Yarn: GPG error: https://dl.yarnpkg.com/debian stable InRelease NO_PUBKEY E074D16EB6FF4DE3

69

Fails at apt-get update since this morning (European time) with:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E074D16EB6FF4DE3
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E074D16EB6FF4DE3
W: Some index files failed to download. They have been ignored, or old ones used instead.

Tried re-adding the key from:
https://dl.yarnpkg.com/debian/pubkey.gpg

No change...

Guess some key timed out or got thrown out.

OS:
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

Currently installed package version:
dpkg -s yarn
Package: yarn
Status: install ok installed
Priority: optional
Section: devel
Installed-Size: 3824
Maintainer: Yarn Developers <yarn@dan.cx>
Architecture: all
Version: 1.0.1-1
Recommends: nodejs
Conflicts: nodejs (<< 4.0.0)

boscowitch  ·  14 Sep 2017

All comments

42

I'm having the same issue:

# Added the key
root@a7b7b8f09d84:/# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1646B01B86E50310
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.1YxGw8HlmN --no-auto-check-trustdb --trust-model always --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1646B01B86E50310
gpg: requesting key 86E50310 from hkp server keyserver.ubuntu.com
gpg: key 86E50310: public key "Yarn Packaging <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

# Confirming the key exists
root@a7b7b8f09d84:/# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   4096R/86E50310 2016-10-05
uid                  Yarn Packaging <[email protected]>
sub   4096R/D50AF136 2016-10-05
sub   4096R/9D41F3C3 2016-10-05 [expires: 2017-10-05]
sub   4096R/FD2497F5 2016-10-30

# Updated my sources
root@a7b7b8f09d84:/# echo 'deb https://dl.yarnpkg.com/debian/ stable main' > /etc/apt/sources.list.d/yarn.list

# Updating package index fails
root@a7b7b8f09d84:/# apt-get update -y
Hit http://security.debian.org jessie/updates InRelease
Get:1 https://dl.yarnpkg.com stable InRelease [11.5 kB]
Get:2 http://security.debian.org jessie/updates/main amd64 Packages [546 kB]
Ign http://deb.debian.org jessie InRelease
Hit http://deb.debian.org jessie-updates InRelease
Hit http://deb.debian.org jessie Release.gpg
Ign https://dl.yarnpkg.com stable InRelease
Get:3 https://dl.yarnpkg.com stable/main amd64 Packages [5912 B]
Hit http://deb.debian.org jessie Release
Get:4 http://deb.debian.org jessie-updates/main amd64 Packages [23.1 kB]
Get:5 http://deb.debian.org jessie/main amd64 Packages [9063 kB]
Fetched 9649 kB in 5s (1618 kB/s)
Reading package lists... Done
W: GPG error: https://dl.yarnpkg.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E074D16EB6FF4DE3

itskingori  ·  14 Sep 2017
0

Confirmed. Same here.

rzo1  ·  14 Sep 2017
609

The signing key changed in yarnpkg/[email protected]

But that key isn't available (yet?) in keyservers.

gpg: requesting key B6FF4DE3 from hkp server keyserver.ubuntu.com
gpgkeys: key E074D16EB6FF4DE3 not found on keyserver

To add the latest key:
wget -qO - https://raw.githubusercontent.com/yarnpkg/releases/gh-pages/debian/pubkey.gpg | sudo apt-key add -

todeveni  ·  14 Sep 2017
697

Doing curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add - again was enough.

viktorku  ·  14 Sep 2017
6

Confirmed they fixed it. But this morning even re-adding it definitely didn't work! I re-added it in the morning and checked it now with Ansible on the same server.
Re-adding the key now reported no change (now in the afternoon),
but it works now with the key re-added in the morning, so I guess there was a change in the key file but it took a while for the releases to be adjusted?

Ansible ad hoc command used:
ansible -m apt_key -a "url=https://dl.yarnpkg.com/debian/pubkey.gpg state=present" TESTHOST

boscowitch  ·  14 Sep 2017
8

New key should be good until 2019-01-01 according to #4253

millette  ·  17 Sep 2017
2

Sorry about this! I'm not sure how to improve the process at the moment, so I'll have to get some advice on it. The best practice is to rotate your signing keys periodically (e.g. every year, or every two years), but I might need to get advice from other people that maintain package repositories to see how they handle it. Debian and Ubuntu both rotate their keys on each release, but that works well for those projects as they have a separate repo per release.

Daniel15  ·  28 Sep 2017
2

@Daniel15, the deb-multimedia.org repository ships a deb-multimedia-keyring package, which contains and updates the keys.

Maybe you should get in contact with Christian Marillat (marillat at deb-multimedia.org), or better yet, drop a line into the dmo-discussion mailing list and ask for advice from someone who has done this in the past.

dmke  ·  5 Oct 2017
4

This might be late to this "bug", but can you please:

  • Provide a signature of the new key, signed with the old key.
  • Give some advice on how to check this against the old key.
  • And please show this procedure on your webpage, too.

Because without this, the whole purpose of signed repositories is voided, as any hacker can provide the exact same information as you, but with some forged key.

Thanks.

PS: I am thinking of some simple client procedure like the following:

  • First, create some scratchdir:

    mkdir scratchdir
    cd scratchdir
    
  • Then download the new key along with its sig:

    wget https://dl.yarnpkg.com/debian/pubkey.gpg
    wget https://dl.yarnpkg.com/debian/pubkey.gpg.sig
    
  • Now check integrity:

    gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --verify pubkey.gpg.sig pubkey.gpg

  • Then, do only if satisfied:

    sudo apt-key add pubkey.gpg
    

FYI: You are the only trustworthy source to authenticate the new key! So please provide some clear and secure upgrade path. Downloading the key from some "obscure" website (which might have been hacked in the meantime, as https is no trustworthy source by itself, it only authenticates the transport, not the source) re-introduces the initial hen-egg-problem again, which already should have been solved, thanks to the existing (old and expired, but this is not really the problem here) key.

hilbix  ·  1 Nov 2017
1

Provide a signature of the new key, signed with the old key.

@hilbix - I can do this, but is it actually necessary? The new key is a subkey under exactly the same master key as the old one, so there's already implicit trust between the two. Anyone that can sign a message using the key can also add a subkey.

For future key rotations, I can post a Github issue containing the fingerprint of the new key, signed with the old one. Would that be sufficient?

Downloading the key from some "obscure" website (which might got hacked in the meanwhile, as https is no trustworthy source by itself, it only authenticates the transport, not the source)

What about loading it from a key server (like https://pgp.mit.edu)? You could do that if you prefer.

Daniel15  ·  1 Nov 2017
5

Thank you for noting the SubKey-Feature of OpenPGP which I was not aware of until today. I have now read about it at https://wiki.debian.org/Subkeys (Beware! Here be Dragons!) and I can agree, you are completely right in what you say. The new subkey can be authenticated by the master-key of the expired old subkey.

But this is not very obvious (not to say: very well hidden in the most secret basement ever) for people who know everything behind the mathematics of PKI but so far nothing about GnuPG in particular (is this only me in the entire universe?).

For others who want to know, too, here is what I came up with for Debian after several hours of googling around and reading manuals about GPG and so on, but to not much avail. Hence I did trial and error, so beware again: Here be dragons, too!

This solution:

  • Does not use the non-transparent /etc/apt/trusted.gpg, as I think this should be avoided at all cost if possible.
  • Instead it installs the pubkey into /etc/apt/trusted.gpg.d/ where it truly belongs in a portable and easy to manage way.
  • This also makes etckeeper very happy. You all use etckeeper already, right?

First, get everything in a scratch directory:

$ mkdir scratch
$ cd scratch
$ curl -o yarnpkg.gpg.pub https://dl.yarnpkg.com/debian/pubkey.gpg

Now verify it:

$ gpg yarnpkg.gpg.pub
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2016-10-05 [SC]
      72ECF46A56B4AD39C907BBB71646B01B86E50310
uid           Yarn Packaging <[email protected]>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub   rsa4096 2016-10-30 [S]
sub   rsa4096 2017-09-10 [S] [expires: 2019-01-01]

$ gpg /etc/apt/trusted.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2016-10-05 [SC]
      72ECF46A56B4AD39C907BBB71646B01B86E50310
uid           Yarn Packaging <[email protected]>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub   rsa4096 2016-10-30 [S]

Check that both fingerprints of the master key are the same (here 72ECF46A56B4AD39C907BBB71646B01B86E50310).

If so, remove the old key and install the new one and commit etckeeper (please note that the sequence of the two apt-key-calls matters):

sudo apt-key del 72ECF46A56B4AD39C907BBB71646B01B86E50310
sudo apt-key --keyring /etc/apt/trusted.gpg.d/yarnpkg.gpg add yarnpkg.gpg.pub
sudo etckeeper commit 'updated key of yarnpkg.com'

Now the issues of apt-get update should be gone.

For me my question is answered, thank you very much ;)

hilbix  ·  2 Nov 2017
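
The two posts above settle on one check: a downloaded key file is acceptable if its primary (master) key fingerprint is the one already trusted and the signing subkey apt asked for belongs to it. An added example, not part of the original thread, that automates that comparison on `gpg --with-colons` output; the function name, the exit codes and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Works on `gpg --with-colons` listings.

# Values taken from the thread: the master key fingerprint and the key ID
# that apt reported as NO_PUBKEY.
PINNED_FPR=72ECF46A56B4AD39C907BBB71646B01B86E50310
NEEDED_KEYID=E074D16EB6FF4DE3

# Constructed, abridged colon listing (subkey fpr records are left out and
# the first subkey ID is a placeholder). Dates follow the listing above.
SAMPLE='pub:-:4096:1:1646B01B86E50310:1475625600:::-:::scSC:
fpr:::::::::72ECF46A56B4AD39C907BBB71646B01B86E50310:
uid:-::::1475625600::::Yarn Packaging:
sub:e:4096:1:0000000000000001:1475625600:1507161600:::::s:
sub:-:4096:1:E074D16EB6FF4DE3:1505001600:1546300800:::::s:'

# check_listing PINNED_FPR KEYID NOW_EPOCH   (listing on stdin)
# returns 0: exactly one primary key, it is the pinned one, and it carries
#            a signing subkey KEYID that has not expired at NOW_EPOCH
# returns 2: primary key missing, different, or more than one key in the file
# returns 3: pinned key present, but no usable signing subkey KEYID
check_listing() {
    awk -F: -v pin="$1" -v need="$2" -v now="$3" '
        $1 == "pub" { npub++; after_pub = 1; next }
        # The fpr record right after pub is the primary key fingerprint.
        $1 == "fpr" && after_pub { if ($10 == pin) pinned = 1; after_pub = 0; next }
        $1 == "sub" {
            after_pub = 0
            # Field 5: long key ID, field 7: expiry (epoch), field 12: usage.
            if ($5 == need && index($12, "s") && ($7 == "" || $7 + 0 > now + 0)) { usable = 1 }
        }
        END {
            if (npub != 1 || !pinned) { print "primary key mismatch"; exit 2 }
            if (!usable) { print "no usable signing subkey " need; exit 3 }
            print "ok: " need " belongs to " pin
        }'
}

# Real use (assumes a GnuPG that has the --show-keys command):
#   gpg --show-keys --with-colons yarnpkg.gpg.pub |
#       check_listing "$PINNED_FPR" "$NEEDED_KEYID" "$(date +%s)"
```

Install the key file only when the function returns 0; a return of 3 with the pinned fingerprint present is the expired-subkey situation reported later in this thread.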
7

To automatically refresh all current apt-secure repository PGP keys with the gpg --refresh-keys command, invoked via apt-key adv:

(as root or via sudo, replacing ha.pool.sks-keyservers.net with the PGP keyserver of choice)

apt-key adv --refresh-keys --keyserver ha.pool.sks-keyservers.net

wjordan  ·  28 Apr 2018
0

Just a wget...

It was fun...! Thank you

mrgab0  ·  9 May 2018
-2

I solved the problem with the alternative installation script:
curl -o- -L https://yarnpkg.com/install.sh | bash
Then followed the suggestions in it.

Koli14  ·  1 Jan 2019
-2

Latest keys are expired:

# curl -o yarnpkg.gpg.pub https://raw.githubusercontent.com/yarnpkg/releases/gh-pages/debian/pubkey.gpg
# gpg yarnpkg.gpg.pub
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2016-10-05 [SC]
      72ECF46A56B4AD39C907BBB71646B01B86E50310
uid           Yarn Packaging <[email protected]>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub   rsa4096 2016-10-30 [S] [expired: 2019-01-01]
sub   rsa4096 2017-09-10 [S] [expired: 2019-01-01]

nitrag  ·  2 Jan 2019
0

That's being tracked in #6865

Daniel15  ·  2 Jan 2019
47

The gpg key at the official site has been updated, just follow the commands below to add it.

wget -O yarnpkg.gpg.pub https://dl.yarnpkg.com/debian/pubkey.gpg
gpg yarnpkg.gpg.pub # just check the expiry date of the key
sudo apt-key add yarnpkg.gpg.pub

a-lang  ·  6 Jan 2019
3

This solution is working. Thanks @viktorku

Tpojka  ·  11 Jan 2019
0

@millette your comment about the key expiring January 1 probably helps explain why my OS just exploded... Thanks! All fixed now (thanks @viktorku)

benwiley4000  ·  15 Jan 2019
0

None of the solutions posted above work for me on Linux 4.4.0-17763-Microsoft #253-Microsoft Mon Dec 31 17:49:00 PST 2018 x86_64 x86_64 x86_64 GNU/Linux.

W: GPG error: https://dl.bintray.com/sbt/debian  Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 99E82A75642AC823
E: The repository 'https://dl.bintray.com/sbt/debian  Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: Target Packages (Packages) is configured multiple times in /etc/apt/sources.list.d/sbt.list:1 and /etc/apt/sources.list.d/sbt.list:2
W: Target Translations (en) is configured multiple times in /etc/apt/sources.list.d/sbt.list:1 and /etc/apt/sources.list.d/sbt.list:2

zzvara  ·  17 Jan 2019
0

@zzvara That's a completely different repo (dl.bintray.com/sbt/) that's unrelated to Yarn. Speak to the owner of that repo. :)

Daniel15  ·  17 Jan 2019
5

This is probably the second biggest embarrassment of my life. (However, the package is still not found, I have to look into it some more.)

zzvara  ·  17 Jan 2019
0

I'm having trouble with this on Ubuntu 16.04.6.
All the above solutions failed.

i-fail  ·  3 Mar 2019
0

@i-fail Please post the exact output.

Daniel15  ·  3 Mar 2019
0

# apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Hit:2 http://archive.canonical.com/ubuntu xenial InRelease
Hit:3 http://ppa.launchpad.net/ondrej/apache2/ubuntu xenial InRelease
Hit:4 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:5 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Hit:6 http://ppa.launchpad.net/ondrej/php/ubuntu xenial InRelease
Fetched 218 kB in 1s (176 kB/s)
Reading package lists... Done
...
E: The method driver /usr/lib/apt/methods/https could not be found.
N: Is the package apt-transport-https installed?
E: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease
E: Some index files failed to download. They have been ignored, or old ones used instead.
...

i-fail  ·  3 Mar 2019
0

The error message literally tells you what's wrong :)

E: The method driver /usr/lib/apt/methods/https could not be found.
N: Is the package apt-transport-https installed?

apt install apt-transport-https will fix that.

Daniel15  ·  3 Mar 2019
1

Thank you! That worked, but now I'm getting this error:
https://github.com/yarnpkg/yarn/issues/6900

i-fail  ·  3 Mar 2019
0

Doing curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add - again was enough.

@viktorku Thank you! That was the only thing that worked for me.

WebAhmed  ·  4 Feb 2020
0

Yes, this is currently mentioned in #7866 which is (temporarily) pinned in the repo.

Daniel15  ·  4 Feb 2020
0

@viktorku Thank you!!

jaeminkim87  ·  18 Feb 2020
19

The gpg key at the official site has been updated, just follow the commands below to add it.

wget -O yarnpkg.gpg.pub https://dl.yarnpkg.com/debian/pubkey.gpg
gpg yarnpkg.gpg.pub # just check the expiry date of the key
sudo apt-key add yarnpkg.gpg.pub

It worked!! Thanks

lohhans  ·  19 Feb 2020
0

For anyone who saw this:

I also encountered this problem on Windows 10 version 1909, WSL 1.
Following this guide https://docs.microsoft.com/en-us/windows/wsl/install-win10 to upgrade to Windows 10 version 2004 and WSL 2 resolved it.

Jonathan0wh  ·  3 Jun 2020