apt update: signatures were invalid: F42ED6FBAB17C654

asked 2021-05-29 02:13:09 -0600

gvdhoorn
86574 ●283 ●1432 ●1054 http://cor.tudelft.nl/

updated 2021-05-31 02:46:21 -0600

Edit2: for full details, see ROS GPG Key Expiration Incident on ROS Discourse. For a summary of the fix, see the accepted answer below.

Edit: removed the work-around. Don't use it. See the answer below.

On 2021-05-28, the signing key of the ROS apt repositories expired.

apt update output will be like this:

$ apt update
...
Err:8 http://packages.ros.org/ros2/ubuntu focal InRelease                      
  The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <info@osrfoundation.org>
...
Reading package lists... Done                         
W: GPG error: http://packages.ros.org/ros2/ubuntu focal InRelease: The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <info@osrfoundation.org>
E: The repository 'http://packages.ros.org/ros2/ubuntu focal InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

This will cause CIs to fail and regular apt updates on user machines as well (ie: installing ROS using apt is currently not possible).

See Key for downloading ros2 source showing expired on ROS Discourse for where this is being discussed.

See GPG Key Expired for the incident report.

Work is underway to fix this -- which will likely be a replacement of the current key.

If/when more information is available, I'll update this Q&A.

Related issues:

ros/rosdistro#29715: key expiration
osrf/docker_images#535: Docker image updates

Comments

Discourse thread about the previous key change: New GPG keys deployed for packages.ros.org. Previous Q&A: #q325039.

Note: the information in those posts does not necessarily help with the current expired key.

gvdhoorn ( 2021-05-29 02:41:55 -0600 )edit

add a comment

41

answered 2021-05-29 02:43:25 -0600

gvdhoorn
86574 ●283 ●1432 ●1054 http://cor.tudelft.nl/

updated 2021-06-15 02:34:18 -0600

Edit 2: in case of Docker images/containers still complaining about expired keys: Docker's layer caching could be interfering there. As the key's signature hasn't changed (only it's expiration date), the command to import the key is identical to what it was before the key update.

This could cause Docker's caching to decide to not run the command, causing the expired key to still become part of the image.

Running docker build with --no-cache or introducing a change in the affected Dockerfile (before the key import) would invalidate the cache and should result in the new key getting imported.

Note: the official ros and osrf/ros Docker images have all been updated with the new key.

Edit: there are reports the ROS 2 specific mitigation doesn't work for some users.

The ROS 1 curl command should work in that case.

From ROS GPG Key Expiration Incident on ROS Discourse:

To fix this issue users need to update the public key used for ROS apt repositories. To do this for ROS 1 installations one needs to run a single command, namely:
curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | sudo apt-key add -
For ROS 2 installations you will need to run this command:
sudo curl -sSL https://raw.githubusercontent.com/ros/rosdistro/master/ros.key -o /usr/share/keyrings/ros-archive-keyring.gpg

edit flag offensive delete link

Comments

thank you worked

Arunbalaji ( 2021-08-17 01:07:18 -0600 )edit

This solved my issue, thanks! :)

yin-ye ( 2021-08-26 15:09:34 -0600 )edit

add a comment

13

answered 2021-05-29 03:07:03 -0600

kamal_nathan
143 ●4 ●6 ●9

I solved this issue referring this : https://github.com/ros2/ros2/issues/7...

$ curl http://repo.ros2.org/repos.key | sudo apt-key add -

edit flag offensive delete link

Comments

This answer helped me with my ROS2 docker image.

LSD ( 2021-06-03 06:34:27 -0600 )edit

2

Note: you're downloading over HTTP. That's not a secure way to download a key file.

gvdhoorn ( 2021-06-05 01:23:58 -0600 )edit

add a comment

1

answered 2021-05-29 02:56:48 -0600

kscottz

209 ●2 ●24 ●9

updated 2021-05-29 03:30:35 -0600

This is an issue relating to an expired key on the ROS build farm. We'll be posting updated instructions on ROS discourse shortly.

Update can be found here.

edit flag offensive delete link

Comments

https://discourse.ros.org/t/ros-gpg-k...

nuclearsandwich ( 2021-05-29 03:30:08 -0600 )edit

add a comment

0

answered 2021-09-15 14:06:51 -0600

twaddell
1 ●3 ●2

updated 2021-09-16 03:14:00 -0600

I expect some people to come across this thread when installing the latest version of foxy, this thread shows how to fix it:

https://discourse.ros.org/t/ros-gpg-k...

For ROS 2 installations you will need to run this command:

sudo curl -sSL https://raw.githubusercontent.com/ros... -o /usr/share/keyrings/ros-archive-keyring.gpg

edit flag offensive delete link

Comments

I'm a bit confused. Focal Fossa is an Ubuntu distribution, not ROS. The ROS repository key being expired or not wouldn't have any influence on whether or not you can install Ubuntu.

And the discourse post and curl command are already included in the answers posted earlier.

gvdhoorn ( 2021-09-16 01:50:55 -0600 )edit

OPE, sorry I meant foxy distribution, was running on low sleep when I sent that

twaddell ( 2021-09-16 03:13:38 -0600 )edit

add a comment

apt update: signatures were invalid: F42ED6FBAB17C654

Comments

4 Answers

Comments

Comments

Comments

Comments

Question Tools

Stats

Related questions

apt update: signatures were invalid: F42ED6FBAB17C654 edit

Comments

4 Answers

Comments

Comments

Comments

Comments

Question Tools

Stats

Related questions

apt update: signatures were invalid: F42ED6FBAB17C654