15

apt update: signatures were invalid: F42ED6FBAB17C654

asked 2021-05-29 02:13:09 -0500

gvdhoorn

updated 2021-05-31 02:46:21 -0500

Edit2: for full details, see ROS GPG Key Expiration Incident on ROS Discourse. For a summary of the fix, see the accepted answer below.


Edit: removed the work-around. Don't use it. See the answer below.


On 2021-05-28, the signing key of the ROS apt repositories expired.

apt update output will be like this:

$ apt update
...
Err:8 http://packages.ros.org/ros2/ubuntu focal InRelease                      
  The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <info@osrfoundation.org>
...
Reading package lists... Done                         
W: GPG error: http://packages.ros.org/ros2/ubuntu focal InRelease: The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <info@osrfoundation.org>
E: The repository 'http://packages.ros.org/ros2/ubuntu focal InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

This will cause CIs to fail, as well as regular apt updates on user machines (i.e., installing ROS using apt is currently not possible).

See Key for downloading ros2 source showing expired on ROS Discourse for where this is being discussed.

See GPG Key Expired for the incident report.

Work is underway to fix this -- which will likely be a replacement of the current key.

If/when more information is available, I'll update this Q&A.

Related issues:

Related PRs:


Comments

Discourse thread about the previous key change: New GPG keys deployed for packages.ros.org. Previous Q&A: #q325039.

Note: the information in those posts does not necessarily help with the current expired key.

gvdhoorn (2021-05-29 02:41:55 -0500)

4 Answers

32

answered 2021-05-29 02:43:25 -0500

gvdhoorn

updated 2021-06-15 02:34:18 -0500

Edit 2: in case of Docker images/containers still complaining about expired keys: Docker's layer caching could be interfering there. As the key's signature hasn't changed (only its expiration date), the command to import the key is identical to what it was before the key update.

This could cause Docker's caching to decide to not run the command, causing the expired key to still become part of the image.

Running docker build with --no-cache or introducing a change in the affected Dockerfile (before the key import) would invalidate the cache and should result in the new key getting imported.

Note: the official ros and osrf/ros Docker images have all been updated with the new key.


Edit: there are reports the ROS 2 specific mitigation doesn't work for some users.

The ROS 1 curl command should work in that case.


From ROS GPG Key Expiration Incident on ROS Discourse:

To fix this issue users need to update the public key used for ROS apt repositories. To do this for ROS 1 installations one needs to run a single command, namely:

curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | sudo apt-key add -

For ROS 2 installations you will need to run this command:

sudo curl -sSL https://raw.githubusercontent.com/ros/rosdistro/master/ros.key -o /usr/share/keyrings/ros-archive-keyring.gpg
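To confirm that a host or an already-built Docker image actually carries the renewed key rather than the expired one, the key file can be inspected directly. This is an added example, not part of the original answer or the ROS instructions; the function names and sample listings are constructed, and only the key ID F42ED6FBAB17C654 comes from the apt error in the question.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and samples are hypothetical.

# Reads `gpg --show-keys --with-colons <keyfile>` output on stdin.
# Colon format: field 1 = record type, field 5 = long key ID,
# field 7 = expiry in epoch seconds (empty means the key never expires).
# Returns 0 = key present and unexpired, 1 = present but expired, 2 = not found.
check_key_listing() {
    want_id=$1   # long key ID, as printed in the apt EXPKEYSIG message
    now=$2       # current time, epoch seconds
    awk -F: -v id="$want_id" -v now="$now" '
        $1 == "pub" && toupper($5) == toupper(id) {
            found = 1
            if ($7 != "" && $7 + 0 <= now + 0) expired = 1
        }
        END {
            if (!found)  exit 2
            if (expired) exit 1
            exit 0
        }'
}

# Checks a key file on disk (ASCII-armored or binary) against the system clock.
# Example: verify_keyfile /usr/share/keyrings/ros-archive-keyring.gpg F42ED6FBAB17C654
verify_keyfile() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        check_key_listing "$2" "$(date +%s)"
}

# Constructed listings; all timestamps are made up for illustration.
EXPIRED_LISTING='pub:e:4096:1:F42ED6FBAB17C654:1559260800:1622160000::-:::sc::::::23::0:
uid:e::::1559260800::::Open Robotics <info@osrfoundation.org>::::::::::0:'
RENEWED_LISTING='pub:-:4096:1:F42ED6FBAB17C654:1559260800:1748390400::-:::scESC::::::23::0:'

# Demo: evaluate both listings as of a constructed "now" (2021-05-29 00:00 UTC).
for listing in "$EXPIRED_LISTING" "$RENEWED_LISTING"; do
    rc=0
    printf '%s\n' "$listing" | check_key_listing F42ED6FBAB17C654 1622246400 || rc=$?
    echo "status=$rc"
done
```

A non-zero status from verify_keyfile after the key import means the file on disk is still the old key (or not the expected key at all), which is what a stale Docker layer would produce.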

Comments

thank you worked

Arunbalaji (2021-08-17 01:07:18 -0500)

This solved my issue, thanks! :)

yin-ye (2021-08-26 15:09:34 -0500)
9

answered 2021-05-29 03:07:03 -0500

kamal_nathan

I solved this issue by referring to this: https://github.com/ros2/ros2/issues/7...

$ curl http://repo.ros2.org/repos.key | sudo apt-key add -


Comments

This answer helped me with my ROS2 docker image.

LSD (2021-06-03 06:34:27 -0500)
2

Note: you're downloading over HTTP. That's not a secure way to download a key file.

gvdhoorn (2021-06-05 01:23:58 -0500)
1

answered 2021-05-29 02:56:48 -0500

kscottz

updated 2021-05-29 03:30:35 -0500

This is an issue relating to an expired key on the ROS build farm. We'll be posting updated instructions on ROS discourse shortly.

Update can be found here.


Comments

0

answered 2021-09-15 14:06:51 -0500

twaddell

updated 2021-09-16 03:14:00 -0500

I expect some people to come across this thread when installing the latest version of foxy; this thread shows how to fix it:

https://discourse.ros.org/t/ros-gpg-k...

For ROS 2 installations you will need to run this command:

sudo curl -sSL https://raw.githubusercontent.com/ros... -o /usr/share/keyrings/ros-archive-keyring.gpg


Comments

I'm a bit confused. Focal Fossa is an Ubuntu distribution, not ROS. The ROS repository key being expired or not wouldn't have any influence on whether or not you can install Ubuntu.

And the discourse post and curl command are already included in the answers posted earlier.

gvdhoorn (2021-09-16 01:50:55 -0500)

OPE, sorry I meant foxy distribution, was running on low sleep when I sent that

twaddell (2021-09-16 03:13:38 -0500)


4 followers

Stats

Asked: 2021-05-29 02:13:09 -0500

Seen: 21,042 times

Last updated: Sep 16