
Installing Yarn on Ubuntu 18.04.1 LTS gives invalid signature error. Possible expired key? #6865

Closed
Hates opened this issue Jan 1, 2019 · 42 comments

@Hates

Hates commented Jan 1, 2019

What is the current behavior?

Attempting to install yarn on a new Ubuntu 18.04.1 LTS server and I get the following errors:

root@vps631721:~# curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
OK
root@vps631721:~# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2016-10-05 [SC]
      72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
uid           [ unknown] Yarn Packaging <yarn@dan.cx>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2016-10-30 [S] [expires: 2019-01-01]

.................

root@vps631721:~# echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
deb https://dl.yarnpkg.com/debian/ stable main
root@vps631721:~# sudo apt-get update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Hit:3 http://nova.clouds.archive.ubuntu.com/ubuntu bionic InRelease
Hit:4 http://nova.clouds.archive.ubuntu.com/ubuntu bionic-updates InRelease
Get:5 https://dl.yarnpkg.com/debian stable InRelease [13.3 kB]
Hit:6 http://nova.clouds.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:7 http://apt.postgresql.org/pub/repos/apt bionic-pgdg InRelease
Err:5 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures were invalid: EXPKEYSIG E074D16EB6FF4DE3 Yarn Packaging <yarn@dan.cx>
Reading package lists... Done
W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG E074D16EB6FF4DE3 Yarn Packaging <yarn@dan.cx>
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I don't know if the line sub rsa4096 2016-10-30 [S] [expires: 2019-01-01] (which is today) when doing the apt-key list is of any note?

What is the expected behavior?

Yarn installs.

Please mention your node.js, yarn and operating system version.

Ubuntu 18.04.1 LTS

@ghost ghost assigned Daniel15 Jan 1, 2019
@ghost ghost added the triaged label Jan 1, 2019
@Daniel15
Member

Daniel15 commented Jan 1, 2019

Ohh, the key may have expired today! I'll have to take a look once I'm back from vacation (later today or tomorrow).

@sharkeyryan

We are having this issue as of today as well.

Thanks for all your help @Daniel15.

@lukasjuhrich

lukasjuhrich commented Jan 1, 2019

@DanBuild Indeed: I also experience an EXPKEYSIG E074D16EB6FF4DE3 Yarn Packaging <yarn@dan.cx> when adding the repo and running apt-get update on debian stretch.

Note the key you provide:

$ curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --keyid-format 0xlong
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096/0x1646B01B86E50310 2016-10-05 [SC]
      72ECF46A56B4AD39C907BBB71646B01B86E50310
uid                             Yarn Packaging <yarn@dan.cx>
sub   rsa4096/0x02820C39D50AF136 2016-10-05 [E]
sub   rsa4096/0xD101F7899D41F3C3 2016-10-05 [S] [expired: 2017-10-05]
sub   rsa4096/0x46C2130DFD2497F5 2016-10-30 [S] [expires: 2019-01-01]
sub   rsa4096/0xE074D16EB6FF4DE3 2017-09-10 [S] [expired: 2019-01-01]

Note that the expired subkey is precisely the one referenced in the error.

@gbrusella

@Daniel15 The key is valid until 2019-01-01 as per #4253

@AliSawari

I had the same issue a few moments ago, it seems it was valid till 2018.
and oh... by the way, Happy new year guys, great job at Yarn!

@Daniel15
Member

Daniel15 commented Jan 1, 2019

The installation script should still work, so you can use that for now. I'll fix it as soon as I can, but that won't be until tonight as I'm currently travelling.

I usually create a Github issue for key rotation, but I forgot to do that in 2018. I'm going to add a reminder in my calendar so I don't forget about this next year too.

@guyguy333

As a temporary fix, adding [trusted=yes] will remove GPG error:

deb [trusted=yes] https://dl.yarnpkg.com/debian/ stable main

lukasjuhrich added a commit to agdsn/pycroft that referenced this issue Jan 1, 2019
This is a quickfix so the builds will work in spite of the expired gpg
key.
See yarnpkg/yarn#6865.
@daveomcd

daveomcd commented Jan 1, 2019

As a temporary fix, adding [trusted=yes] will remove GPG error:

deb [trusted=yes] https://dl.yarnpkg.com/debian/ stable main

I added this to my /etc/apt/sources.list.d/yarn.list file... but running sudo apt update still gives me the error. Is there something else I need to do?

@Hates
Author

Hates commented Jan 1, 2019

@daveomcd I believe it just comes up as a warning once that's added, try running the sudo apt-get install yarn. It was able to install after that.

@rromanchuk

rromanchuk commented Jan 1, 2019

This caused failures in my auto provisioning (AWS autoscaling spot fleet) when an Ansible Tower callback ran a playbook that updated the cache and caused provision failures. Time to harden up my playbooks, be careful out there folks!

@Daniel15
Member

Daniel15 commented Jan 1, 2019

I'm really sorry for breaking it. This is 100% my fault. I usually create a Github issue for the yearly key rotation (see #4253 for the previous issue) but forgot to create one last year and it just slipped my mind this year.

@daveomcd's workaround is good. I'm still a few hours away from home but I'll rotate the key and publish the new one as soon as possible. I'm also going to configure some monitoring so we get alerts if the key is within 90 days of expiry.

Note that for CI systems, ideally you should not install Yarn fresh on each build. Instead, use a Docker image with all your build tools installed. :)

@kojiromike

@Daniel15 No worries, we all appreciate the time you devote entirely voluntarily and for free to maintaining open source software.

@generalredneck

Note that for CI systems, ideally you should not install Yarn fresh on each build. Instead, use a Docker image with all your build tools installed. :)

Or cache it... That's the way I got around this problem on Circle CI... that way if install of newest fails, I still gots a yarn to fallback on.

@Daniel15
Member

Daniel15 commented Jan 2, 2019 via email

@generalredneck

Correct,
and now apparently they have a node-browsers variant on the PHP containers too which also includes yarn... which wasn't always the case... time to go update some docker container tags.

@jleclanche

I usually create a Github issue for key rotation, but I forgot to do that in 2018. I'm going to add a reminder in my calendar so I don't forget about this next year too.

I'd like to recommend expiring the key on a date other than January 1st… that way if it does expire, it's not during a holiday period :)

@traceypooh

traceypooh commented Jan 2, 2019

think this may have been reported earlier than jan1 even..
#6861

@Daniel15
Member

Daniel15 commented Jan 2, 2019

Should be fixed by yarnpkg/releases@0f3e4b2.

Please redownload the key as it now contains a new subkey:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

The new subkey expires on 2020-02-02 (thanks for the suggestion of not using January 1st, @jleclanche)

@jleclanche

@Daniel15 Thanks for the quick response time, I can confirm it works =)

@Daniel15
Member

Daniel15 commented Jan 2, 2019

Yeah I just double checked with fresh Debian and Ubuntu VMs and verified that it's working now. Thanks for your patience!

My mistake here was assuming that apt/dpkg would still be fine with the key/signature even though it's expired, as the repo was signed while the key was still valid (since the last update was in November). I think this is what 'vanilla' GPG does, and is also how it works on Windows:

Signing tools from Microsoft allow developers to affix time stamps at the same time as they affix Authenticode signatures. Time stamping allows Authenticode signatures to be verifiable even after the certificates used for signature have expired.

https://docs.microsoft.com/en-us/windows/desktop/seccrypto/time-stamping-authenticode-signatures

I'll follow up on this by creating some monitoring scripts that will alert us when the key is getting dangerously close to expiring.
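The expiry monitoring mentioned in the comment above, as an added example that is not part of the thread or of the Yarn project: it parses `gpg --with-colons` output (as produced by `gpg --with-colons --list-keys`) and flags every signing key that is expired or inside a warning window. The sample listing is constructed from the subkey listing posted earlier in this thread; its timestamps are assumed to be midnight UTC and the creation date of the 2019 replacement subkey is assumed.

```python
"""Flag signing (sub)keys in `gpg --with-colons` output that are expired or close to expiry."""
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the subkey listing posted in this thread: key IDs and
# dates come from the thread, timestamps are assumed to be midnight UTC, and the
# creation date of the 2019 replacement subkey is assumed.
SAMPLE_COLONS = """\
pub:-:4096:1:1646B01B86E50310:1475625600:::-:::scSC::::::23::0:
uid:-::::1475625600::::Yarn Packaging <yarn@dan.cx>::::::::::0:
sub:-:4096:1:02820C39D50AF136:1475625600::::::e::::::23:
sub:e:4096:1:D101F7899D41F3C3:1475625600:1507161600:::::s::::::23:
sub:-:4096:1:46C2130DFD2497F5:1477785600:1546300800:::::s::::::23:
sub:-:4096:1:E074D16EB6FF4DE3:1505001600:1546300800:::::s::::::23:
sub:-:4096:1:23E7166788B63E1E:1546387200:1580601600:::::s::::::23:
"""

def _as_utc(now):
    """Accept None (current time), a datetime, or a 'YYYY-MM-DD' string."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        return datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return now

def check_signing_keys(colon_output, now=None, warn_days=90):
    """One record per pub/sub line whose capabilities (field 12) include 's' = sign."""
    now = _as_utc(now)
    results = []
    for line in colon_output.splitlines():
        f = line.split(":")  # field 1 = type, 5 = key ID, 7 = expiry as epoch seconds
        if len(f) < 12 or f[0] not in ("pub", "sub") or "s" not in f[11]:
            continue
        keyid, expiry = f[4], f[6]
        if not expiry:
            results.append({"keyid": keyid, "status": "no-expiry", "days_left": None})
            continue
        exp = datetime.fromtimestamp(int(expiry), tz=timezone.utc)
        if exp <= now:                                  # apt reports EXPKEYSIG from here on
            status = "expired"
        elif exp - now <= timedelta(days=warn_days):    # inside the warning window
            status = "expiring"
        else:
            status = "ok"
        results.append({"keyid": keyid, "status": status, "days_left": (exp - now).days})
    return results

def needs_attention(results):
    """Key IDs that should be rotated or extended now (expired or inside the window)."""
    return [r["keyid"] for r in results if r["status"] in ("expired", "expiring")]
```

Run it against the real keyring with `gpg --with-colons --list-keys <keyid>` piped into `check_signing_keys`; a scheduled job that alerts whenever `needs_attention` is non-empty gives the 90-day warning described above.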

@Daniel15 Daniel15 closed this as completed Jan 2, 2019
@raphaelpereira

Signing tools from Microsoft allow developers to affix time stamps at the same time as they affix Authenticode signatures. Time stamping allows Authenticode signatures to be verifiable even after the certificates used for signature have expired.

I think it should work like that! Probably a bug report on Debian?

@Daniel15
Member

I generated a new GPG subkey for the nightly repo, but I'm having issues with Aptly (#6904) which is making it impossible to republish the repo :/

18:00 daniel@vps03 /var/www/nightly.yarnpkg.com
% ./update-deb.sh
+ aptly repo add -remove-files=true yarn-nightly ./nightly/deb-incoming/
Loading packages...
+ aptly publish update -gpg-key=4F77679369475BAA nightly yarn-nightly
ERROR: unable to update: local repo with uuid 55ff60af-263a-4df6-8f97-2c09ad7a4995 not found

@Daniel15
Member

This should be fixed now!

@Daniel15 Daniel15 reopened this Jan 11, 2019
@manuel-uberti

manuel-uberti commented Jan 11, 2019

Hi,

the problem is still here with this in my /etc/apt/sources.list.d:

deb https://dl.yarnpkg.com/debian/ stable main

Edit: never mind, re-downloading the key fixed it. :)

@bvnierop

I can second the above comment. The key changed since the previous rotation 9 days ago and had to be re-downloaded.

@DanBuild

DanBuild commented Jan 11, 2019 via email

@Daniel15
Member

The key changed since the previous rotation 9 days ago

Investigating in #6916. Currently it looks like an Aptly bug: aptly-dev/aptly#805

@LukasTsunami

LukasTsunami commented Jan 15, 2019

I resolved here with the commands:
sudo pkill dirmngr; dirmngr --debug-all --daemon --standard-resolver
sudo apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys 4F77679369475BAA
wget https://yum.dockerproject.org/gpg
sudo apt-key add gpg

@bvnierop

bvnierop commented Jan 15, 2019

The revised key that I downloaded 4 days ago (which included the new subkey) stopped working again today.

@Daniel15
Member

Sorry about that... It should be okay now. That was tracked in #6916.

@Daniel15
Member

I've got a dashboard monitoring the key expiry dates now: https://dash.d.sb/d/0PYZ8W_iz/yarn and will configure monitoring for it.

@Thumpxr

Thumpxr commented Feb 2, 2020

expired again.

The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>

@ygModesto

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

solved the problem

@Daniel15
Member

Daniel15 commented Feb 2, 2020

I extended the expiry a few weeks ago, but you need to manually update it since I haven't configured it to auto update yet. See #7866

@mekinney

Is this a problem for 2021 now?

@Daniel15
Member

@mekinney It shouldn't be. The old key hasn't expired yet (expires 2nd February 2021, which is next week) but I extended the expiry to 2023. Is it possible your system has the old key which expired in Feb 2020? Please run this:

gpg --list-keys 23E7166788B63E1E

and let me know the output.

@AbeCole

AbeCole commented Feb 2, 2021

@Daniel15 I have this issue occurring today (2nd Feb 2021), output of that command is gpg: error reading key: No public key. Don't know if it matters but my server sits behind a firewall so needs to use a proxy for external requests

@Daniel15
Member

Daniel15 commented Feb 2, 2021

@AbeCole It sounds like the key isn't in your keychain. Try running this command:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

@AbeCole

AbeCole commented Feb 2, 2021

@Daniel15 Worked for me, thanks!

@rmourey26

Both commands also worked for me @Daniel15 thanks!!

@plinss

plinss commented Feb 4, 2021

Downloading a new key worked for me as well, however I just wanted to say that installing third-party gpg keys into the system keystore is generally a bad idea (which is what running apt-key add - does). I know it's recommended all over the place, but there's a better way to handle this.

First, download repository keys into individual files in a directory dedicated for them. On Debian the standard convention is /usr/share/keyrings but any directory works (aside from /etc/apt/trusted.gpg.d, that's the system keystore). If the key is provided in ascii-armor format, like Yarn's is, you'll need to dearmor the key to create a binary version, e.g.:

mkdir -p /usr/share/keyrings
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /usr/share/keyrings/yarnpkg-archive-keyring.gpg

Then update your source file to refer to the key. E.g., in /etc/apt/sources.list.d have a file named yarnpkg.list with the contents:

deb [signed-by=/usr/share/keyrings/yarnpkg-archive-keyring.gpg] https://dl.yarnpkg.com/debian/ stable main

This ensures that only files downloaded from the yarnpkg repository can be signed by the yarnpkg gpg key. Having the key in the system keystore allows any package in any repository to be signed by the yarnpkg key. Should that key ever be compromised, it could be used to sign anything, coming from anywhere, like a hacked version of your kernel.

For further security, create a preferences file. E.g. in /etc/apt/preferences.d have a file named yarnpkg with the contents:

Package: *
Pin: origin "dl.yarnpkg.com"
Pin-Priority: 100

Setting the Pin-Priority to a value less than other repositories (the Debian repositories have a priority of 500) prevents packages in the yarnpkg repository from overriding packages with the same name from other repositories with a higher priority. So for example, should the yarnpkg repository start offering a new version of openssl or some other standard system package, you won't pick it up unless you specifically request it.

More detailed information can be found here: https://wiki.debian.org/DebianRepository/UseThirdParty
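An audit for the hardening described in the comment above, as an added example that is not part of the thread or of the Yarn project: it classifies one-line-style apt source entries by whether they are scoped to a per-repository keyring, still rely on the shared system keystore, or carry the `[trusted=yes]` workaround from earlier in this thread. The sample entries are constructed from the lines posted in the thread; the `example.invalid` entry and its keyring path are assumed, and `keyring_exists` is injectable so the check can run without touching the filesystem.

```python
"""Audit apt source entries: per-repo [signed-by=...] keyring present, and no [trusted=yes]."""
import os
import re

# One-line style:  deb|deb-src [opt=val ...] URI suite component...   (options are optional)
ENTRY_RE = re.compile(r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)")

# Constructed sample: the three entries posted in this thread, one assumed entry whose
# keyring file is missing, and a commented-out line that must be ignored.
SAMPLE_SOURCES = [
    "deb https://dl.yarnpkg.com/debian/ stable main",
    "deb [trusted=yes] https://dl.yarnpkg.com/debian/ stable main",
    "deb [signed-by=/usr/share/keyrings/yarnpkg-archive-keyring.gpg] https://dl.yarnpkg.com/debian/ stable main",
    "deb [arch=amd64 signed-by=/usr/share/keyrings/example-missing.gpg] https://example.invalid/debian stable main",
    "# deb-src https://dl.yarnpkg.com/debian/ stable main",
]

def audit_entry(line, keyring_exists=os.path.isfile):
    """Classify one source line; None for blank or comment lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    # "[arch=amd64 signed-by=/path]" -> {"arch": "amd64", "signed-by": "/path"}
    opts = dict(item.partition("=")[::2] for item in (m.group("opts") or "").split())
    if opts.get("trusted") == "yes":
        return "TRUSTED"           # signature verification disabled for this repo
    keyrings = opts.get("signed-by")
    if not keyrings:
        return "SYSTEM-KEYSTORE"   # any key in the shared apt keystore may sign this repo
    if not all(keyring_exists(p) for p in keyrings.split(",")):
        return "MISSING-KEYRING"   # apt will reject the repo until the file is present
    return "OK"                    # scoped to its own keyring, and that keyring exists

def audit_sources(lines, keyring_exists=os.path.isfile):
    """Return (verdict, uri, line) for every real entry in the given lines."""
    findings = []
    for line in lines:
        verdict = audit_entry(line, keyring_exists)
        if verdict is not None:
            findings.append((verdict, ENTRY_RE.match(line.strip()).group("uri"), line.strip()))
    return findings
```

Feed it the contents of `/etc/apt/sources.list.d/*.list` to find every repository that is still signed against the system keystore; the Pin-Priority preference file from the comment above is a separate control and is not checked here.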

facebook-github-bot pushed a commit to facebook/react-native that referenced this issue Feb 5, 2021
Summary:
Yarn key had expired on 2nd of February. The owner has renewed it, but seems like Circle CI still has the old one cached. (see yarnpkg/yarn#6865 (comment))

Changelog: [Internal]

Reviewed By: fkgozali

Differential Revision: D26276386

fbshipit-source-id: 093c7de94445b6ff9beb5792b16564e5c3bd1234
mgpritchard added a commit to mgpritchard/PLC2022 that referenced this issue Sep 13, 2022
as per yarnpkg/yarn#6865 (comment). Unsure if there is a better way of addressing this!