Yarn: Installing Yarn on Ubuntu 18.04.1 LTS gives invalid signature error. Possible expired key?

Created on 1 Jan 2019  ·  35 Comments  ·  Source: yarnpkg/yarn

What is the current behavior?

Attempting to install yarn on a new Ubuntu 18.04.1 LTS server and I get the following errors:

root@vps631721:~# curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
OK
root@vps631721:~# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2016-10-05 [SC]
      72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
uid           [ unknown] Yarn Packaging <[email protected]>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2016-10-30 [S] [expires: 2019-01-01]

.................

root@vps631721:~# echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
deb https://dl.yarnpkg.com/debian/ stable main
root@vps631721:~# sudo apt-get update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Hit:3 http://nova.clouds.archive.ubuntu.com/ubuntu bionic InRelease
Hit:4 http://nova.clouds.archive.ubuntu.com/ubuntu bionic-updates InRelease
Get:5 https://dl.yarnpkg.com/debian stable InRelease [13.3 kB]
Hit:6 http://nova.clouds.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:7 http://apt.postgresql.org/pub/repos/apt bionic-pgdg InRelease
Err:5 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures were invalid: EXPKEYSIG E074D16EB6FF4DE3 Yarn Packaging <[email protected]>
Reading package lists... Done
W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG E074D16EB6FF4DE3 Yarn Packaging <[email protected]>
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I don't know if the line sub rsa4096 2016-10-30 [S] [expires: 2019-01-01] (which is today) in the apt-key list output is of any note?

What is the expected behavior?

Yarn installs.

Please mention your node.js, yarn and operating system version.

Ubuntu 18.04.1 LTS

triaged

Most helpful comment

Should be fixed by https://github.com/yarnpkg/releases/commit/0f3e4b26cd64fda47e46d82bf3ab458935deb36a.

Please redownload the key as it now contains a new subkey:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

The new subkey expires on 2020-02-02 (thanks for the suggestion of not using January 1st, @jleclanche)

All 35 comments

Ohh, the key may have expired today! I'll have to take a look once I'm back from vacation (later today or tomorrow).

We are having this issue as of today as well.

Thanks for all your help @Daniel15.

@DanBuild Indeed: I also experience an EXPKEYSIG E074D16EB6FF4DE3 Yarn Packaging <[email protected]> when adding the repo and running apt-get update on debian stretch.

Note the key you provide:

$ curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --keyid-format 0xlong
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096/0x1646B01B86E50310 2016-10-05 [SC]
      72ECF46A56B4AD39C907BBB71646B01B86E50310
uid                             Yarn Packaging <[email protected]>
sub   rsa4096/0x02820C39D50AF136 2016-10-05 [E]
sub   rsa4096/0xD101F7899D41F3C3 2016-10-05 [S] [expired: 2017-10-05]
sub   rsa4096/0x46C2130DFD2497F5 2016-10-30 [S] [expires: 2019-01-01]
sub   rsa4096/0xE074D16EB6FF4DE3 2017-09-10 [S] [expired: 2019-01-01]

Note that the expired subkey is precisely the one referenced in the error.

@Daniel15 The key is valid until 2019-01-01 as per https://github.com/yarnpkg/yarn/issues/4253

I had the same issue a few moments ago; it seems it was valid till 2018.
and oh... by the way, Happy new year guys, great job at Yarn!

The installation script should still work, so you can use that for now. I'll fix it as soon as I can, but that won't be until tonight as I'm currently travelling.

I usually create a Github issue for key rotation, but I forgot to do that in 2018. I'm going to add a reminder in my calendar so I don't forget about this next year too.

As a temporary fix, adding [trusted=yes] will remove GPG error:

deb [trusted=yes] https://dl.yarnpkg.com/debian/ stable main

As a temporary fix, adding [trusted=yes] will remove GPG error:

deb [trusted=yes] https://dl.yarnpkg.com/debian/ stable main

I added this to my /etc/apt/sources.list.d/yarn.list file... but running sudo apt update still gives me the error. Is there something else I need to do?

@daveomcd I believe it just comes up as a warning once that's added; try running sudo apt-get install yarn. It was able to install after that.
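The [trusted=yes] workaround above tells apt to accept the repository without any signature check, and entries like that tend to outlive the emergency that introduced them. The following is an added example (not code from the Yarn project or from anyone in this thread): it scans a sources.list-style file for the options that disable apt-secure verification, documented in sources.list(5), and rewrites an entry with those options removed. The sample file contents are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Options from sources.list(5) that make apt skip or weaken signature verification.
INSECURE_OPTIONS = {
    "trusted": "yes",
    "allow-insecure": "yes",
    "allow-weak": "yes",
    "allow-downgradetoinsecure": "yes",
}

# One-line format: "deb [opt=val ...] URI suite [component ...]"
SOURCE_LINE = re.compile(
    r"^\s*(?P<kind>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?P<rest>.*)$"
)


def _is_insecure(option: str) -> bool:
    """True when a single 'key=value' option disables verification."""
    key, _, value = option.partition("=")
    return INSECURE_OPTIONS.get(key.lower()) == value.lower()


def audit_sources(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, option name, URI) for every entry that bypasses apt-secure."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SOURCE_LINE.match(line)
        if not m or not m.group("opts"):
            continue  # comments, blank lines and entries without options
        for option in m.group("opts").split():
            if _is_insecure(option):
                findings.append((lineno, option.partition("=")[0].lower(), m.group("uri")))
    return findings


def strip_insecure_options(line: str) -> str:
    """Rewrite one entry with the trust-bypass options removed; other options (arch=, signed-by=) are kept."""
    m = SOURCE_LINE.match(line)
    if not m or not m.group("opts"):
        return line
    kept = [o for o in m.group("opts").split() if not _is_insecure(o)]
    opts = f"[{' '.join(kept)}] " if kept else ""
    return f"{m.group('kind')} {opts}{m.group('uri')} {m.group('suite')}{m.group('rest')}"


# Constructed sample of /etc/apt/sources.list.d/yarn.list after the workaround was applied.
SAMPLE_SOURCES = """\
# yarn.list (constructed sample)
deb https://dl.yarnpkg.com/debian/ stable main
deb [trusted=yes] https://dl.yarnpkg.com/debian/ stable main
deb [arch=amd64 trusted=yes] https://nightly.yarnpkg.com/debian/ nightly main
deb-src [allow-insecure=yes] https://dl.yarnpkg.com/debian/ stable main
"""

if __name__ == "__main__":
    for lineno, option, uri in audit_sources(SAMPLE_SOURCES):
        print(f"line {lineno}: {option}=yes disables verification for {uri}")
    for line in SAMPLE_SOURCES.splitlines():
        fixed = strip_insecure_options(line)
        if fixed != line:
            print(f"hardened: {fixed}")
```

Once the repository key has been re-downloaded, the entry should go back to its plain form (or, on newer apt versions, pin the key with a signed-by= option, which this scanner deliberately keeps); a trusted=yes entry left behind means any content served from that URI is installed unverified.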

This caused failures in my auto-provisioning (AWS autoscaling spot fleet) when an Ansible Tower callback ran a playbook that updated the cache, and provisioning failed. Time to harden up my playbooks; be careful out there, folks!

I'm really sorry for breaking it. This is 100% my fault. I usually create a Github issue for the yearly key rotation (see #4253 for the previous issue) but forgot to create one last year and it just slipped my mind this year.

@daveomcd's workaround is good. I'm still a few hours away from home but I'll rotate the key and publish the new one as soon as possible. I'm also going to configure some monitoring so we get alerts if the key is within 90 days of expiry.

Note that for CI systems, ideally you should not install Yarn fresh on each build. Instead, use a Docker image with all your build tools installed. :)

@Daniel15 No worries, we all appreciate the time you devote entirely voluntarily and for free to maintaining open source software.

Note that for CI systems, ideally you should not install Yarn fresh on each build. Instead, use a Docker image with all your build tools installed. :)

Or cache it... That's the way I got around this problem on Circle CI... that way if install of newest fails, I still gots a yarn to fallback on.

I think CircleCI's Node.js Docker container comes with Yarn pre-installed.

Sent from my phone.

On Tue, Jan 1, 2019, 4:12 PM Allan Chappell <[email protected] wrote:

Note that for CI systems, ideally you should not install Yarn fresh on
each build. Instead, use a Docker image with all your build tools
installed. :)

Or cache it... That's the way I got around this problem on Circle CI...
that way if install of newest fails, I still gots a yarn to fallback on.


Correct,
and now apparently they have a node-browsers variant on the PHP containers too which also includes yarn... which wasn't always the case... time to go update some docker container tags.

I usually create a Github issue for key rotation, but I forgot to do that in 2018. I'm going to add a reminder in my calendar so I don't forget about this next year too.

I'd like to recommend expiring the key on a date other than January 1st… that way if it does expire, it's not during a holiday period :)

I think this may have been reported earlier than Jan 1 even..
https://github.com/yarnpkg/yarn/issues/6861

Should be fixed by https://github.com/yarnpkg/releases/commit/0f3e4b26cd64fda47e46d82bf3ab458935deb36a.

Please redownload the key as it now contains a new subkey:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

The new subkey expires on 2020-02-02 (thanks for the suggestion of not using January 1st, @jleclanche)

@Daniel15 Thanks for the quick response time, I can confirm it works =)

Yeah I just double checked with fresh Debian and Ubuntu VMs and verified that it's working now. Thanks for your patience!

My mistake here was assuming that apt/dpkg would still be fine with the key/signature even though it's expired, as the repo was signed while the key was still valid (since the last update was in November). I think this is what 'vanilla' GPG does, and is also how it works on Windows:

Signing tools from Microsoft allow developers to affix time stamps at the same time as they affix Authenticode signatures. Time stamping allows Authenticode signatures to be verifiable even after the certificates used for signature have expired.

https://docs.microsoft.com/en-us/windows/desktop/seccrypto/time-stamping-authenticode-signatures

I'll follow up on this by creating some monitoring scripts that will alert us when the key is getting dangerously close to expiring.
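The monitoring mentioned above (an alert when a signing subkey is within 90 days of expiry, as proposed earlier in the thread) is something any repository maintainer can script. The following is an added example, not code from the Yarn project or from the people in this thread: it parses the machine-readable `gpg --with-colons` listing of a public key, classifies every signing-capable key relative to a reference date, and raises an alert when no signing subkey is currently valid (the state apt reports as EXPKEYSIG) or when one expires within the warning window. The embedded listing is a constructed sample shaped like the Yarn key shown earlier in the thread; the script name check_key_expiry.py in the usage comment is hypothetical.

```python
import sys
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional


class KeyRecord(NamedTuple):
    kind: str                    # "pub" (primary key) or "sub" (subkey)
    keyid: str                   # long key ID, e.g. E074D16EB6FF4DE3
    caps: str                    # capability letters; lowercase 's' means this key itself can sign
    expires: Optional[datetime]  # None when the key never expires


def _parse_expiry(field: str) -> Optional[datetime]:
    """Field 7 of a pub/sub record: epoch seconds (GnuPG 2.x) or YYYY-MM-DD (older builds)."""
    if not field:
        return None
    if "-" in field:
        return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_colons(text: str) -> List[KeyRecord]:
    """Parse `gpg --with-colons` output, keeping only the pub and sub records."""
    records = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue  # fpr, uid and signature records carry no expiry we care about
        records.append(KeyRecord(kind=f[0], keyid=f[4], caps=f[11], expires=_parse_expiry(f[6])))
    return records


def signing_key_report(text: str, now: datetime, warn_days: int = 90) -> Dict:
    """Classify every signing-capable key relative to `now` and decide whether to alert.

    alert is True when no signing subkey is currently valid (apt would reject the
    repository's InRelease signature) or when a valid signing key expires within warn_days.
    """
    report = {"expired": [], "expiring": {}, "ok": [], "live_subkeys": 0, "alert": False}
    for rec in parse_colons(text):
        if "s" not in rec.caps:
            continue  # encryption-only subkeys never sign the repository metadata
        if rec.expires is not None and rec.expires <= now:
            report["expired"].append(rec.keyid)
            continue
        report["live_subkeys"] += rec.kind == "sub"
        if rec.expires is not None and (rec.expires - now).days <= warn_days:
            report["expiring"][rec.keyid] = (rec.expires - now).days
        else:
            report["ok"].append(rec.keyid)
    report["alert"] = report["live_subkeys"] == 0 or bool(report["expiring"])
    return report


# Constructed sample: the key listed earlier in this thread, as gpg would print it with --with-colons.
SAMPLE_COLONS = """\
pub:u:4096:1:1646B01B86E50310:1475625600:::u:::scESC::::::23::0:
fpr:::::::::72ECF46A56B4AD39C907BBB71646B01B86E50310:
uid:u::::1475625600::0000000000000000000000000000000000000000::Yarn Packaging <[email protected]>::::::::::0:
sub:u:4096:1:02820C39D50AF136:1475625600::::::e::::::23:
sub:e:4096:1:D101F7899D41F3C3:1475625600:1507161600:::::s::::::23:
sub:u:4096:1:46C2130DFD2497F5:1477785600:1546300800:::::s::::::23:
sub:u:4096:1:E074D16EB6FF4DE3:1505001600:1546300800:::::s::::::23:
"""

if __name__ == "__main__":
    # Usage (assumes GnuPG >= 2.2 for --show-keys; older versions: --import-options show-only --import):
    #   curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --with-colons --show-keys | python3 check_key_expiry.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_COLONS
    result = signing_key_report(text, datetime.now(timezone.utc))
    print(result)
    sys.exit(1 if result["alert"] else 0)
```

Run against the sample with a reference date of 2018-12-01, the report lists the 2017 subkey as expired and both 2019-01-01 subkeys as expiring in 31 days, so the alert fires a month before the outage described in this issue; a non-zero exit status makes it easy to wire into cron or a CI job.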

Signing tools from Microsoft allow developers to affix time stamps at the same time as they affix Authenticode signatures. Time stamping allows Authenticode signatures to be verifiable even after the certificates used for signature have expired.

I think it should work like that! Probably a bug report on Debian?

Still have the warning with nightly repo:
W: GPG error: https://nightly.yarnpkg.com/debian nightly InRelease: The following signatures were invalid: EXPKEYSIG E074D16EB6FF4DE3 Yarn Packaging <[email protected]>
E: The repository 'https://nightly.yarnpkg.com/debian nightly InRelease' is not signed.

I generated a new GPG subkey for the nightly repo, but I'm having issues with Aptly (#6904) which is making it impossible to republish the repo :/

18:00 daniel@vps03 /var/www/nightly.yarnpkg.com
% ./update-deb.sh
+ aptly repo add -remove-files=true yarn-nightly ./nightly/deb-incoming/
Loading packages...
+ aptly publish update -gpg-key=4F77679369475BAA nightly yarn-nightly
ERROR: unable to update: local repo with uuid 55ff60af-263a-4df6-8f97-2c09ad7a4995 not found

This should be fixed now!

Hi,

the problem is still here with this in my /etc/apt/sources.list.d:

deb https://dl.yarnpkg.com/debian/ stable main

Edit: never mind, re-downloading the key fixed it. :)

I can second the above comment. The key changed since the previous rotation 9 days ago and had to be re-downloaded.

I added a new subkey for the nightly builds, however that should NOT have affected the stable repo. I'll have to look into what happened here...

Sent from my phone.

On Fri, Jan 11, 2019, 1:37 AM bvnierop <[email protected] wrote:

I can second the above comment. The key changed since the previous
rotation 9 days ago and had to be re-downloaded.


The key changed since the previous rotation 9 days ago

Investigating in https://github.com/yarnpkg/yarn/issues/6916. Currently it looks like an Aptly bug: https://github.com/aptly-dev/aptly/issues/805

I resolved it here with these commands:
sudo pkill dirmngr; dirmngr --debug-all --daemon --standard-resolver
sudo apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys 4F77679369475BAA
wget https://yum.dockerproject.org/gpg
sudo apt-key add gpg

The revised key that I downloaded 4 days ago (which included the new subkey) stopped working again today.

Sorry about that... It should be okay now. That was tracked in #6916.

I've got a dashboard monitoring the key expiry dates now: https://dash.d.sb/d/0PYZ8W_iz/yarn and will configure monitoring for it.

expired again.

The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <[email protected]>

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

solved the problem

I extended the expiry a few weeks ago, but you need to manually update it since I haven't configured it to auto update yet. See #7866
