Key rotation for ROS 2 apt repositories

In light of the build.ros.org security issue, we have decided to retire the key previously used to sign ROS 2 apt repositories.

We believe the ROS 2 repositories to be intact. We have no reason to believe that any malicious access or use of the GPG key occurred. To be abundantly cautious, we are updating the repository signing key to curb future abuse of the potentially exposed key, but the packages in the repository are unchanged. When we perform the first sync for Dashing later today, it will update the signing key for all ROS 2 repositories.

Adding the new repository key

You may get the key from the GPG keyserver network, which requires apt-key and GnuPG:

sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654

or from the ROS 2 build repository host:

curl http://repo.ros2.org/repos.key | sudo apt-key add -

Removing the old key from your apt keyring

Warning: This key is still used for ROS 1 packages on packages.ros.org, and the key has not been updated there yet. Removing the key will prevent updates from the ROS and ROS testing (shadow fixed) repositories until they are redeployed.

If you’re only using packages from ROS 2, you can safely remove this key now. No package updates will be pushed to repositories signed with this key. Unless you need to install ROS 1 packages not previously installed on your system, you could remove it now to be as safe as possible.

sudo apt-key del 421C365BD9FF1F717815A3895523BAEEB01FA116

After the ROS 1 repository has been redeployed there will be no future legitimate use of this key and you should remove it from your systems. When that redeployment occurs we will make another announcement and update this thread.


Hi, I have updated the key for my Indigo docker container and tried to rebuild it, but I get this:

Get:3 http://packages.ros.org trusty/main i386 Packages [891 kB]
Fetched 1786 kB in 6s (282 kB/s)
Reading package lists...
W: GPG error: http://packages.ros.org trusty InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5523BAEEB01FA116
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  bzr docutils-common libapr1 libaprutil1 libserf-1-1 libsvn1 libyaml-0-2
  mercurial mercurial-common python-bzrlib python-catkin-pkg
  python-catkin-pkg-modules python-chardet python-chardet-whl python-colorama
  python-colorama-whl python-configobj python-dateutil python-distlib
  python-distlib-whl python-docutils python-html5lib python-html5lib-whl
  python-pip-whl python-pkg-resources python-pyparsing python-requests
  python-requests-whl python-roman python-rosdistro python-rosdistro-modules
  python-rospkg python-rospkg-modules python-setuptools python-setuptools-whl
  python-six python-six-whl python-urllib3 python-urllib3-whl python-wstool
  python-yaml python3-pkg-resources subversion
Suggested packages:
  bzr-doc bzrtools python-bzrlib.tests qct vim emacs kdiff3 kdiff3-qt kompare
  meld tkcvs mgdiff python-mysqldb python-pygments python-openssl
  python-bzrlib-dbg python-kerberos python-pycurl xdg-utils
  texlive-latex-recommended texlive-latex-base texlive-lang-french
  fonts-linuxlibertine ttf-linux-libertine python-genshi python-lxml
  python-distribute python-distribute-doc python3-setuptools subversion-tools
  db5.3-util
Recommended packages:
  python-gpgme openssh-client wish python-launchpadlib python-paramiko
  python-pil libpaper-utils docutils-doc python-dev-all python-wheel
The following NEW packages will be installed:
  bzr docutils-common libapr1 libaprutil1 libserf-1-1 libsvn1 libyaml-0-2
  mercurial mercurial-common python-bzrlib python-catkin-pkg
  python-catkin-pkg-modules python-chardet python-chardet-whl python-colorama
  python-colorama-whl python-configobj python-dateutil python-distlib
  python-distlib-whl python-docutils python-html5lib python-html5lib-whl
  python-pip python-pip-whl python-pkg-resources python-pyparsing
  python-requests python-requests-whl python-roman python-rosdep
  python-rosdistro python-rosdistro-modules python-rosinstall python-rospkg
  python-rospkg-modules python-setuptools python-setuptools-whl python-six
  python-six-whl python-urllib3 python-urllib3-whl python-vcstools
  python-wstool python-yaml python3-pkg-resources subversion
0 upgraded, 47 newly installed, 0 to remove and 24 not upgraded.
Need to get 7434 kB of archives.
After this operation, 34.3 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  python-catkin-pkg-modules python-catkin-pkg python-rospkg-modules
  python-rospkg python-rosdistro-modules python-rosdistro python-rosdep
  python-vcstools python-wstool python-rosinstall
E: There are problems and -y was used without --force-yes
The command '/bin/sh -c apt-get update && apt-get install --no-install-recommends -y     python-rosdep     python-rosinstall     python-vcstools     python-pip     && rm -rf /var/lib/apt/lists/*' returned a non-zero code: 100

I know Indigo is EOL now, but we still use it.
What is the way to install it in a docker container?

UPDATE: I just realised that everything still works with Indigo with the old key.
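Two points in this thread are worth making concrete for anyone automating the rotation: the announcement's `curl http://repo.ros2.org/repos.key | sudo apt-key add -` trusts whatever the download returns, and the Indigo failure above reports `NO_PUBKEY 5523BAEEB01FA116`, which is the long key ID (the last 16 hex digits) of the retired key 421C365BD9FF1F717815A3895523BAEEB01FA116, i.e. exactly what apt prints once that key is deleted while packages.ros.org is still signed with it. The following POSIX shell helper is an added example, not part of the announcement and not ROS project tooling: it downloads a key file to a temporary location, checks that it contains exactly one primary key whose fingerprint equals the pinned value before calling `apt-key add`, reports whether the retired key is still in the keyring, and derives the NO_PUBKEY id from a fingerprint. The two fingerprints are the ones quoted in the thread; the function names, the constructed `gpg --with-colons` sample and its `example.invalid` user ID are assumptions. It assumes GnuPG 2.1.14 or newer (for `--import-options show-only`), curl, awk and apt-key.

```shell
#!/bin/sh
# Added example (not from the ROS announcement): pin the apt repository signing
# key's fingerprint before trusting it, and relate a NO_PUBKEY id to a fingerprint.
# Assumes GnuPG >= 2.1.14 (`--import-options show-only`), curl, awk, apt-key.

# Fingerprints quoted in the thread: the new ROS 2 key and the retired key.
EXPECTED_FPR="C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654"
OLD_FPR="421C365BD9FF1F717815A3895523BAEEB01FA116"

# normalize_fpr STRING: uppercase with spaces removed, so the spaced form printed
# by `gpg --fingerprint` or `apt-key finger` compares equal to the pinned value.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# fpr_matches EXPECTED ACTUAL: exit 0 only when both normalize to the same 40 hex digits.
fpr_matches() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ ${#a} -eq 40 ] && [ "$a" = "$b" ]
}

# long_keyid_of FINGERPRINT: the 16-digit id apt prints after NO_PUBKEY is
# simply the last 16 hex digits of the key's fingerprint.
long_keyid_of() {
    normalize_fpr "$1" | tail -c 16
}

# primary_fprs_from_colons: read `gpg --with-colons` records on stdin and print the
# fingerprint (field 10 of the "fpr" record) that directly follows each "pub"
# record. Subkey fingerprints (the "fpr" after a "sub") are deliberately skipped.
primary_fprs_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0; next }
             { want = 0 }'
}

# Constructed sample of `gpg --with-colons` output (not real key data: the long
# key ID and fingerprint are the announcement's, everything else is made up).
SAMPLE_COLONS='tru::1:1600000000:0:3:1:5
pub:-:4096:1:F42ED6FBAB17C654:1500000000::-:::scESC::::::23::0:
fpr:::::::::C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654:
uid:-::::1500000000::0000000000000000000000000000000000000000::Constructed Test Key <constructed@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::e::::::23:
fpr:::::::::0000000000000000000000000123456789ABCDEF:'

# demo_parse_fingerprints: run the parser over the constructed sample (offline).
demo_parse_fingerprints() {
    printf '%s\n' "$SAMPLE_COLONS" | primary_fprs_from_colons
}

# verify_key_file FILE EXPECTED: exit 0 only if FILE holds exactly one primary key
# and its fingerprint equals EXPECTED. show-only means nothing is imported.
verify_key_file() {
    fprs=$(gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
           | primary_fprs_from_colons)
    count=$(printf '%s\n' "$fprs" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "refusing: expected exactly one key in $1, found $count" >&2
        return 1
    fi
    fpr_matches "$2" "$fprs"
}

# install_key_pinned URL EXPECTED: download to a temp file, verify, then add it to
# apt's keyring. The pinned fingerprint, not the transport, is what establishes
# trust, so a tampered download is rejected before apt-key ever sees it.
install_key_pinned() {
    tmp=$(mktemp) || return 1
    curl -fsSL "$1" -o "$tmp" || { rm -f "$tmp"; return 1; }
    if verify_key_file "$tmp" "$2"; then
        sudo apt-key add "$tmp"; rc=$?
    else
        echo "refusing to add key from $1: fingerprint mismatch" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# old_key_present: exit 0 if the retired key is still in apt's keyring
# (`apt-key finger` prints fingerprints with spaces, hence the tr).
old_key_present() {
    apt-key finger 2>/dev/null | tr -d ' ' | grep -qi "$OLD_FPR"
}

# Stand-alone run: parse the constructed sample and show the retired key's NO_PUBKEY id.
echo "primary key in sample: $(demo_parse_fingerprints)"
echo "NO_PUBKEY id of the retired key: $(long_keyid_of "$OLD_FPR")"
# Real use: install_key_pinned http://repo.ros2.org/repos.key "$EXPECTED_FPR"
#           old_key_present && echo "retired key still in keyring"
```

`verify_key_file` insists on exactly one primary key so that a key file which also carries an extra, unexpected key cannot slip in alongside the legitimate one. On releases where `apt-key` is deprecated, the same verified file can be dropped into `/etc/apt/trusted.gpg.d/` or referenced with a `signed-by` option in the sources entry instead; the fingerprint check stays the same.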

The keys for ROS 1 repositories have now been rotated as well; see the announcement "New GPG keys deployed for packages.ros.org".
