Carlos Mora

Hi,

apt update output:

Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease
Hit:4 http://deb.debian.org/debian stretch Release
Err:3 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
<more lines>

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E

An attempt to get the pubkey from yarnpkg didn't help:

wget https://dl.yarnpkg.com/debian/pubkey.gpg
apt-key add pubkey.gpg

After that, the new key appears in apt-key list, but the key is still missing.

Did someone get this solved?

KR

Jeremy Davis

We lock down third party repos as per best practice. To update the key, try this:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key --keyring /usr/share/keyrings/yarn.gpg add -

FWIW this has occurred because the yarn key is rotated annually, and the old one expired 1st Jan 2019.

Carlos Mora

Hi Jeremy,

Sorry, I did as suggested, but still the same result.

root@GitLab-Server ~/scratchdir# apt-key --keyring /usr/share/keyrings/yarn.gpg list
/usr/share/keyrings/yarn.gpg
----------------------------
pub   rsa4096 2016-10-05 [SC]
      72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
uid           [ unknown] Yarn Packaging <yarn@dan.cx>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2019-01-02 [S] [expires: 2020-02-02]
sub   rsa4096 2019-01-11 [S] [expires: 2020-02-02]

The key seems to be there, but still:


root@GitLab-Server ~/scratchdir# apt update
Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease
Hit:4 http://deb.debian.org/debian stretch Release
Err:3 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
Ign:5 http://archive.turnkeylinux.org/debian stretch-security InRelease
Ign:7 http://archive.turnkeylinux.org/debian stretch InRelease
Hit:8 http://archive.turnkeylinux.org/debian stretch-security Release
Hit:10 http://archive.turnkeylinux.org/debian stretch Release
Reading package lists... Done
Building dependency tree
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Some index files failed to download. They have been ignored, or old ones used instead.

-----

Last-minute update. Success!!!

The name of the keyring is yarn-repository.gpg, so the command to update it should be:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key --keyring /usr/share/keyrings/yarn-repository.gpg add -

I found out by looking into /etc/apt/sources.list.d/yarn.list

Thanks!
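The resolution above comes down to one rule: when an apt sources entry carries `signed-by=`, apt verifies that repository's InRelease against that keyring file only, and `trusted.gpg`, `trusted.gpg.d` and any other keyring under `/usr/share/keyrings` are irrelevant to it. The key id in a NO_PUBKEY message is the long id of the key that actually made the signature, which for Yarn is a signing subkey, so a keyring can contain the primary key and still fail. The script below is an added example for this thread, not TurnKey's or Yarn's code: it reads the `signed-by=` keyring out of one-line-style sources entries, parses `gpg --with-colons` listings, and reports whether the offending id is in the keyring apt will use and whether it is sitting in some other keyring instead. The sources text and listings are constructed to mirror the thread (the real contents of yarn.list are not shown above); the pub key id and fingerprint are the ones in Carlos's listing, the placement of 23E7166788B63E1E on the 2019 signing subkey is an assumption for illustration, and the encryption subkey id and timestamps are invented.

```python
"""Diagnose an apt NO_PUBKEY error: find the keyring apt actually consults for
a repository and check whether the key id from the error is in it, subkeys
included.  Added example for this thread, not TurnKey's or Yarn's code; the
sources entries and gpg listings below are constructed (see lead-in)."""
import re
import subprocess

# A one-line sources entry: deb [opt=val ...] URL suite components.
# signed-by= pins the repo to one keyring; apt then ignores trusted.gpg(.d).
SOURCE_LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)")
SIGNED_BY_RE = re.compile(r"signed-by=([^\s,]+)")


def parse_sources(text):
    """Map repository URL -> keyring path from signed-by=, or None when the
    entry has none and apt falls back to /etc/apt/trusted.gpg(.d)."""
    repos = {}
    for line in text.splitlines():
        m = SOURCE_LINE_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines; deb822 stanzas are not handled
        options, url = m.group(2) or "", m.group(3)
        sb = SIGNED_BY_RE.search(options)
        repos[url] = sb.group(1) if sb else None
    return repos


def keyids_from_listing(colons_text):
    """Collect long key ids (field 5 of pub/sub records) and full fingerprints
    (field 10 of fpr records) from `gpg --with-colons --list-keys` output."""
    ids = set()
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 4:
            ids.add(f[4].upper())
        elif f[0] == "fpr" and len(f) > 9:
            ids.add(f[9].upper())
    return ids


def key_present(keyid, ids):
    """apt prints the 16-hex long id; accept it directly or as the tail of a
    fingerprint.  Subkeys count: InRelease is signed by a signing subkey."""
    k = keyid.upper()
    return any(i == k or i.endswith(k) for i in ids)


def list_keyring(path):
    """Real listing of a binary keyring file (not used by the offline demo)."""
    return subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", path,
         "--list-keys", "--with-colons"],
        check=True, capture_output=True, text=True).stdout


def diagnose(keyid, url, sources_text, listings):
    """listings: keyring path -> with-colons text.  Returns the keyring apt
    uses for url, whether keyid is in it, and which other keyrings hold the
    key (the thread's symptom: key added to yarn.gpg, repo pinned to
    yarn-repository.gpg)."""
    keyring = parse_sources(sources_text)[url]
    found = {p for p, txt in listings.items()
             if key_present(keyid, keyids_from_listing(txt))}
    if keyring is None:
        present = any(p.startswith("/etc/apt/trusted.gpg") for p in found)
    else:
        present = keyring in found
    return {"keyring": keyring, "present": present,
            "elsewhere": sorted(found - {keyring})}


# Constructed sources text, modelled on the thread's yarn.list.
SOURCES = """\
deb [signed-by=/usr/share/keyrings/yarn-repository.gpg] https://dl.yarnpkg.com/debian stable main
deb http://deb.debian.org/debian stretch main
"""

# Constructed --with-colons listings.  Pub id and fingerprint are from the
# thread; 23E7166788B63E1E is placed on the 2019 signing subkey as an
# assumption; 0123456789ABCDEF and the timestamps are invented.
PUB = (
    "pub:-:4096:1:1646B01B86E50310:1475539200:::-:::scSC::::::23::0:\n"
    "fpr:::::::::72ECF46A56B4AD39C907BBB71646B01B86E50310:\n"
    "uid:-::::1475539200::::Yarn Packaging <yarn@dan.cx>::::::::::0:\n"
    "sub:-:4096:1:0123456789ABCDEF:1475539200::::::e::::::23:\n"
)
YARN_GPG = PUB + "sub:-:4096:1:23E7166788B63E1E:1546387200:1580601600:::::s::::::23:\n"
YARN_REPOSITORY_GPG = PUB  # stale copy fetched before the 2019 subkey existed

LISTINGS = {
    "/usr/share/keyrings/yarn.gpg": YARN_GPG,
    "/usr/share/keyrings/yarn-repository.gpg": YARN_REPOSITORY_GPG,
}

if __name__ == "__main__":
    print(diagnose("23E7166788B63E1E", "https://dl.yarnpkg.com/debian",
                   SOURCES, LISTINGS))
```

Against a real box, replace `LISTINGS` with `{p: list_keyring(p) for p in glob.glob("/usr/share/keyrings/*.gpg")}` and `SOURCES` with the concatenated `/etc/apt/sources.list.d/*.list`; a result with `present: False` and a non-empty `elsewhere` is exactly the state Carlos hit, and the fix is to import the key into the keyring named in `keyring`, as in the corrected `apt-key --keyring ... add -` command above.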


Jeremy Davis

Yes you are absolutely correct! Apologies on that and glad to hear that you worked it out.

FWIW there is a TurnKey convention for 3rd party apt repos, of consistently naming the sources.list file, the preferences file and the gpg key all the same (with the relevant file extension). Generally, this is a descriptive name which should make it relatively obvious what it is or who it's supplied by. Whilst "yarn-repository.gpg" is descriptive, it doesn't match the name of the sources.list file, nor the preferences file, so it appears that the convention is sort of broken in the GitLab appliance! In retrospect I probably should have double checked rather than relying on memory...

FWIW, I've been working on updating the Canvas appliance (which also installs Yarn) and that does comply with the convention, hence the gpg key file is named /usr/share/keyrings/yarn.gpg.

Also it's worth noting that we're currently in the process of a major overhaul of the GitLab appliance. The current one installs from source, but we've decided to change the install to use the Omnibus package. It's proving a little more complex than I'd hoped, so is still not ready, but there is progress. You can check out the outline plan, discussion and progress here. I hope to release that ASAP, but no hard ETA currently.
