Carlos Mora - Mon, 2019/02/04 - 11:26
Hi,
apt update output:
Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease
Hit:4 http://deb.debian.org/debian stretch Release
Err:3 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
<more lines>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
An attempt to get the pubkey from yarnpkg didn't help
wget https://dl.yarnpkg.com/debian/pubkey.gpg
apt-key add pubkey.gpg
After that, the new key appears in apt-key list, but the key is still missing.
Did someone get this solved?
KR
We lock down third party repos
We lock down third party repos as per best practice. To update the key, try this:
FWIW this has occurred because the yarn key is rotated annually, and the old one expired 1st Jan 2019.
[Update] It was pointed out that in some TurnKey appliances, the key name is yarn-repository.gpg (rather than yarn.gpg). We aim to make this consistent in future releases so that all 3rd party gpg keys should be /usr/share/keyrings/APP.gpg. Also, this name should match both the sources.list.d file and the pinning file (in preferences.d), i.e. the matching yarn sources list file would be /etc/apt/sources.list.d/yarn.list and the pinning would be located in /etc/apt/preferences.d/yarn.pref.
Hi Jeremy,
Sorry, I did as suggested, but still the same result.
the key seems to be there but still
-----
last minute update. Success!!!
the name of the keyring is yarn-repository.gpg, so the command to update it should be:
I found out looking into /etc/apt/sources.list.d/yarn.list
Thanks!
Oops, apologies on the misdirection. My bad!
Yes you are absolutely correct! Apologies on that and glad to hear that you worked it out.
FWIW there is a TurnKey convention for 3rd party apt repos, of consistently naming the sources.list file, the preferences file and the gpg key all the same (with the relevant file extension). Generally, this is a descriptive name which should make it relatively obvious what it is or who it's supplied by. Whilst "yarn-repository.gpg" is descriptive, it doesn't match the name of the sources.list file, nor the preferences file, so it appears that the convention is sort of broken in the GitLab appliance! In retrospect I probably should have double checked rather than relying on memory...
FWIW, I've been working on updating the Canvas appliance (which also installs Yarn) and that does comply with the convention, hence the gpg key file is named /usr/share/keyrings/yarn.gpg.
Also it's worth noting that we're currently in the process of a major overhaul of the GitLab appliance. The current one installs from source, but we've decided to change the install to use the Omnibus package. It's proving a little more complex than I'd hoped, so is still not ready, but there is progress. You can check out the outline plan, discussion and progress here. I hope to release that ASAP, but no hard ETA currently.
What version of TurnKey are you running?
What version of TurnKey are you running? If you're not sure, please give the output of the following:
Also please give the output of the following commands:
Looks like you aren't using TurnKey!
As you aren't using TurnKey, it's likely that apt isn't looking for your Yarn key in /usr/share/keyrings. It's likely in the default keyring (/etc/apt/trusted.gpg).
That leaves you with 2 choices. You can just continue to use the default keyring file (which is likely what it's already pre-configured for). Or alternatively, you can update your sources.list entry to use the new keyring file that you have already created (as per best practice).
To update the yarn key in the default keyring, re-run the command but this time, omit the --keyring location. I.e.:
Alternatively, you can reconfigure the relevant sources.list entry to use the new (separate) keyring file you've already created. To do that, you'll need to update the relevant apt repo line in the relevant sources.list (I assume it's /etc/apt/sources.list.d/yarn.list?!). This is what the relevant line should look like:
Your sudo is in the wrong spot.
As a non-root user, your sudo is in the wrong spot. Apologies if that was my misdirection. As the error message is hinting, it's the apt-key command (after the pipe; the '|' character) that needs root privileges (i.e. needs a sudo prefix when run as a non root user). Please try this instead:
Hopefully that should get you going.
You need the square brackets! Not sure on your zsh error?!
In your /etc/apt/sources.list.d/yarn.list you need it to look like this:
I'm not sure why you got a zsh error though? zsh shouldn't be trying to interpret the file?! apt should!
After updating the list file, please share the full output of the following for me:
Just put the text in a file
For future reference, to assist with troubleshooting and to understand what is going on, it's often important to know the commands that are being used.
You can possibly use add-apt-repository but I am unfamiliar with it or how it works. Just put it in a raw text file. You can use a text editor, or echo it straight into the file. E.g. this should work:
Although it looks like you aren't running as root, so the above will error and you'll need to do it slightly differently to work around that:
So if you check '/etc/apt/sources.list.d/yarn.list' you should see the single line starting with deb. Give that a try...
Note too, you'll need to remove the yarn line from any other sources.list files that you have. You can find them all like this:
Excellent, glad that worked. Also, you should probably pin it.
Great work! Glad that's fixed it.
For what it's worth, as an additional security measure you should pin yarn, so no other packages can be auto installed from the yarn repo. Do that by creating a '/etc/apt/preferences.d/yarn.pref' file with these contents:
The first section will pin any/all packages from the yarn repo to a value of '1' - which means it will never be installed unless explicitly noted. The second section pins the package 'yarn' to a priority of '500' (the same as default Debian packages) so it will be installed (or upgraded) without any special config.
This config protects against a malicious actor uploading malicious packages with the same name as default Debian packages - that could overwrite existing legitimate packages. So only the 'yarn' package itself can be installed (or upgraded) on the system.
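The layout Jeremy describes across this thread (a dedicated keyring under /usr/share/keyrings, a sources.list.d entry with a signed-by option, and a preferences.d pin file, all sharing one name), the name-mismatch check that would have caught the yarn-repository.gpg vs yarn.gpg confusion, and the search for leftover yarn lines in other sources files, as an added shell example that is not from this thread or from TurnKey. The helper names, the ROOT argument (so the functions can be pointed at a scratch directory instead of /) and the "Pin: origin" form of the pin are my assumptions; the URL, host and file paths are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: lay out a third-party apt repo so that the
# keyring, the sources list and the pin file all share one name, then verify it.
set -eu

# Hypothetical helper: write the sources.list.d entry with a signed-by option so
# apt trusts only this repo's own keyring for it, not /etc/apt/trusted.gpg.
write_sources_entry() {
    name=$1; url=$2; suite=$3; component=$4; root=${5:-}
    keyring="/usr/share/keyrings/$name.gpg"
    mkdir -p "$root/etc/apt/sources.list.d"
    printf 'deb [signed-by=%s] %s %s %s\n' "$keyring" "$url" "$suite" "$component" \
        > "$root/etc/apt/sources.list.d/$name.list"
}

# Hypothetical helper: pin everything from the repo host to priority 1 (never
# installed unless explicitly asked for) and only the named package(s) to 500.
write_pin_file() {
    name=$1; host=$2; packages=$3; root=${4:-}
    mkdir -p "$root/etc/apt/preferences.d"
    {
        printf 'Package: *\nPin: origin %s\nPin-Priority: 1\n\n' "$host"
        printf 'Package: %s\nPin: origin %s\nPin-Priority: 500\n' "$packages" "$host"
    } > "$root/etc/apt/preferences.d/$name.pref"
}

# Convert an ASCII-armored key (e.g. saved from
# https://dl.yarnpkg.com/debian/pubkey.gpg) into the repo's own binary keyring.
install_keyring() {
    name=$1; armored_key=$2; root=${3:-}
    mkdir -p "$root/usr/share/keyrings"
    gpg --dearmor < "$armored_key" > "$root/usr/share/keyrings/$name.gpg"
}

# Check that list, pref and keyring agree on the name and that the signed-by
# path in the list file points at a keyring file that actually exists.
check_repo_layout() {
    name=$1; root=${2:-}
    list="$root/etc/apt/sources.list.d/$name.list"
    pref="$root/etc/apt/preferences.d/$name.pref"
    [ -f "$list" ] || { echo "missing $list"; return 1; }
    [ -f "$pref" ] || { echo "missing $pref"; return 1; }
    signed_by=$(sed -n 's/.*signed-by=\([^] ]*\).*/\1/p' "$list")
    [ -n "$signed_by" ] || { echo "no signed-by option in $list"; return 1; }
    [ "$signed_by" = "/usr/share/keyrings/$name.gpg" ] \
        || { echo "keyring name mismatch: $signed_by"; return 1; }
    [ -f "$root$signed_by" ] || { echo "keyring $root$signed_by not found"; return 1; }
    return 0
}

# List any other sources files that still mention the repo host; a leftover
# entry without signed-by would keep apt complaining about the missing key.
find_other_entries() {
    host=$1; name=$2; root=${3:-}
    grep -rl "$host" "$root/etc/apt/sources.list" "$root/etc/apt/sources.list.d" 2>/dev/null \
        | grep -v "/$name.list$" || true
}
```

Run the three write helpers as root with an empty ROOT to apply them to the live system, then check_repo_layout yarn and apt update; with a scratch ROOT the same functions can be exercised without touching /etc.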