
New GPG keys deployed for packages.ros.org

As a follow-up to Security issue on ROS build farm, we have now deployed new GPG keys to packages.ros.org. This will require anyone using packages.ros.org to update their trusted GPG keys to be able to update packages going forward.

tldr; At this point you should do the following 3 things:

  • Add the new ROS GPG key to your apt keyring if you have not already.
  • Revoke the old GPG key; it’s no longer used.
  • If using testing, update the ros-shadow-fixed repository to refer to the ros-testing repository.

How to transition

Below are instructions for how to update your GPG keys.

Adding the new ROS repository key

Who should do this?
Everyone who installs ROS packages from packages.ros.org

When should this be done?
Now

What to do?
Set up the new repository key

sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654

Removing the old ROS repository key

Who should do this?
Everyone.

When must this be done?
Now

What to do?
Remove the key from your apt keyring

sudo apt-key del 421C365BD9FF1F717815A3895523BAEEB01FA116

Updating the testing repository url

Who should do this? Anyone who is currently using the ros-shadow-fixed repository to test ROS packages before a sync.

Check your /etc/apt/sources.list and /etc/apt/sources.list.d/*.list for http://packages.ros.org/ros-shadow-fixed and replace it with http://packages.ros.org/ros-testing.

Migrating to Snapshots.ros.org for unsupported distributions

For older unsupported distributions we have moved the debian packages to a new host. Details for how to set that up are in this post: Security issue on ROS build farm


More detailed explanations can be found in this post:

7 Likes

Excellent, thank you @tfoote. We’ve thus started the process of untrusting the old key in the snapcraft CLI (the new one has been trusted since the original news broke, no one should be broken).

2 Likes

FYI: ROS Docker images from the Official Library registry have also been updated to reflect the above key rotation. Please be sure to pull the latest images before rebuilding any dependent tags.

As @gerkey mentioned in the original thread, a big thanks to @tfoote, @nuclearsandwich, and @jrivero for the many hours and late nights they put into getting us back on track. Cheers! :beers:


P.S. for tracking when updated images finally get synced to the docker hub registry:

2 Likes

Thank you to @kyrofa @ruffsl @garyservin and everyone who’s helping propagate these changes quickly. If you’re updating tools and services that build on top of our packages please reply here or track it at https://github.com/ros-infrastructure/roswiki/issues/276 so that people can know which things have been updated.

3 Likes

For ubuntu 14.04 or earlier (e.g. indigo or jade), we should run

sudo apt-key del B01FA116

instead of

sudo apt-key del 421C365BD9FF1F717815A3895523BAEEB01FA116

since the apt version is old.

B01FA116 is the last 8 characters of 421C365BD9FF1F717815A3895523BAEEB01FA116.

1 Like
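Added example (not from the announcement or from any ROS tooling): POSIX shell helpers covering the three transition steps in the original post and the short-key-id point made in the last reply. It assumes GNU sed, that the key fingerprints are the ones quoted in the thread, and that the file passed to the migration function is the apt source file to edit; the function names are made up here.

```shell
#!/bin/sh
# Added example, not part of the ROS announcement. Assumes GNU sed (for -i)
# and the two key fingerprints quoted in the thread.
OLD_ROS_KEY=421C365BD9FF1F717815A3895523BAEEB01FA116
NEW_ROS_KEY=C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654

# Normalise a fingerprint as gpg/apt-key print it (grouped with spaces,
# possibly lower case) to 40 upper-case hex characters.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# The 8-hex short key id is the tail of the full fingerprint; this is the
# form the older apt-key on Ubuntu 14.04 and earlier accepts for "del".
short_key_id() {
  fpr=$(normalize_fpr "$1")
  printf '%s' "${fpr#"${fpr%????????}"}"
}

# After "apt-key adv --recv-key", check the fingerprint the keyserver returned
# against the expected one. Compare the full 40-hex fingerprint; a short id is
# not enough to identify a key.
fingerprint_matches() {
  [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Rewrite ros-shadow-fixed to ros-testing in one apt source file and print
# how many lines referred to the old repository.
migrate_testing_repo() {
  file=$1
  before=$(grep -c 'http://packages.ros.org/ros-shadow-fixed' "$file" || true)
  sed -i 's#http://packages.ros.org/ros-shadow-fixed#http://packages.ros.org/ros-testing#g' "$file"
  printf '%s\n' "$before"
}

# Demonstration on a constructed sample source list (not a real system file).
tmp=$(mktemp)
printf 'deb http://packages.ros.org/ros-shadow-fixed/ubuntu focal main\n' > "$tmp"
printf 'lines migrated: %s\n' "$(migrate_testing_repo "$tmp")"
printf 'short id of old key: %s\n' "$(short_key_id "$OLD_ROS_KEY")"
cat "$tmp"
rm -f "$tmp"
```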