. That was tracked in #6916. |
I've got a dashboard monitoring the key expiry dates now: https://dash.d.sb/d/0PYZ8W_iz/yarn and will configure monitoring for it. |
expired again.
|
solved the problem |
I extended the expiry a few weeks ago, but you need to manually update it since I haven't configured it to auto update yet. See #7866 |
@mekinney It shouldn't be. The old key hasn't expired yet (expires 2nd February 2021, which is next week) but I extended the expiry to 2023. Is it possible your system has the old key which expired in Feb 2020? Please run this:
and let me know the output. |
@Daniel15 I have this issue occurring today (2nd Feb 2021), output of that command is |
@AbeCole It sounds like the key isn't in your keychain. Try running this command:
|
@Daniel15 Worked for me, thanks! |
Both commands also worked for me @Daniel15 thanks!! |
Downloading a new key worked for me as well, however I just wanted to say that installing third-party gpg keys into the system keystore is generally a bad idea (which is what running First, download repository keys into individual files in a directory dedicated for them. On Debian the standard convention is
Then update your source file to refer to the key. E.g., in
This ensures that only files downloaded from the yarnpkg repository can be signed by the yarnpkg gpg key. Having the key in the system keystore allows any package in any repository to be signed by the yarnpkg key. Should that key ever be compromised, it could be used to sign anything, coming from anywhere, like a hacked version of your kernel. For further security, create a preferences file. E.g. in
Setting the More detailed information can be found here: https://wiki.debian.org/DebianRepository/UseThirdParty |
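An added example (not from the comment above) that audits one-line `sources.list` entries for the scoping described there: it reports entries with no `signed-by` option, which fall back to every key in the global apt keyring, and goes slightly further by also flagging the `trusted=yes` and `allow-insecure=yes` options that relax signature verification. The URIs and the keyring path in the sample are constructed placeholders.

```python
import re

# Constructed sample entries; hosts and keyring path are placeholders.
SAMPLE_SOURCES = """\
# third-party repo with no key scoping
deb https://repo.example.invalid/debian/ stable main
deb [arch=amd64 signed-by=/etc/apt/keyrings/example-archive-keyring.gpg] https://repo.example.invalid/debian/ stable main
deb [trusted=yes] https://mirror.example.invalid/debian/ stable main
"""

# One-line format: deb [ opt=value ... ] uri suite [component ...]
ENTRY = re.compile(
    r"^(?:deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)
RELAXING = ("trusted", "allow-insecure")

def audit_sources(text):
    """Return (line_no, uri, finding) tuples for weakly scoped entries."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line.strip())
        if not m:
            continue  # comments, blank lines and deb822 stanzas are skipped
        opts = dict(
            o.split("=", 1) for o in (m["opts"] or "").split() if "=" in o
        )
        for name in RELAXING:
            if opts.get(name, "").lower() == "yes":
                findings.append(
                    (no, m["uri"], f"{name}=yes relaxes signature verification")
                )
        if "signed-by" not in opts:
            findings.append(
                (no, m["uri"], "no signed-by: any key in the global keyring is accepted")
            )
    return findings

if __name__ == "__main__":
    for no, uri, finding in audit_sources(SAMPLE_SOURCES):
        print(f"line {no}: {uri}: {finding}")
```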
Summary: Yarn key had expired on 2nd of February. The owner has renewed it, but seems like Circle CI still has the old one cached. (see yarnpkg/yarn#6865 (comment)) Changelog: [Internal] Reviewed By: fkgozali Differential Revision: D26276386 fbshipit-source-id: 093c7de94445b6ff9beb5792b16564e5c3bd1234
as per yarnpkg/yarn#6865 (comment). Unsure if there is a better way of addressing this!
What is the current behavior?
Attempting to install yarn on a new Ubuntu 18.04.1 LTS server and I get the following errors:
I don't know if the line
sub rsa4096 2016-10-30 [S] [expires: 2019-01-01]
(which is today) when doing the apt-key list is of any note?
What is the expected behavior?
Yarn installs.
Please mention your node.js, yarn and operating system version.
Ubuntu 18.04.1 LTS