ROS GPG Key Expiration Incident

Maybe I’m jumping the gun, but it doesn’t look like the focal/noetic images were updated. I don’t see a new GitCommit in the above PR for the focal noetic-ros-core.

I was looking at the dockerhub, seems like the noetic and focal image tags were updated:
Focal
Noetic

Noetic images still do not work.

16:30 $ docker pull ros:noetic-robot
noetic-robot: Pulling from library/ros
Digest: sha256:61660593caa87bb2a0299c363a2a408998362502e38ba2acf88f8801d0576548
Status: Image is up to date for ros:noetic-robot
docker.io/library/ros:noetic-robot
16:30 $ docker run -it  ros:noetic-robot bash
root@52910c874989:/# sudo apt-get update
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:2 http://packages.ros.org/ros/ubuntu focal InRelease [4676 B]              
Get:3 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]                           
Err:2 http://packages.ros.org/ros/ubuntu focal InRelease          
  The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <info@osrfoundation.org>
Get:4 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [27.6 kB]
Get:5 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [728 kB]
Get:6 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [836 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]      
Get:8 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [275 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]     
Get:10 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:11 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:13 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [315 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [975 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1272 kB]
Get:17 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [29.8 kB]
Get:18 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [4305 B]
Reading package lists... Done                               
W: GPG error: http://packages.ros.org/ros/ubuntu focal InRelease: The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <info@osrfoundation.org>
E: The repository 'http://packages.ros.org/ros/ubuntu focal InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

foxy images still do not work. In fact, the last update in Dockerhub is 7 days ago: Docker Hub

2 Likes

More updates here:

3 Likes

The new key has now propagated to all ros:* and osrf/ros:* images. Thanks all for your patience.

If you encounter any issues don’t hesitate to open a ticket here

Happy containing

4 Likes

@cottsay : You’re right, the key wasn’t changed, only the expiration date was extended, so we don’t need to change the installation instructions. Thanks for clearing that up!

Would it be possible to please simplify the ROS key and install process with:

sudo apt-add-repository ppa:ros/foxy
sudo apt update && sudo apt install ros-foxy-desktop

This is much more memorizable than the current curl/tee/foo and a lot of other software is this easy to install.

We have now published this:

Unfortunately the shorthand used for the PPA is only valid for the official Ubuntu hosted PPAs which cannot support our use cases. If you’re not using the Canonical hosted PPAs you still have to fetch the keys explicitly which is important to make clear as this is your source of trust.

Thus you could use it instead of echoing the source line, like this: apt-add-repository "http://packages.ros.org/ros2/ubuntu focal main"

Limitations of apt-add-repository:

  • It requires larger dependency requirements for base installation
  • Doesn’t support signed-by argument
  • Doesn’t support arch arguments
  • You can’t control the name of the file

Thus sticking with the lower level tools is both more powerful and more transparent as to what’s happening which is especially important at a point when you have to trust the results to install software on your system.

1 Like
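Added example (not part of the post above and not the ROS project's own install script): the lower-level setup the post argues for, covering the three things it says apt-add-repository cannot do: a `signed-by` keyring, an `arch` restriction, and a chosen file name. The `KEYRING` and `LIST` paths and the function names are assumptions made for this example; the repository URI is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not the ROS project's own installer.
# Assumed paths: KEYRING and LIST are names chosen for this example.
KEYRING="${KEYRING:-/usr/share/keyrings/ros-archive-keyring.gpg}"
LIST="${LIST:-/etc/apt/sources.list.d/ros2.list}"
REPO_URI="http://packages.ros.org/ros2/ubuntu"   # URI quoted in the thread

# Build one sources.list entry from: arch, keyring path, suite.
ros_source_line() {
    printf 'deb [arch=%s signed-by=%s] %s %s main\n' "$1" "$2" "$REPO_URI" "$3"
}

# Convert an armored key file (a downloaded ros.asc) into the binary keyring.
# Written to a temporary name first so a gpg failure never leaves a
# truncated keyring behind.
install_keyring() {
    gpg --show-keys "$1" || return 1      # fingerprint and expiry, for review
    gpg --dearmor < "$1" > "$KEYRING.new" || { rm -f "$KEYRING.new"; return 1; }
    mv "$KEYRING.new" "$KEYRING"
}

# Write the repository entry under a file name we control.
write_source() {
    ros_source_line "$1" "$KEYRING" "$2" > "$LIST"
}

# Typical use as root, after downloading ros.asc to /tmp/ros.asc:
#   install_keyring /tmp/ros.asc &&
#   write_source "$(dpkg --print-architecture)" "$(lsb_release -cs)" &&
#   apt-get update
```

With `signed-by`, apt accepts this key only for this repository, whereas a key added with `apt-key add` is trusted for every configured source.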

For ROS Noetic with Debian Buster I still see some problems with the GPG keys in armhf using:

curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | apt-key add -
echo "deb http://packages.ros.org/noetic/ubuntu `lsb_release -cs` main" \
  > /etc/apt/sources.list.d/noetic-latest.list;

Error:

gpg: no valid OpenPGP data found.

and

W: GPG error: http://packages.ros.org/ros/ubuntu buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F42ED6FBAB17C654
E: The repository 'http://packages.ros.org/ros/ubuntu buster InRelease' is not signed.

For Ubuntu-Mate 16.04 /ROS Kinetic (Turtlebot3 Burger), same error:
~$ curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | sudo apt-key add -
gpg: no valid OpenPGP data found.

There are no known issues with the infrastructure and the keys available have been validated. @TSC21 @Red24dog These both look like problems with the download. Most commonly this is missing CA certificates, or your clock being incorrectly set on the system, which invalidates the SSL certificates. If anyone is still having issues please ask a question on answers.ros.org to get help.

My reproduction

I validated that it works, then removed the keys to show how the error can be reproduced, and showed the error output that’s being piped into the gpg instance instead of the key itself.

root@c4606cbad79c:/# curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | apt-key add -
OK
root@c4606cbad79c:/# sudo apt-get remove ca-certificates
bash: sudo: command not found
root@c4606cbad79c:/# apt-get remove ca-certificates
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  openssl
Use 'apt autoremove' to remove it.
The following packages will be REMOVED:
  ca-certificates
0 upgraded, 0 newly installed, 1 to remove and 1 not upgraded.
After this operation, 412 kB disk space will be freed.
Do you want to continue? [Y/n] 
(Reading database ... 7449 files and directories currently installed.)
Removing ca-certificates (20200601~deb10u2) ...
Removing dangling symlinks from /etc/ssl/certs... done.
root@c4606cbad79c:/# curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | apt-key add -
gpg: no valid OpenPGP data found.
root@c4606cbad79c:/# history
    1  apt-get update  && apt-get install curl
    2  curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | apt-key add -
    3  apt-get install gnupg
    4  curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | apt-key add -
    5  sudo apt-get remove ca-certificates
    6  apt-get remove ca-certificates
    7  curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | apt-key add -
    8  history
root@c4606cbad79c:/# curl https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc 
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

1 Like
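Added example (not part of the reproduction above): shell helpers that separate the failure modes seen in this thread, namely an expired key (`EXPKEYSIG`), a missing key (`NO_PUBKEY`), and a download that `curl -s` silently turned into empty input for gpg. The function names are hypothetical and the sample input is constructed from the error lines quoted in the thread.

```shell
#!/bin/sh
# Added example: triage apt GPG failures and guard the key download.

# Read apt output on stdin; print "<cause> <keyid>" once per distinct failure.
# EXPKEYSIG = key is installed but expired; NO_PUBKEY = key is not installed.
classify_apt_gpg_errors() {
    sed -n -e 's/.*EXPKEYSIG \([0-9A-F]\{16\}\).*/expired \1/p' \
           -e 's/.*NO_PUBKEY \([0-9A-F]\{16\}\).*/missing \1/p' | sort -u
}

# Return 0 only if the file looks like an ASCII-armored OpenPGP public key.
# An empty file (all that a failed `curl -s` produces) returns 1.
is_armored_pubkey() {
    [ -s "$1" ] && grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"
}

# Fetch URL $1 into file $2, surfacing curl's error instead of hiding it.
# Exit code 60 is the certificate failure shown in the reproduction.
fetch_key() {
    curl -fsSL "$1" -o "$2"; rc=$?
    case $rc in
        0)  is_armored_pubkey "$2" || { echo "not an OpenPGP key: $2" >&2; return 1; } ;;
        60) echo "TLS verification failed: check ca-certificates and clock" >&2
            return 60 ;;
        *)  echo "download failed, curl exit $rc" >&2; return "$rc" ;;
    esac
}

# Constructed sample: error lines copied from the posts in this thread.
sample_apt_output() {
    cat <<'EOF'
Err:2 http://packages.ros.org/ros/ubuntu focal InRelease
  The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <info@osrfoundation.org>
W: GPG error: http://packages.ros.org/ros/ubuntu focal InRelease: The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <info@osrfoundation.org>
W: GPG error: http://packages.ros.org/ros/ubuntu buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F42ED6FBAB17C654
EOF
}

# Example: apt-get update 2>&1 | classify_apt_gpg_errors
```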

How would I do this on a windows machine? The apt-key add command doesn’t work on windows.

Windows does not use apt for installing ROS and was not affected by this incident.

Hi, please I am new to ROS and tried the command for ROS1. It did not work. I run the command and the terminal displays “OK”, but when I do a sudo apt update I still see errors involving the GPG key and I can’t install anything. I am using ubuntu version 18.04 and ROS melodic. Is there something I am doing wrong?

It’s likely that there’s something not quite set up correctly. As directed above, please ask for help on answers.ros.org, first looking to see if anyone else has had the same problem, and if not, please ask your own question. Make sure to include full details of what you’ve done, as well as the full commands you’re running and the full console outputs, so that we can reproduce your issue. We can help you there without emailing most of the community.