GPG error: following signatures were invalid: EXPKEYSIG 84ACD5B2D02945ED home:scylladb OBS Project <home:scylladb@build.opensuse.org> #5174

Closed
amoskong opened this issue Oct 15, 2019 · 17 comments

Comments

@amoskong
Contributor

Installation details
Scylla version (or git commit hash): latest 2.3, using private repo of 2.3
Cluster size:
OS (RHEL/CentOS/Ubuntu/AWS AMI):

Description:

Failed to install Scylla 2.3 from the private repo due to an auth issue; it hasn't worked since Oct 10, 2019.

ERROR:

10-15 08:38:03| [stderr] W: GPG error: http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release: The following signatures were invalid: EXPKEYSIG 84ACD5B2D02945ED home:scylladb OBS Project <home:scylladb@build.opensuse.org>
10-15 08:38:03| [stderr] W: The repository 'http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release' is not signed.

Full logs:

10-15 08:38:51| Running 'apt-get install gnupg1-curl dirmngr -y'
10-15 08:38:52| [stdout] Reading package lists...
10-15 08:38:52| [stdout] Building dependency tree...
10-15 08:38:52| [stdout] Reading state information...
10-15 08:38:52| [stdout] gnupg1-curl is already the newest version (1.4.21-4+deb9u1).
10-15 08:38:52| [stdout] dirmngr is already the newest version (2.1.18-8~deb9u4).
10-15 08:38:52| [stdout] 0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

10-15 08:38:52| Running 'apt-key adv --fetch-keys https://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/Release.key'
10-15 08:38:52| [stderr] Warning: apt-key output should not be parsed (stdout is not a terminal)
10-15 08:38:52| [stdout] Executing: /tmp/apt-key-gpghome.cofLPRzptf/gpg.1.sh --fetch-keys https://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/Release.key
10-15 08:38:52| [stderr] gpg: requesting key from 'https://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/Release.key'
10-15 08:38:54| [stderr] gpg: key 84ACD5B2D02945ED: 1 signature not checked due to a missing key
10-15 08:38:54| [stderr] gpg: key 84ACD5B2D02945ED: "home:scylladb OBS Project <home:scylladb@build.opensuse.org>" not changed
10-15 08:38:54| [stderr] gpg: Total number processed: 1
10-15 08:38:54| [stderr] gpg:              unchanged: 1

10-15 08:38:54| Running 'sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 17723034C56D4B19'
10-15 08:38:54| [stderr] Warning: apt-key output should not be parsed (stdout is not a terminal)
10-15 08:38:54| [stdout] Executing: /tmp/apt-key-gpghome.msryZzFIJB/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 17723034C56D4B19
10-15 08:38:56| [stderr] gpg: key 17723034C56D4B19: "ScyllaDB Package Signing Key 2018 <security@scylladb.com>" not changed
10-15 08:38:56| [stderr] gpg: Total number processed: 1
10-15 08:38:56| [stderr] gpg:              unchanged: 1
10-15 08:38:56| Running 'echo 'deb http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/ /' > /etc/apt/sources.list.d/scylla-3rdparty.list'
10-15 08:38:56| [stdout] deb http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/ / > /etc/apt/sources.list.d/scylla-3rdparty.list

10-15 08:38:56| Running 'sudo apt-get update'
10-15 08:38:56| [stdout] Ign:1 http://mirror.isoc.org.il/pub/debian stretch InRelease
10-15 08:38:56| [stdout] Hit:2 http://mirror.isoc.org.il/pub/debian stretch-updates InRelease
10-15 08:38:56| [stdout] Hit:3 http://mirror.isoc.org.il/pub/debian stretch Release
10-15 08:38:56| [stdout] Hit:4 http://security.debian.org/debian-security stretch/updates InRelease
10-15 08:38:56| [stdout] Ign:5 http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ InRelease
10-15 08:38:56| [stdout] Get:7 http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release [1,066 B]
10-15 08:38:56| [stdout] Get:8 http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release.gpg [481 B]
10-15 08:38:56| [stdout] Ign:8 http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release.gpg
10-15 08:38:56| [stdout] Hit:9 http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Packages
10-15 08:38:57| [stdout] Hit:10 https://s3.amazonaws.com/downloads.scylladb.com/downloads/scylla/deb/debian/scylladb-2.3 stretch InRelease
10-15 08:38:58| [stdout] Fetched 1,547 B in 1s (1,125 B/s)
10-15 08:38:58| [stdout] Reading package lists...
10-15 08:38:58| [stderr] W: GPG error: http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release: The following signatures were invalid: EXPKEYSIG 84ACD5B2D02945ED home:scylladb OBS Project <home:scylladb@build.opensuse.org>
10-15 08:38:58| [stderr] W: The repository 'http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release' is not signed.
10-15 08:38:58| Wait until package list is up to date... (0.000006 secs)

Result

2019-10-15 08:38:16,627 process          L0333 INFO | Running '/usr/bin/apt-get --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install scylla'
2019-10-15 08:38:16,663 process          L0420 DEBUG| [stdout] Reading package lists...
2019-10-15 08:38:16,770 process          L0420 DEBUG| [stdout] Building dependency tree...
2019-10-15 08:38:16,771 process          L0420 DEBUG| [stdout] Reading state information...
2019-10-15 08:38:16,857 process          L0420 DEBUG| [stdout] The following additional packages will be installed:
2019-10-15 08:38:16,858 process          L0420 DEBUG| [stdout]   default-jre-headless hwloc-nox libcrypto++6 libgnutlsxx28 libhwloc-plugins
2019-10-15 08:38:16,858 process          L0420 DEBUG| [stdout]   libhwloc5 libjsoncpp1 libopts25 libprotobuf10 libsnappy1v5 ntp
2019-10-15 08:38:16,858 process          L0420 DEBUG| [stdout]   ocl-icd-libopencl1 python-chardet python-openssl python-requests
2019-10-15 08:38:16,859 process          L0420 DEBUG| [stdout]   python-urllib3 python-urwid python-yaml python3-pyudev python3-yaml realpath
2019-10-15 08:38:16,859 process          L0420 DEBUG| [stdout]   scylla-conf scylla-env scylla-gcc73-gcc-7-base scylla-gcc73-libgcc1
2019-10-15 08:38:16,859 process          L0420 DEBUG| [stdout]   scylla-gcc73-libstdc++6 scylla-jmx scylla-kernel-conf scylla-server
2019-10-15 08:38:16,859 process          L0420 DEBUG| [stdout]   scylla-tools scylla-tools-core uuid-runtime
2019-10-15 08:38:16,860 process          L0420 DEBUG| [stdout] Suggested packages:
2019-10-15 08:38:16,860 process          L0420 DEBUG| [stdout]   default-jre libhwloc-contrib-plugins ntp-doc opencl-icd python-openssl-doc
2019-10-15 08:38:16,860 process          L0420 DEBUG| [stdout]   python-openssl-dbg python-socks python-ntlm
2019-10-15 08:38:16,880 process          L0420 DEBUG| [stdout] The following NEW packages will be installed:
2019-10-15 08:38:16,881 process          L0420 DEBUG| [stdout]   default-jre-headless hwloc-nox libcrypto++6 libgnutlsxx28 libhwloc-plugins
2019-10-15 08:38:16,881 process          L0420 DEBUG| [stdout]   libhwloc5 libjsoncpp1 libopts25 libprotobuf10 libsnappy1v5 ntp
2019-10-15 08:38:16,881 process          L0420 DEBUG| [stdout]   ocl-icd-libopencl1 python-chardet python-openssl python-requests
2019-10-15 08:38:16,882 process          L0420 DEBUG| [stdout]   python-urllib3 python-urwid python-yaml python3-pyudev python3-yaml realpath
2019-10-15 08:38:16,882 process          L0420 DEBUG| [stdout]   scylla scylla-conf scylla-env scylla-gcc73-gcc-7-base scylla-gcc73-libgcc1
2019-10-15 08:38:16,882 process          L0420 DEBUG| [stdout]   scylla-gcc73-libstdc++6 scylla-jmx scylla-kernel-conf scylla-server
2019-10-15 08:38:16,882 process          L0420 DEBUG| [stdout]   scylla-tools scylla-tools-core uuid-runtime
2019-10-15 08:38:16,885 process          L0420 DEBUG| [stdout] 0 upgraded, 33 newly installed, 0 to remove and 1 not upgraded.
2019-10-15 08:38:16,885 process          L0420 DEBUG| [stdout] Need to get 55.8 MB of archives.
2019-10-15 08:38:16,885 process          L0420 DEBUG| [stdout] After this operation, 149 MB of additional disk space will be used.
2019-10-15 08:38:16,886 process          L0420 DEBUG| [stdout] WARNING: The following packages cannot be authenticated!
2019-10-15 08:38:16,886 process          L0420 DEBUG| [stdout]   scylla-env scylla-gcc73-gcc-7-base scylla-gcc73-libgcc1
2019-10-15 08:38:16,886 process          L0420 DEBUG| [stdout]   scylla-gcc73-libstdc++6
2019-10-15 08:38:16,888 process          L0420 DEBUG| [stderr] E: There were unauthenticated packages and -y was used without --allow-unauthenticated

@roydahan

@amoskong
Contributor Author

A more serious issue was hit in manual testing:

Prepare:

scylla-test@amos-debian9:~$ cat /etc/apt/sources.list.d/scylladb-2.3-stretch.list 
deb  [arch=amd64] https://repositories.scylladb.com/scylla/downloads/scylladb/amos-test-debian9/scylla/deb/debian/scylladb-2.3 stretch non-free
deb http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/ ./

scylla-test@amos-debian9:~$ sudo apt-key adv --fetch-keys https://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/Release.key
Executing: /tmp/apt-key-gpghome.Jnsr72imD1/gpg.1.sh --fetch-keys https://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/Release.key
gpg: requesting key from 'https://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/Release.key'
gpg: key 84ACD5B2D02945ED: 1 signature not checked due to a missing key
gpg: key 84ACD5B2D02945ED: public key "home:scylladb OBS Project <home:scylladb@build.opensuse.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
scylla-test@amos-debian9:~$ echo $?
0
scylla-test@amos-debian9:~$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 17723034C56D4B19
Executing: /tmp/apt-key-gpghome.UGiGUxzbt4/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 17723034C56D4B19
gpg: key 17723034C56D4B19: public key "ScyllaDB Package Signing Key 2018 <security@scylladb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
scylla-test@amos-debian9:~$ echo $?
0

Failed to apt-get update

scylla-test@amos-debian9:~$ sudo apt-get update
Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease                                                  
Hit:3 http://deb.debian.org/debian stretch-updates InRelease                                                                     
Hit:4 http://deb.debian.org/debian stretch-backports InRelease                                                                   
Hit:5 http://deb.debian.org/debian stretch Release                                                                               
Hit:6 http://packages.cloud.google.com/apt cloud-sdk-stretch InRelease                                                           
Hit:7 http://packages.cloud.google.com/apt google-compute-engine-stretch-stable InRelease                  
Hit:8 http://packages.cloud.google.com/apt google-cloud-packages-archive-keyring-stretch InRelease         
Ign:9 http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ InRelease
Hit:10 http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release
Get:11 http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release.gpg [481 B]
Ign:11 http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release.gpg
Fetched 481 B in 0s (648 B/s)   
Reading package lists... Done
E: The method driver /usr/lib/apt/methods/https could not be found.
N: Is the package apt-transport-https installed?
W: GPG error: http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release: The following signatures were invalid: EXPKEYSIG 84ACD5B2D02945ED home:scylladb OBS Project <home:scylladb@build.opensuse.org>
W: The repository 'http://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0 ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://repositories.scylladb.com/scylla/downloads/scylladb/amos-test-debian9/scylla/deb/debian/scylladb-2.3/dists/stretch/InRelease  
E: Some index files failed to download. They have been ignored, or old ones used instead.
scylla-test@amos-debian9:~$ echo $?
100

scylla-test@amos-debian9:~$ sudo apt-get --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install scylla
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Unable to locate package scylla

@amoskong
Contributor Author

The key might be expired, please check and fix it.

@syuu1228

@penberg
Contributor

penberg commented Oct 16, 2019

The issue should be fixed now. @amoskong, can you please retest?

@amoskong
Contributor Author

> The issue should be fixed now. @amoskong, can you please retest?

The problem still exists.

@avikivity
Member

@amoskong which keyserver are you using to import the keys from?

I now updated pgp.mit.edu, so it should work if you import from there.

@avikivity
Member

No, I see the problem. The key was extended but it was not propagated to the Release.key file.

I now triggered a rebuild of scylla-gdb, when it completes it should propagate the key.

@amoskong
Contributor Author

> @amoskong which keyserver are you using to import the keys from?
>
> I now updated pgp.mit.edu, so it should work if you import from there.

I used keyserver.ubuntu.com -- same as https://www.scylladb.com/download/open-source/scylla-debian9/

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 17723034C56D4B19
Executing: /tmp/apt-key-gpghome.2zRSb88coU/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 17723034C56D4B19
gpg: key 17723034C56D4B19: "ScyllaDB Package Signing Key 2018 <security@scylladb.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1


scylla-test@amos-debian9:~$ sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 17723034C56D4B19
Executing: /tmp/apt-key-gpghome.tAMow0E6tb/gpg.1.sh --keyserver pgp.mit.edu --recv-keys 17723034C56D4B19
gpg: keyserver receive failed: No data

@avikivity
Member

I updated keyserver.ubuntu.com now.

@avikivity
Member

@amoskong the debian 9 repo is refreshed now.

@avikivity
Member

avikivity commented Oct 16, 2019

Debian 8 as well.

@amoskong
Contributor Author

It works now, I saw the updated key.

scylla-test@amos-debian9:~$ sudo apt-key adv --fetch-keys https://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/Release.key
Executing: /tmp/apt-key-gpghome.7vQxxoAph4/gpg.1.sh --fetch-keys https://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/Release.key
gpg: requesting key from 'https://download.opensuse.org/repositories/home:/scylladb:/scylla-3rdparty-stretch/Debian_9.0/Release.key'
gpg: key 84ACD5B2D02945ED: 1 signature not checked due to a missing key
gpg: key 84ACD5B2D02945ED: "home:scylladb OBS Project <home:scylladb@build.opensuse.org>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
 
scylla-test@amos-debian9:~$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 17723034C56D4B19
Executing: /tmp/apt-key-gpghome.w9ZNWSTNld/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 17723034C56D4B19
gpg: key 17723034C56D4B19: "ScyllaDB Package Signing Key 2018 <security@scylladb.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ sudo apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2017-08-01 [SC] [expires: 2021-12-24]
      0C7B D5EF B64F 8D4F 9ACF  4D32 84AC D5B2 D029 45ED
uid           [ unknown] home:scylladb OBS Project <home:scylladb@build.opensuse.org>

pub   rsa4096 2017-12-31 [SC] [expires: 2020-01-01]
      C494 1AAE 38AC E858 E91F  928F 1772 3034 C56D 4B19
uid           [ unknown] ScyllaDB Package Signing Key 2018 <security@scylladb.com>
sub   rsa4096 2017-12-31 [E] [expires: 2020-01-01]

@amoskong
Contributor Author

I found that the expired key is key 84ACD5B2D02945ED: "home:scylladb OBS Project <home:scylladb@build.opensuse.org>"; it has been extended to 2021-12-24.

BTW, the key 17723034C56D4B19: "ScyllaDB Package Signing Key 2018 <security@scylladb.com>" will also expire when we and users celebrate the new year.

It's better to set the same expiry date for all signing keys; then it's easy to maintain.
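
Added example (not part of the original thread or ScyllaDB's tooling): a shell check for the expiry problem discussed above, which reads a GnuPG `--with-colons` key listing and flags primary keys that are expired or inside a warning window. The sample listing is constructed from the key IDs and expiry dates shown in the thread (times of day assumed 00:00:00 UTC); the function names and the 90-day window are assumptions.

```shell
#!/bin/sh
# Input on stdin: colon-delimited key listing, e.g. from
#   apt-key adv --list-keys --with-colons
# "pub" record fields used: 2=validity, 5=key ID, 7=expiry (epoch seconds,
# as printed by GnuPG 2.x). "uid" record field 10 is the user ID.

# audit_keys NOW_EPOCH WARN_DAYS
# Prints "STATUS KEYID DAYS_LEFT UID" per primary key.
# Returns 1 if any key is EXPIRED or EXPIRING, 0 otherwise.
audit_keys() {
    awk -F: -v now="$1" -v warn="$2" '
        function flush() {
            if (keyid == "") return
            gsub(/\\x3a/, ":", uid)      # gpg escapes ":" inside user IDs
            print status, keyid, left, uid
        }
        BEGIN { bad = 0 }
        $1 == "pub" {
            flush()
            keyid = $5; uid = "(no uid)"
            if ($7 == "") { status = "OK"; left = "never" }
            else {
                left = int(($7 - now) / 86400)
                if ($2 == "e" || $7 <= now) status = "EXPIRED"
                else if (left <= warn)      status = "EXPIRING"
                else                        status = "OK"
            }
            if (status != "OK") bad = 1
            next
        }
        # Keep only the first user ID of each primary key.
        $1 == "uid" && uid == "(no uid)" { uid = $10 }
        END { flush(); exit bad }
    '
}

# Constructed sample: key IDs and expiry dates as listed in the thread
# (2021-12-24 and 2020-01-01); all other fields are illustrative.
sample_keys() {
    cat <<'EOF'
pub:-:2048:1:84ACD5B2D02945ED:1501545600:1640304000::-:::scSC:
uid:-::::1501545600::0000::home\x3ascylladb OBS Project <home\x3ascylladb@build.opensuse.org>:
pub:-:4096:1:17723034C56D4B19:1514678400:1577836800::-:::scSC:
uid:-::::1514678400::0000::ScyllaDB Package Signing Key 2018 <security@scylladb.com>:
EOF
}

# Evaluate the sample as of 2019-10-16 00:00:00 UTC with a 90-day window.
sample_keys | audit_keys 1571184000 90 || echo "signing key needs attention"
```

On a real host, pipe the live keyring listing into `audit_keys "$(date +%s)" 90` from a scheduled job so a signing key is renewed and republished before clients start seeing EXPKEYSIG.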

@tzach
Contributor

tzach commented Oct 16, 2019

@amoskong @avikivity
To validate: the current key is extended, there is no new key.

@amoskong
Contributor Author

> @amoskong @avikivity
> To validate: the current key is extended, there is no new key.

How about this one?

pub   rsa4096 2017-12-31 [SC] [expires: 2020-01-01]
      C494 1AAE 38AC E858 E91F  928F 1772 3034 C56D 4B19
uid           [ unknown] ScyllaDB Package Signing Key 2018 <security@scylladb.com>
sub   rsa4096 2017-12-31 [E] [expires: 2020-01-01]

@mehrdadpfg

+1 same issue here with this key provided in documentation 17723034C56D4B19

@amoskong
Contributor Author

> +1 same issue here with this key provided in documentation 17723034C56D4B19

Hi @mehrdadpfg, what's the error you hit?
The 17723034C56D4B19 key will expire on 2020-01-01, so it's valid right now.

@slivne
Contributor

slivne commented Mar 12, 2020

This was resolved and fixed. If there is still an issue, please create a new issue with specific Scylla version information and procedure.

@slivne slivne closed this as completed Mar 12, 2020