New GPG keys deployed for packages.ros.org

As a follow-up to Security issue on ROS build farm we have now deployed new GPG keys to packages.ros.org. This will require anyone using packages.ros.org to update their trusted GPG keys to be able to update packages going forward.

tl;dr: At this point you should do the following 3 things:

  • Add the new ROS GPG key to your apt keyring if you have not already.
  • Revoke the old GPG key; it’s no longer used.
  • If using testing, update the ros-shadow-fixed repository to refer to the ros-testing repository.

How to transition

Below are instructions for how to update your GPG keys.

Adding the new ROS repository key

Who should do this?
Everyone who installs ROS packages from packages.ros.org

When should this be done?
Now

What to do?
Set up the new repository key

sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654

Removing the old ROS repository key

Who should do this?
Everyone.

When must this be done?
Now

What to do?
Remove the key from your apt keyring

sudo apt-key del 421C365BD9FF1F717815A3895523BAEEB01FA116

Updating the testing repository url

Who should do this? Anyone who is currently using the ros-shadow-fixed repository to test ROS packages before a sync.

Check your /etc/apt/sources.list and /etc/apt/sources.list.d/*.list for http://packages.ros.org/ros-shadow-fixed and replace it with http://packages.ros.org/ros-testing

Migrating to Snapshots.ros.org for unsupported distributions

For older unsupported distributions we have moved the Debian packages to a new host. Details for how to set that up are in this post: Security issue on ROS build farm - #8 by nuclearsandwich


More detailed explanations can be found in this post:


Excellent, thank you @tfoote. We’ve thus started the process of untrusting the old key in the snapcraft CLI (the new one has been trusted since the original news broke, no one should be broken).


FYI: ROS Docker images from the Official Library registry have also been updated to reflect the above key rotation. Please be sure to pull the latest images before rebuilding any dependent tags.

As @gerkey mentioned in the original thread, a big thanks to @tfoote, @nuclearsandwich, and @jrivero for the many hours and late nights they put into getting us back on track. Cheers! :beers:


P.S. for tracking when update images get finally synced to the docker hub registry:


Thank you to @kyrofa @ruffsl @garyservin and everyone who’s helping propagate these changes quickly. If you’re updating tools and services that build on top of our packages please reply here or track it at https://github.com/ros-infrastructure/roswiki/issues/276 so that people can know which things have been updated.


For Ubuntu 14.04 or earlier (e.g. indigo or jade), we should run

sudo apt-key del B01FA116

instead of

sudo apt-key del 421C365BD9FF1F717815A3895523BAEEB01FA116

since the apt version is old.

B01FA116 is the last 8 characters of 421C365BD9FF1F717815A3895523BAEEB01FA116.

$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2019-05-30 [SC] [expired: 2021-05-29]
      C1CF 6E31 E6BA DE88 68B1  72B4 F42E D6FB AB17 C654
uid           [ expired] Open Robotics <info@osrfoundation.org>

Today, the key released 2 years ago is expired. Is the new key on the way?

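An added check that covers both the three transition steps from the opening post and the expired-key listing just above; this is example code written for this page, not tooling from ROS or from anyone in the thread. It parses the colon-format listing that gpg (or apt-key adv) produces for /etc/apt/trusted.gpg and reports whether the revoked key is still present and whether the current key is missing or expired. Both keyring listings in the script are constructed samples; the fingerprints and the 2019-05-30/2021-05-29 dates are the ones given in this thread.

```shell
# Added example (not from the thread): audit a gpg/apt keyring listing for the
# ROS key rotation. Input is the machine-readable listing produced by e.g.
#   gpg --no-default-keyring --keyring /etc/apt/trusted.gpg \
#       --with-colons --fingerprint --list-keys
OLD_FPR=421C365BD9FF1F717815A3895523BAEEB01FA116   # revoked, must be gone
NEW_FPR=C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654   # current, must be valid

# audit_keyring: reads a colon-format listing on stdin, prints one finding per
# line; exits 0 only if the new key is present and unexpired and the old key is absent.
audit_keyring() {
    awk -F: -v old="$OLD_FPR" -v new="$NEW_FPR" '
        # pub record: field 2 is validity (e = expired, r = revoked)
        $1 == "pub" { validity = $2; in_pub = 1; next }
        # sub records may carry their own fpr lines; ignore those
        $1 == "sub" { in_pub = 0; next }
        # fpr record directly after pub: field 10 is the full fingerprint
        $1 == "fpr" && in_pub {
            fpr = $10
            if (fpr == old) { print "OLD_KEY_PRESENT " fpr; bad = 1 }
            if (fpr == new) {
                seen_new = 1
                if (validity == "e")      { print "NEW_KEY_EXPIRED " fpr; bad = 1 }
                else if (validity == "r") { print "NEW_KEY_REVOKED " fpr; bad = 1 }
                else                      { print "NEW_KEY_OK " fpr }
            }
        }
        END { if (!seen_new) { print "NEW_KEY_MISSING " new; bad = 1 }
              exit (bad ? 1 : 0) }'
}

# Constructed sample: a keyring that still holds the old key and has the new key
# in the expired state reported above (creation/expiry dates from that report).
SAMPLE_STALE='pub:e:4096:1:F42ED6FBAB17C654:1559174400:1622246400::-:::scSC::::::23::0:
fpr:::::::::C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654:
uid:e::::1559174400::0000000000000000000000000000000000000000::Open Robotics <info@osrfoundation.org>::::::::::0:
sub:e:4096:1:0000000000000001:1559174400:1622246400:::::e::::::23:
pub:-:4096:1:5523BAEEB01FA116:1400000000:::-:::scSC::::::23::0:
fpr:::::::::421C365BD9FF1F717815A3895523BAEEB01FA116:
uid:-::::1400000000::0000000000000000000000000000000000000001::Old ROS key (constructed uid)::::::::::0:'

# Constructed sample: the same keyring after the transition steps plus a fresh
# import of the current key (not expired; old key deleted with apt-key del).
SAMPLE_FIXED='pub:-:4096:1:F42ED6FBAB17C654:1559174400:::-:::scSC::::::23::0:
fpr:::::::::C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654:
uid:-::::1559174400::0000000000000000000000000000000000000000::Open Robotics <info@osrfoundation.org>::::::::::0:'

printf '%s\n' "$SAMPLE_STALE" | audit_keyring || echo "stale keyring: action needed"
printf '%s\n' "$SAMPLE_FIXED" | audit_keyring && echo "fixed keyring: ok"
```

To audit a real machine, pipe the gpg listing from the comment at the top into audit_keyring instead of the samples; a non-zero exit means one of the three transition steps is still outstanding.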

See also: Key for downloading ros2 source showing expired - #3 by Katherine_Scott


Hey you all, the recommended solution is not working for me.

I already had

sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654

as described above in my Docker container’s Dockerfile, but it was failing due to expired keys during installation of ROS packages.

Then I added the line

curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | sudo apt-key add -

and everything worked.

Unless I’m reading the documentation wrong, it seems that it should work with the first line, and the second line should not be required. Why may I have success only when I add the second line?

To summarize, my failing code is this:

sh -c 'echo "deb http://packages.ros.org/ros/ubuntu $(lsb_release -sc) main" > /etc/apt/sources.list.d/ros-latest.list' >/dev/null 2>&1 \
    && apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654

which results in the key error when trying to install ROS packages, but the following code works:

sh -c 'echo "deb http://packages.ros.org/ros/ubuntu $(lsb_release -sc) main" > /etc/apt/sources.list.d/ros-latest.list' >/dev/null 2>&1 \
    && apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654

curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | sudo apt-key add -

I have a feeling the first line is not needed if I have the second one, but the main issue is that it does not work for me if I use only the first.

Sorry, I wasn’t checking the date of the original post, and I thought this thread was for the new incident described at

Does that mean that the following page is outdated and should list a new value there instead of C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654?

http://wiki.ros.org/Installation/Ubuntu/Sources

Surely many people are hitting that page, and it’s not working…

The new public key uses the same private key as before, so that fingerprint is still correct.

From a fresh docker pull, I ran these commands and they worked correctly for Ubuntu Bionic and Focal, targeting Melodic and Noetic respectively:

$ docker pull ubuntu:focal
$ docker run --rm -it ubuntu:focal
# apt update
# apt install -y gnupg lsb-release
# sh -c 'echo "deb http://packages.ros.org/ros/ubuntu $(lsb_release -sc) main" > /etc/apt/sources.list.d/ros-latest.list' >/dev/null 2>&1 \
    && apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
# apt update
# apt install -y ros-noetic-catkin

Perhaps try removing any existing key prior to running the import step?

apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --delete-keys C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654

Moving this discussion over to the new thread: Ubuntu installation doc needs to be updated for use with new GPG keys?

And closing this one for clarity.