Fails at apt-get update since this morning (European time) with:
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E074D16EB6FF4DE3
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E074D16EB6FF4DE3
W: Some index files failed to download. They have been ignored, or old ones used instead.
Tried re-adding the key from:
https://dl.yarnpkg.com/debian/pubkey.gpg
no change...
Guess some key timed out or got thrown out.
OS:
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
atm installed Package version:
dpkg -s yarn
Package: yarn
Status: install ok installed
Priority: optional
Section: devel
Installed-Size: 3824
Maintainer: Yarn Developers yarn@dan.cx
Architecture: all
Version: 1.0.1-1
Recommends: nodejs
Conflicts: nodejs (<< 4.0.0)
I'm having the same issue:
# Added the key
root@a7b7b8f09d84:/# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1646B01B86E50310
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.1YxGw8HlmN --no-auto-check-trustdb --trust-model always --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1646B01B86E50310
gpg: requesting key 86E50310 from hkp server keyserver.ubuntu.com
gpg: key 86E50310: public key "Yarn Packaging <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
# Confirming the key exists
root@a7b7b8f09d84:/# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 4096R/86E50310 2016-10-05
uid Yarn Packaging <[email protected]>
sub 4096R/D50AF136 2016-10-05
sub 4096R/9D41F3C3 2016-10-05 [expires: 2017-10-05]
sub 4096R/FD2497F5 2016-10-30
# Updated my sources
root@a7b7b8f09d84:/# echo 'deb https://dl.yarnpkg.com/debian/ stable main' > /etc/apt/sources.list.d/yarn.list
# Updating package index fails
root@a7b7b8f09d84:/# apt-get update -y
Hit http://security.debian.org jessie/updates InRelease
Get:1 https://dl.yarnpkg.com stable InRelease [11.5 kB]
Get:2 http://security.debian.org jessie/updates/main amd64 Packages [546 kB]
Ign http://deb.debian.org jessie InRelease
Hit http://deb.debian.org jessie-updates InRelease
Hit http://deb.debian.org jessie Release.gpg
Ign https://dl.yarnpkg.com stable InRelease
Get:3 https://dl.yarnpkg.com stable/main amd64 Packages [5912 B]
Hit http://deb.debian.org jessie Release
Get:4 http://deb.debian.org jessie-updates/main amd64 Packages [23.1 kB]
Get:5 http://deb.debian.org jessie/main amd64 Packages [9063 kB]
Fetched 9649 kB in 5s (1618 kB/s)
Reading package lists... Done
W: GPG error: https://dl.yarnpkg.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E074D16EB6FF4DE3
confirmed. Same here.
The signing key changed in yarnpkg/releases@d926b591b4c3a4d95ba92a2c3178d97a6ca551f3
But that key isn't available (yet?) in keyservers.
gpg: requesting key B6FF4DE3 from hkp server keyserver.ubuntu.com
gpgkeys: key E074D16EB6FF4DE3 not found on keyserver
To add the latest key:
wget -qO - https://raw.githubusercontent.com/yarnpkg/releases/gh-pages/debian/pubkey.gpg | sudo apt-key add -
Doing curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
again was enough.
Confirmed they fixed it. But this morning even re-adding it definitely didn't work! I re-added it in the morning and checked it now with ansible on the same server.
Re-adding the key now reported no change (now in the afternoon)
but it works now with the key re-added in the morning, so I guess there was a change in the key file but it took a while for the releases to be adjusted?
ansible ad hoc command used:
ansible -m apt_key -a "url=https://dl.yarnpkg.com/debian/pubkey.gpg state=present" TESTHOST
New key should be good until 2019-01-01 according to #4253
Sorry about this! I'm not sure how to improve the process at the moment, so I'll have to get some advice on it. The best practice is to rotate your signing keys periodically (eg. every year, or every two years), but I might need to get advice from other people that maintain package repositories to see how they handle it. Debian and Ubuntu both rotate their keys on each release, but that works well for those projects as they have a separate repo per release.
@Daniel15, the deb-multimedia.org repository ships a deb-multimedia-keyring package, which contains and updates the keys.
Maybe you should get in contact with Christian Marillat (marillat at deb-multimedia.org), or better yet, drop a line into the dmo-discussion mailing list and ask for advice from someone who has done this in the past.
This might be late to this "bug", but can you please:
Because without, the whole purpose of signed repositories is voided, as any hacker can provide the exact same information as you, but with some forged key.
Thanks.
PS: I think of some simple client procedure like following:
First, create some scratchdir:
mkdir scratchdir
cd scratchdir
Then download the new key along with its sig:
wget https://dl.yarnpkg.com/debian/pubkey.gpg
wget https://dl.yarnpkg.com/debian/pubkey.gpg.sig
Now check integrity:
gpg --keyring /etc/apt/trusted.gpg pubkey.gpg.sig
Then, do only if satisfied:
sudo apt-key add pubkey.gpg
FYI: You are the only trustworthy source to authenticate the new key! So please provide some clear and secure upgrade path. Downloading the key from some "obscure" website (which might have gotten hacked in the meantime, as https is no trustworthy source by itself, it only authenticates the transport, not the source) re-introduces the initial hen-egg-problem again, which already should have been solved, thanks to the existing (old and expired, but this is not really the problem here) key.
Provide a signature of the new key, signed with the old key.
@hilbix - I can do this, but is it actually necessary? The new key is a subkey under exactly the same master key as the old one, so there's already implicit trust between the two. Anyone that can sign a message using the key can also add a subkey.
For future key rotations, I can post a Github issue containing the fingerprint of the new key, signed with the old one. Would that be sufficient?
. Downloading the key from some "obscure" website (which might got hacked in the meanwhile, as https is no trustworthy source by itself, it only authenticates the transport, not the source)
What about loading it from a key server (like https://pgp.mit.edu)? You could do that if you prefer.
Thank you for noting the SubKey-Feature of OpenPGP which I was not aware of until today. I now read about it from https://wiki.debian.org/Subkeys (Beware! Here be Dragons!) and I can agree, you are completely right in what you say. The new subkey can be authenticated by the master-key of the expired old subkey.
But this is not very obvious (not to tell: Very well hidden in the most secret basement ever) for people, who know everything behind the Mathematics of PKI but so far nothing about GnuPG in special (is this only me in the entire universe?).
For others who want to know, too, here is what I came up with for Debian after several hours of googling around and reading manuals about GPG and so on, but to not much avail. Hence I did trial and error, so beware again: Here be dragons, too!
This solution:
/etc/apt/trusted.gpg, as I think, this should be avoided at all cost if possible.
/etc/apt/trusted.gpg.d/ where it truly belongs in a portable and easy to manage way.
etckeeper very happy. You all use etckeeper already, right?
First, get everything in a scratch directory:
$ mkdir scratch
$ cd scratch
$ curl -o yarnpkg.gpg.pub https://dl.yarnpkg.com/debian/pubkey.gpg
Now verify it:
$ gpg yarnpkg.gpg.pub
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2016-10-05 [SC]
72ECF46A56B4AD39C907BBB71646B01B86E50310
uid Yarn Packaging <[email protected]>
sub rsa4096 2016-10-05 [E]
sub rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub rsa4096 2016-10-30 [S]
sub rsa4096 2017-09-10 [S] [expires: 2019-01-01]
$ gpg /etc/apt/trusted.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2016-10-05 [SC]
72ECF46A56B4AD39C907BBB71646B01B86E50310
uid Yarn Packaging <[email protected]>
sub rsa4096 2016-10-05 [E]
sub rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub rsa4096 2016-10-30 [S]
Check that both fingerprints of the master key are the same (here 72ECF46A56B4AD39C907BBB71646B01B86E50310).
If so, remove the old key and install the new one and commit etckeeper (please note that the sequence of the two apt-key calls matters):
sudo apt-key del 72ECF46A56B4AD39C907BBB71646B01B86E50310
sudo apt-key --keyring /etc/apt/trusted.gpg.d/yarnpkg.gpg add yarnpkg.gpg.pub
sudo etckeeper commit 'updated key of yarnpkg.com'
Now the issues of apt-get update should be gone.
For me my question is answered, thank you very much ;)
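The check described in the comment above (same master-key fingerprint before importing a rotated key), as an added example that is not part of the original thread. It goes one step further and also confirms that the key ID from apt's NO_PUBKEY warning is an unexpired signing subkey in the new file. The function names are hypothetical and the key listings are constructed samples in `gpg --with-colons` format.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Input is `gpg --with-colons` text, so
# the logic runs offline on the constructed listings at the bottom.

# Fingerprint of the primary key: first fpr record after the pub record.
primary_fpr() { awk -F: '$1=="pub"{p=1} p && $1=="fpr"{print $10; exit}'; }

# Key IDs of signing-capable subkeys not yet expired at epoch $1.
# Field 5 = key ID, field 7 = expiry (empty = none), field 12 = capabilities.
live_signers() {
  awk -F: -v now="$1" \
    '$1=="sub" && $12 ~ /s/ && ($7=="" || $7+0 > now+0) {print $5}'
}

# check_rotation TRUSTED_LISTING NEW_LISTING NO_PUBKEY_ID NOW_EPOCH
#   0: same primary key, and NO_PUBKEY_ID is a live signing subkey in NEW
#   1: primary fingerprint differs (or is missing): do not import
#   2: same primary key, but NEW would not clear the NO_PUBKEY error
check_rotation() {
  cr_old=$(printf '%s\n' "$1" | primary_fpr)
  cr_new=$(printf '%s\n' "$2" | primary_fpr)
  [ -n "$cr_old" ] && [ "$cr_old" = "$cr_new" ] || return 1
  printf '%s\n' "$2" | live_signers "$4" | grep -qx "$3" || return 2
}

# Constructed listings. Primary fingerprint and the NO_PUBKEY ID are the ones
# quoted in the thread; the other IDs are placeholders, and treating
# E074D16EB6FF4DE3 as the subkey expiring 2019-01-01 is an assumption.
TRUSTED='pub:-:4096:1:1646B01B86E50310:1475625600:::-:::scESC:
fpr:::::::::72ECF46A56B4AD39C907BBB71646B01B86E50310:
sub:e:4096:1:AAAAAAAAAAAAAAAA:1475625600:1507161600:::::s:'
ROTATED="$TRUSTED
sub:-:4096:1:E074D16EB6FF4DE3:1505001600:1546300800:::::s:"
SWAPPED='pub:-:4096:1:BBBBBBBBBBBBBBBB:1505001600:::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1505001600:1546300800:::::s:'

NOW=1507500000   # constructed "today", a few days after 2017-10-05
check_rotation "$TRUSTED" "$ROTATED" E074D16EB6FF4DE3 "$NOW" &&
  echo "same primary key, new signing subkey present: OK to import"
```

On a real host the two listings would come from `gpg --show-keys --with-colons pubkey.gpg` and `gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --list-keys --with-colons`. Return code 2 corresponds to re-adding a key file that does not yet contain the new subkey, or one whose subkeys have all expired.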
To automatically refresh all current apt-secure repository PGP keys with the gpg --refresh-keys command, invoked via apt-key adv (as root or via sudo, replacing ha.pool.sks-keyservers.net with the PGP keyserver of choice):
apt-key adv --refresh-keys --keyserver ha.pool.sks-keyservers.net
just a wget...
it was fun...! thank you
I solved the problem with the alternative installation script:
curl -o- -L https://yarnpkg.com/install.sh | bash
Then followed the suggestions in it.
Latest keys are expired:
# curl -o yarnpkg.gpg.pub https://raw.githubusercontent.com/yarnpkg/releases/gh-pages/debian/pubkey.gpg
# gpg yarnpkg.gpg.pub
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2016-10-05 [SC]
72ECF46A56B4AD39C907BBB71646B01B86E50310
uid Yarn Packaging <[email protected]>
sub rsa4096 2016-10-05 [E]
sub rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub rsa4096 2016-10-30 [S] [expired: 2019-01-01]
sub rsa4096 2017-09-10 [S] [expired: 2019-01-01]
That's being tracked in #6865
The gpg key at the official site has been updated, just follow the commands below to add it.
wget -O yarnpkg.gpg.pub https://dl.yarnpkg.com/debian/pubkey.gpg
gpg yarnpkg.gpg.pub #just check the expired date of the key
sudo apt-key add yarnpkg.gpg.pub
This solution is working. Thanks @viktorku
@millette your comment about the key expiring january 1 probably helps explain why my OS just exploded.. thanks! all fixed now (thanks @viktorku)
None of the solutions posted above work for me on Linux 4.4.0-17763-Microsoft #253-Microsoft Mon Dec 31 17:49:00 PST 2018 x86_64 x86_64 x86_64 GNU/Linux.
W: GPG error: https://dl.bintray.com/sbt/debian Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 99E82A75642AC823
E: The repository 'https://dl.bintray.com/sbt/debian Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: Target Packages (Packages) is configured multiple times in /etc/apt/sources.list.d/sbt.list:1 and /etc/apt/sources.list.d/sbt.list:2
W: Target Translations (en) is configured multiple times in /etc/apt/sources.list.d/sbt.list:1 and /etc/apt/sources.list.d/sbt.list:2
@zzvara That's a completely different repo (dl.bintray.com/sbt/) that's unrelated to Yarn. Speak to the owner of that repo. :)
This is the second biggest embarrassment of my life probably. (However, the package is still not found, I have to look into it some more.)
I'm having trouble with this on Ubuntu 16.04.6.
All the above solutions failed.
@i-fail Please post the exact output.
# apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Hit:2 http://archive.canonical.com/ubuntu xenial InRelease
Hit:3 http://ppa.launchpad.net/ondrej/apache2/ubuntu xenial InRelease
Hit:4 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:5 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Hit:6 http://ppa.launchpad.net/ondrej/php/ubuntu xenial InRelease
Fetched 218 kB in 1s (176 kB/s)
Reading package lists... Done
...
E: The method driver /usr/lib/apt/methods/https could not be found.
N: Is the package apt-transport-https installed?
E: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease
E: Some index files failed to download. They have been ignored, or old ones used instead.
...
The error message literally tells you what's wrong :)
E: The method driver /usr/lib/apt/methods/https could not be found.
N: Is the package apt-transport-https installed?
apt install apt-transport-https will fix that.
Thank you! That worked, but now I'm getting this error:
https://github.com/yarnpkg/yarn/issues/6900
Doing
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
again was enough.
@viktorku thank you! that was the only thing that worked for me.
Yes, this is currently mentioned in #7866 which is (temporarily) pinned in the repo.
@viktorku Thank you!!
The gpg key at the official site has been updated, just follow the commands below to add it.
wget -O yarnpkg.gpg.pub https://dl.yarnpkg.com/debian/pubkey.gpg
gpg yarnpkg.gpg.pub #just check the expired date of the key
sudo apt-key add yarnpkg.gpg.pub
It worked!! Thanks
For anyone who saw this:
I also encountered this problem on Windows 10 version 1909, wsl 1.
Following this guide https://docs.microsoft.com/en-us/windows/wsl/install-win10 to upgrade to Windows 10 version 2004 and wsl2 resolved it.