Carlos Mora's picture

Hi,

apt update output:

Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease
Hit:4 http://deb.debian.org/debian stretch Release
Err:3 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
<more lines>

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E

An attempt to get the pubkey from yarnpkg didn't help

wget https://dl.yarnpkg.com/debian/pubkey.gpg
apt-key add pubkey.gpg

After that, the new key appears in apt-key list, but the key is still reported missing.

Did someone get this solved?

KR

Jeremy Davis's picture

We lock down third party repos as per best practice. To update the key, try this:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key --keyring /usr/share/keyrings/yarn.gpg add -

FWIW this has occurred because the yarn key is rotated annually, and the old one expired 1st Jan 2019.

[Update] It was pointed out that in some TurnKey appliances, the key name is yarn-repository.gpg (rather than yarn.gpg). We aim to make this consistent in future releases so that all 3rd party gpg keys should be /usr/share/keyrings/APP.gpg. Also, this name should match both the sources.list.d file and the pinning file (in preferences.d), i.e. the matching yarn sources list file would be /etc/apt/sources.list.d/yarn.list and the pinning would be located in /etc/apt/preferences.d/yarn.pref.

Carlos Mora's picture

Hi Jeremy,

Sorry, I did as suggested, but still the same result.

root@GitLab-Server ~/scratchdir# apt-key --keyring /usr/share/keyrings/yarn.gpg list
/usr/share/keyrings/yarn.gpg
----------------------------
pub   rsa4096 2016-10-05 [SC]
      72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
uid           [ unknown] Yarn Packaging <yarn@dan.cx>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2019-01-02 [S] [expires: 2020-02-02]
sub   rsa4096 2019-01-11 [S] [expires: 2020-02-02]

the key seems to be there, but still:

root@GitLab-Server ~/scratchdir# apt update
Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease
Hit:4 http://deb.debian.org/debian stretch Release
Err:3 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
Ign:5 http://archive.turnkeylinux.org/debian stretch-security InRelease
Ign:7 http://archive.turnkeylinux.org/debian stretch InRelease
Hit:8 http://archive.turnkeylinux.org/debian stretch-security Release
Hit:10 http://archive.turnkeylinux.org/debian stretch Release
Reading package lists... Done
Building dependency tree
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Some index files failed to download. They have been ignored, or old ones used instead.

-----

last minute update. Success!!!

the name of the keyring is yarn-repository.gpg, so the command to update it should be:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key --keyring /usr/share/keyrings/yarn-repository.gpg add -

I found out by looking into /etc/apt/sources.list.d/yarn.list

Thanks!

Jeremy Davis's picture

Yes you are absolutely correct! Apologies on that and glad to hear that you worked it out.

FWIW there is a TurnKey convention for 3rd party apt repos, of consistently naming the sources.list file, the preferences file and the gpg key all the same (with the relevant file extension). Generally, this is a descriptive name which should make it relatively obvious what it is or who it's supplied by. Whilst "yarn-repository.gpg" is descriptive, it doesn't match the name of the sources.list file, nor the preferences file, so it appears that the convention is sort of broken in the GitLab appliance! In retrospect I probably should have double checked rather than relying on memory...

FWIW, I've been working on updating the Canvas appliance (which also installs Yarn) and that does comply with the convention, hence the gpg key file is named /usr/share/keyrings/yarn.gpg.

Also it's worth noting that we're currently in the process of a major overhaul of the GitLab appliance. The current one installs from source, but we've decided to change the install to use the Omnibus package. It's proving a little more complex than I'd hoped, so it is still not ready, but there is progress. You can check out the outline plan, discussion and progress here. I hope to release that ASAP, but no hard ETA currently.

David Sweeney's picture

I ran Carlos' command:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key --keyring /usr/share/keyrings/yarn-repository.gpg add -

Didn't work. I get the same error even though the keys seem to be there:

#>apt-key --keyring /usr/share/keyrings/yarn.gpg list
/usr/share/keyrings/yarn.gpg
----------------------------
pub   4096R/86E50310 2016-10-05
uid                  Yarn Packaging
sub   4096R/D50AF136 2016-10-05
sub   4096R/88B63E1E 2019-01-02 [expires: 2020-02-02]
sub   4096R/69475BAA 2019-01-11 [expires: 2020-02-02]

Jeremy Davis's picture

What version of TurnKey are you running? If you're not sure, please give the output of the following:

turnkey-version

Also please give the output of the following commands:

ls -l /etc/apt/sources.list.d/
cat /etc/apt/sources.list.d/*

David Sweeney's picture

~ » turnkey-version                                               pi@adaptibrew
zsh: command not found: turnkey-version
------------------------------------------------------------
~ » ls -l /etc/apt/sources.list.d/                                pi@adaptibrew
total 16
-rw-r--r-- 1 root root  73 Jun  9  2017 docker.list
-rw-r--r-- 1 root root 108 Sep  4  2017 nodesource.list
-rw-r--r-- 1 root root 193 Nov 25  2016 raspi.list
-rw-r--r-- 1 root root  47 Sep  4  2017 yarn.list
------------------------------------------------------------
~ » apt-key --keyring /usr/share/keyrings/yarn.gpg list           pi@adaptibrew
/usr/share/keyrings/yarn.gpg
----------------------------
pub   4096R/86E50310 2016-10-05
uid                  Yarn Packaging <yarn@dan.cx>
sub   4096R/D50AF136 2016-10-05
sub   4096R/88B63E1E 2019-01-02 [expires: 2020-02-02]
sub   4096R/69475BAA 2019-01-11 [expires: 2020-02-02]

------------------------------------------------------------
~ »

Jeremy Davis's picture

As you aren't using TurnKey, it's likely that apt isn't looking for your Yarn key in /usr/share/keyrings. It's likely in the default keyring (/etc/apt/trusted.gpg).

That leaves you with 2 choices. You can just continue to use the default keyring file (which is likely how it's already pre-configured). Or alternatively, you can update your sources.list entry to use the new keyring file that you have already created (as per best practice).

To update the yarn key in the default keyring, re-run the command but this time omit the --keyring location. I.e.:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -

Alternatively, you can reconfigure the relevant sources.list entry to use the new (separate) keyring file you've already created. To do that, you'll need to update the relevant apt repo line in the relevant sources.list (I assume it's /etc/apt/sources.list.d/yarn.list?!). This is what the relevant line should look like:

deb [signed-by=/usr/share/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main

David Sweeney's picture

That fixed it. Thank you!

Athy G's picture

Hi Jeremy,

Thanks for directing me to the forum with the solution to this yarn package signature verification error. Unfortunately I'm receiving an error when I attempt to run the command; see below:

admin@canvas .../www/canvas$ sudo curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key --keyring /usr/share/keyrings/yarn-repository.gpg add -
E: This command can only be used by root.

Jeremy Davis's picture

As a non-root user, your sudo is in the wrong spot. Apologies if that was my misdirection. As the error message is hinting, it's the apt-key command (after the pipe; the '|' character) that needs root privileges (i.e. needs a sudo prefix when run as a non-root user). Please try this instead:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key --keyring /usr/share/keyrings/yarn-repository.gpg add -

Hopefully that should get you going.

Fagner's picture

Hi Jeremy, I tried to follow the command to update the key:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key --keyring /usr/share/keyrings/yarn-repository.gpg add -

However, I still had the same signature verification error. Then I checked whether the downloaded keys were added, and verified that they were there:

apt-key --keyring /usr/share/keyrings/yarn-repository.gpg list
/usr/share/keyrings/yarn-repository.gpg
---------------------------------------
pub   rsa4096 2016-10-05 [SC]
      72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
uid           [ unknown] Yarn Packaging
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2019-01-02 [S] [expires: 2023-01-24]
sub   rsa4096 2019-01-11 [S] [expires: 2023-01-24]

I later checked my sources.list.d directory to see if it contains yarn.list, and it was there (note: I'm not using TurnKey):

ls -l /etc/apt/sources.list.d
total 36
-rw-r--r-- 1 root root 140 out  2 19:55 dawidd0811-ubuntu-neofetch-focal.list
-rw-r--r-- 1 root root 189 out  2 19:55 google-chrome.list
-rw-r--r-- 1 root root 189 out  2 19:55 google-chrome.list.save
-rw-r--r-- 1 root root 146 out  2 19:55 peek-developers-ubuntu-stable-focal.list
-rw-r--r-- 1 root root 146 out  2 19:55 peek-developers-ubuntu-stable-focal.list.save
-rw-r--r-- 1 root root 203 fev 14 20:25 vscode.list
-rw-r--r-- 1 root root 193 out  2 19:55 vscode.list.save
-rw-r--r-- 1 root root  47 out  2 19:55 yarn.list
-rw-r--r-- 1 root root  47 out  2 19:55 yarn.list.save

So, as per your explanation, I alternatively tried to update my sources.list entry to use the new keyring file that I created (as per best practice). I tried to reconfigure the sources.list entry by updating the apt repository line, so my command was this:

deb [signed-by=/usr/share/keyrings/yarn-repository.gpg] https://dl.yarnpkg.com/debian/pubkey.gpg stable main
zsh: no matches found: [signed-by=/usr/share/keyrings/yarn-repository.gpg]

In that case it didn't find the directory even though the file was there. So I tried the command with the brackets removed:

deb signed-by=/usr/share/keyrings/yarn-repository.gpg https://dl.yarnpkg.com/debian/pubkey.gpg stable main
zsh: command not found: deb

It did not accept that, as the deb command does not exist. So I tried adding it to sources.list with another command as an alternative:

sudo add-apt-repository 'deb signed-by=/usr/share/keyrings/yarn-repository.gpg https://dl.yarnpkg.com/debian/pubkey.gpg stable main'
[sudo] password for user:
E: Malformed entry 58 in list file /etc/apt/sources.list (URI parse)
E: The list of sources cannot be read.

It then gave this error: malformed entry 58. I then checked the sources.list file to see if anything was added, and noticed that the following lines had been added at the end, starting exactly at line 58:

deb signed-by=/usr/share/keyrings/yarn-repository.gpg https://dl.yarnpkg.com/debian/pubkey.gpg stable main
# deb-src signed-by=/usr/share/keyrings/yarn-repository.gpg https://dl.yarnpkg.com/debian/pubkey.gpg stable main

So the entry was added to sources.list, but it is giving this malformed entry 58 error; it seems that it was not added correctly and it cannot read it. How can I solve this problem?

Jeremy Davis's picture

In your /etc/apt/sources.list.d/yarn.list you need it to look like this:

deb [signed-by=/usr/share/keyrings/yarn-repository.gpg] https://dl.yarnpkg.com/debian/ stable main

I'm not sure why you got a zsh error though? zsh shouldn't be trying to interpret the file?! apt should!

After updating the list file, please share the full output of the following for me:

apt update

Fagner's picture

Hi Jeremy. I tried to change my sources.list but couldn't. I removed the line that was having the problem, which in this case was line 58, with this command:

sudo sed -i -e '58d' /etc/apt/sources.list

Then I tried again to add the line to sources.list, now as mentioned, but it did not accept it this time and gave an error:

sudo add-apt-repository 'deb [signed-by=/usr/share/keyrings/yarn-repository.gpg] https://dl.yarnpkg.com/debian/pubkey.gpg stable main'
Error: 'deb [signed-by=/usr/share/keyrings/yarn-repository.gpg] https://dl.yarnpkg.com/debian/pubkey.gpg stable main' invalid

I also don't know why zsh is being called, so I tried the other alternative, but it is also not working now. But I think if I remove the brackets it works again and adds the line again.

Jeremy Davis's picture

For future reference, to assist with troubleshooting and to understand what is going on, it's often important to know the commands that are being used.

You can possibly use add-apt-repository but I am unfamiliar with it or how it works. Just put it in a raw text file. You can use a text editor, or echo it straight into the file. E.g. this should work:

echo "deb [signed-by=/usr/share/keyrings/yarn-repository.gpg] https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list

Although it looks like you aren't running as root, so above will error and you'll need to do it slightly differently to work around that:

echo "deb [signed-by=/usr/share/keyrings/yarn-repository.gpg] https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list

So if you check '/etc/apt/sources.list.d/yarn.list' you should see the single line starting with deb. Give that a try...

Note too, you'll need to remove the yarn line from any other sources.list files that you have. You can find them all like this:

grep -r yarnpkg /etc/apt/sources.list*

Fagner's picture

The add-apt-repository command, as I understand it, is what PPAs use to add a repository to sources.list; that's why I tried to use it here. But I followed these new guidelines and it worked. As expected, the first command did not have permission, but the second command worked and the line was updated in yarn.list, and now it's like this:

deb [signed-by=/usr/share/keyrings/yarn-repository.gpg] https://dl.yarnpkg.com/debian/ stable main

I had already deleted the lines with yarn in my sources.list, so I updated the system with apt update, which resulted in:

sudo apt update
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Get:2 https://dl.yarnpkg.com/debian stable InRelease [17,1 kB]
Hit:3 http://br.archive.ubuntu.com/ubuntu focal InRelease
Hit:4 http://packages.microsoft.com/repos/code stable InRelease
Hit:5 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:6 http://ppa.launchpad.net/dawidd0811/neofetch/ubuntu focal InRelease
Hit:7 http://br.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:8 http://br.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:9 http://ppa.launchpad.net/peek-developers/stable/ubuntu focal InRelease
Fetched 17,1 kB in 2s (9.148 B/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

Now it's working. Thank you very much.

Jeremy Davis's picture

Great work! Glad that's fixed it.

For what it's worth, as an additional security measure you should pin yarn, so no other packages can be auto installed from the yarn repo. Do that by creating a '/etc/apt/preferences.d/yarn.pref' file with these contents:

Package: *
Pin: origin dl.yarnpkg.com
Pin-Priority: 1

Package: yarn
Pin: origin dl.yarnpkg.com
Pin-Priority: 500

The first section will pin any/all packages from the yarn repo to a value of '1' - which means it will never be installed unless explicitly noted. The second section pins the package 'yarn' to a priority of '500' (the same as default Debian packages) so it will be installed (or upgraded) without any special config.

This config protects against a malicious actor uploading malicious packages with the same name as default Debian packages - which could overwrite existing legitimate packages. So only the 'yarn' package itself can be installed (or upgraded) on the system.
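As an added example (not from the thread or from TurnKey), a POSIX shell script that checks a third-party repo setup against the advice in the posts above: the deb line must carry a bracketed signed-by option naming a keyring that actually exists and must point at the repository root, and the preferences file must pin the whole origin to 1 with only the wanted package at 500. The function names and the temp-directory paths are my own, and the "key" file it writes is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a third-party apt repo that was
# set up the way the posts above recommend. It catches the failure modes seen here:
# a signed-by keyring that is not the file the key was imported into (yarn.gpg vs
# yarn-repository.gpg), a deb line without the [brackets], and a URI that points at
# pubkey.gpg instead of the repository root. It also checks that the preferences
# file pins the whole origin to 1 and only the wanted package to 500.
# Function names and demo paths are made up; real files live in
# /etc/apt/sources.list.d/ and /etc/apt/preferences.d/.

# check_deb_line LISTFILE: validate the first 'deb' line; prints a reason and
# returns 1 on failure.
check_deb_line() {
    line=$(grep -E '^deb ' "$1" | head -n 1)
    [ -n "$line" ] || { echo "no deb line in $1"; return 1; }
    printf '%s\n' "$line" | grep -qE '^deb \[signed-by=[^]]+] https?://' \
        || { echo "signed-by missing or not in [brackets]: $line"; return 1; }
    keyring=$(printf '%s\n' "$line" | sed -E 's/^deb \[signed-by=([^]]+)].*/\1/')
    # apt only consults this file for the repo; if the key went elsewhere, NO_PUBKEY.
    [ -s "$keyring" ] || { echo "keyring $keyring missing or empty"; return 1; }
    uri=$(printf '%s\n' "$line" | awk '{print $3}')
    case "$uri" in
        */) ;;  # repository root such as https://dl.yarnpkg.com/debian/
        *)  echo "URI must be the repository root, not a file: $uri"; return 1 ;;
    esac
    echo "ok: $line"
}

# check_pin PREFFILE ORIGIN PKG: require a 'Package: *' stanza pinning ORIGIN to 1
# and a stanza raising PKG to 500, so nothing else from that origin gets installed
# or shadows a distro package.
check_pin() {
    awk -v origin="$2" -v pkg="$3" '
        /^Package:/      { p = $2 }
        /^Pin:/          { o = ($2 == "origin") ? $3 : "" }
        /^Pin-Priority:/ { if (o == origin) prio[p] = $2 + 0 }
        END { if (prio["*"] == 1 && prio[pkg] == 500) exit 0; exit 1 }' "$1"
}

# demo: write constructed good and bad configs to a temp dir and check them.
demo() {
    d=$(mktemp -d)
    echo 'constructed stand-in for the exported Yarn key' > "$d/yarn-repository.gpg"
    printf 'deb [signed-by=%s/yarn-repository.gpg] https://dl.yarnpkg.com/debian/ stable main\n' "$d" > "$d/yarn.list"
    printf 'deb signed-by=%s/yarn-repository.gpg https://dl.yarnpkg.com/debian/pubkey.gpg stable main\n' "$d" > "$d/broken.list"
    printf 'Package: *\nPin: origin dl.yarnpkg.com\nPin-Priority: 1\n\nPackage: yarn\nPin: origin dl.yarnpkg.com\nPin-Priority: 500\n' > "$d/yarn.pref"
    check_deb_line "$d/yarn.list"
    check_deb_line "$d/broken.list"
    check_pin "$d/yarn.pref" dl.yarnpkg.com yarn && echo "ok: origin locked, only yarn at 500"
    rm -rf "$d"
}

demo
```

Point check_deb_line at your real yarn.list and check_pin at your yarn.pref to confirm both match what apt is actually reading.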

Fagner's picture

This suggestion of protection is very good. I created and added the yarn.pref file in my preferences.d folder. I didn't know I could add this extra protection to Yarn Package. Very grateful for the recommendation.
