apt broken on eresida
Closed, Resolved, Public

Description

Currently we can't run apt update on eresida:

root@eresida ~ # aptitude update
Get: 1 https://dl.yarnpkg.com/debian stable InRelease [13.3 kB]
Err https://dl.yarnpkg.com/debian stable InRelease                                                                        
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4F77679369475BAA
Hit http://security.ubuntu.com/ubuntu bionic-security InRelease            
Hit http://archive.ubuntu.com/ubuntu bionic InRelease
Hit http://archive.ubuntu.com/ubuntu bionic-updates InRelease
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4F77679369475BAA
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4F77679369475BAA
W: Some index files failed to download. They have been ignored, or old ones used instead.

I don't even know why we use the yarn repo on this server so I'm not touching this...

nalvarez created this task. Jan 16 2019, 3:20 AM
nalvarez triaged this task as Normal priority.
Restricted Application added a subscriber: sysadmin. Jan 16 2019, 3:20 AM

It's used for Gitlab, not sure why it would be invalid now, they must have changed their key.

bshah added a subscriber: bshah. Jan 16 2019, 7:03 AM

I looked at the current keyring on the yarn website:

gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2016-10-05 [SC]
      72ECF46A56B4AD39C907BBB71646B01B86E50310
uid           Yarn Packaging <yarn@dan.cx>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub   rsa4096 2016-10-30 [S] [expired: 2019-01-01]
sub   rsa4096 2017-09-10 [S] [expired: 2019-01-01]
sub   rsa4096 2019-01-02 [S] [expires: 2020-02-02]
sub   rsa4096 2019-01-11 [S] [expires: 2020-02-02]

And compared it to the current key we have in the apt keyring:

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
Warning: apt-key output should not be parsed (stdout is not a terminal)
pub   rsa4096 2016-10-05 [SC]
      72ECF46A56B4AD39C907BBB71646B01B86E50310
uid           Yarn Packaging <yarn@dan.cx>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub   rsa4096 2016-10-30 [S] [expired: 2019-01-01]
sub   rsa4096 2017-09-10 [S] [expired: 2019-01-01]

It seems the current signing key is expired, and a new key valid up to 2020-02-02 has been added to the keyring. Both keys have the master key

72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310

Given this, I will update the key from yarn: https://dl.yarnpkg.com/debian/pubkey.gpg

bshah closed this task as Resolved. Jan 16 2019, 7:08 AM

Thanks for checking that @bshah.
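
The comparison done by hand in this task, as an added example that is not part of the original thread: it parses two `gpg --with-colons` listings and classifies the key ID from a NO_PUBKEY error. The listings are constructed from the dates shown above; the `AAAA...` key IDs are placeholders, and placing 4F77679369475BAA on the 2019-01-02 subkey is an assumption.

```python
from datetime import datetime, timezone

def _ts(day):
    """YYYY-MM-DD -> epoch-seconds string, the date form used in colon listings."""
    if not day:
        return ""
    return str(int(datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()))

def _sub(keyid, created, expires, caps):
    """Build one constructed `sub` record: field 5 key ID, 7 expiry, 12 capabilities."""
    return ":".join(["sub", "-", "4096", "1", keyid, _ts(created), _ts(expires),
                     "", "", "", "", caps, ""])

# Constructed sample data mirroring the subkey dates in the task (IDs are placeholders).
_OLD = [
    _sub("AAAAAAAAAAAA0001", "2016-10-05", "", "e"),
    _sub("AAAAAAAAAAAA0002", "2016-10-05", "2017-10-05", "s"),
    _sub("AAAAAAAAAAAA0003", "2016-10-30", "2019-01-01", "s"),
    _sub("AAAAAAAAAAAA0004", "2017-09-10", "2019-01-01", "s"),
]
_NEW = [
    _sub("4F77679369475BAA", "2019-01-02", "2020-02-02", "s"),  # assumed mapping
    _sub("AAAAAAAAAAAA0005", "2019-01-11", "2020-02-02", "s"),
]
LOCAL = "\n".join(_OLD)            # what the apt keyring held
UPSTREAM = "\n".join(_OLD + _NEW)  # what the published pubkey.gpg holds
NOW = datetime(2019, 1, 16, tzinfo=timezone.utc)

def signing_subkeys(listing):
    """Map key ID -> expiry (datetime, or None if no expiry) for signing subkeys."""
    found = {}
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) >= 12 and f[0] == "sub" and "s" in f[11]:
            found[f[4]] = datetime.fromtimestamp(int(f[6]), timezone.utc) if f[6] else None
    return found

def usable(listing, now):
    """Signing subkeys that have not expired at `now`."""
    return sorted(k for k, exp in signing_subkeys(listing).items() if exp is None or exp > now)

def diagnose(no_pubkey, local, upstream, now):
    """Classify the key ID reported by apt against the local and upstream listings."""
    loc, up = signing_subkeys(local), signing_subkeys(upstream)
    if no_pubkey in loc:
        exp = loc[no_pubkey]
        return "present-expired" if exp and exp <= now else "present-valid"
    if no_pubkey in up:
        return "missing-locally"  # upstream added a subkey; the apt keyring is stale
    return "unknown-key"          # not a subkey of this primary key; investigate first

if __name__ == "__main__":
    print(diagnose("4F77679369475BAA", LOCAL, UPSTREAM, NOW), usable(LOCAL, NOW))
```

A "missing-locally" result with an unchanged primary fingerprint matches the situation found here; "unknown-key" means the signer is not under the key already trusted and should not be imported without further checks.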