
ROS GPG Key Expiration Incident

Done. Simply bump to ros-tooling/setup-ros@0.2.1. There is nothing to do for people using @v0.2.


Wonderful, works like a charm. Thanks!

1 Like

+1, worked fine. Thanks for the prompt update.

Any idea when are the ROS 2 Docker images going to be usable again?



@christophebedard Thanks a lot. Works great!

1 Like

Affected images should be rebuilt soon after this gets merged upstream by the librarians:



In the meantime you can set up the new key in your container before installing more packages.
For example:

docker run -it --rm ros:foxy
apt update || apt install -y curl && curl -s | apt-key add -

Just noticed the docker images were updated, thanks to everyone involved in fixing this!
Much appreciated.

Maybe I’m jumping the gun, but it doesn’t look like the focal/noetic images were updated. I don’t see a new GitCommit in the above PR for the focal noetic-ros-core.

I was looking at the dockerhub, seems like the noetic and focal image tags were updated:

Noetic images still do not work.

16:30 $ docker pull ros:noetic-robot
noetic-robot: Pulling from library/ros
Digest: sha256:61660593caa87bb2a0299c363a2a408998362502e38ba2acf88f8801d0576548
Status: Image is up to date for ros:noetic-robot
16:30 $ docker run -it  ros:noetic-robot bash
root@52910c874989:/# sudo apt-get update
Get:1 focal-security InRelease [114 kB]
Get:2 focal InRelease [4676 B]              
Get:3 focal InRelease [265 kB]                           
Err:2 focal InRelease          
  The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <>
Get:4 focal-security/multiverse amd64 Packages [27.6 kB]
Get:5 focal-security/universe amd64 Packages [728 kB]
Get:6 focal-security/main amd64 Packages [836 kB]
Get:7 focal-updates InRelease [114 kB]      
Get:8 focal-security/restricted amd64 Packages [275 kB]
Get:9 focal-backports InRelease [101 kB]     
Get:10 focal/universe amd64 Packages [11.3 MB]
Get:11 focal/main amd64 Packages [1275 kB]
Get:12 focal/multiverse amd64 Packages [177 kB]
Get:13 focal/restricted amd64 Packages [33.4 kB]
Get:14 focal-updates/restricted amd64 Packages [315 kB]
Get:15 focal-updates/universe amd64 Packages [975 kB]
Get:16 focal-updates/main amd64 Packages [1272 kB]
Get:17 focal-updates/multiverse amd64 Packages [29.8 kB]
Get:18 focal-backports/universe amd64 Packages [4305 B]
Reading package lists... Done                               
W: GPG error: focal InRelease: The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <>
E: The repository ' focal InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

foxy images still do not work. In fact, the last update in Dockerhub is 7 days ago: Docker Hub


More updates here:


The new key has now propagated to all ros:* and osrf/ros:* images. Thanks all for your patience.

If you encounter any issues don’t hesitate to open a ticket here

Happy containing


@cottsay : You’re right, the key wasn’t changed, only the expiration date was extended, so we don’t need to change the installation instructions. Thanks for clearing that up!

Would it be possible to please simplify the ROS key and install process with:

sudo apt-add-repository ppa:ros/foxy
sudo apt update && sudo apt install ros-foxy-desktop

This is much more memorizable than the current curl/tee/foo and a lot of other software is this easy to install.

We have now published this:

Unfortunately the shorthand used for the PPA is only valid for the official Ubuntu hosted PPAs which cannot support our use cases. If you’re not using the Canonical hosted PPAs you still have to fetch the keys explicitly which is important to make clear as this is your source of trust.

Thus you could use it instead of echoing the source line like this: apt-add-repository " focal main"

Limitations of apt-add-repository:

  • It has larger dependency requirements for base installation
  • Doesn’t support signed-by argument
  • Doesn’t support arch arguments
  • You can’t control the name of the file

Thus sticking with the lower level tools is both more powerful and more transparent as to what’s happening which is especially important at a point when you have to trust the results to install software on your system.

1 Like
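
The lower-level setup argued for in the post above, as an added example that is not part of the original post or of the ROS installation instructions: it writes the source entry by hand so that `signed-by`, `arch` and the file name are all explicit, and it refuses a keyring that is empty or is not an OpenPGP public key. The function names, the paths and the repository URL in the usage comment are placeholders, and pairing `.asc` with armored keys and `.gpg` with binary keys is the convention this example enforces.

```shell
#!/bin/sh
# Added example. Function names, paths and URLs are placeholders.

# key_format FILE -> prints "armored", "binary" or "invalid".
key_format() {
    # An empty file is what a silently failed download leaves behind.
    [ -s "$1" ] || { echo invalid; return 0; }
    if head -n 1 "$1" | grep -q -e '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
        return 0
    fi
    # A binary OpenPGP public-key packet starts with 0x98, 0x99 or 0xC6.
    case $(od -An -tx1 -N1 "$1" | tr -d ' \n') in
        98|99|c6) echo binary ;;
        *)        echo invalid ;;   # e.g. an HTML error page saved as the key
    esac
}

# write_source LIST_FILE KEYRING ARCH REPO_URL SUITE
# Writes a one-line source entry pinned to a single keyring and architecture.
write_source() {
    list_file=$1 keyring=$2 arch=$3 repo_url=$4 suite=$5
    fmt=$(key_format "$keyring")
    # Convention enforced here: .asc holds armored keys, .gpg binary ones.
    case "$fmt:$keyring" in
        armored:*.asc|binary:*.gpg) ;;
        *) echo "refusing: $keyring is $fmt for its extension" >&2
           return 1 ;;
    esac
    printf 'deb [arch=%s signed-by=%s] %s %s main\n' \
        "$arch" "$keyring" "$repo_url" "$suite" > "$list_file"
}

# Usage (placeholders throughout):
#   write_source /etc/apt/sources.list.d/ros-example.list \
#       /usr/share/keyrings/ros-example.gpg amd64 \
#       https://repo.example.invalid/ubuntu focal
```
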

For ROS Noetic with Debian Buster I still see some problems with the GPG keys in armhf using:

curl -s | apt-key add -
echo "deb `lsb_release -cs` main" \
  > /etc/apt/sources.list.d/noetic-latest.list;


gpg: no valid OpenPGP data found.


W: GPG error: buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F42ED6FBAB17C654
E: The repository ' buster InRelease' is not signed.

For Ubuntu-Mate 16.04 /ROS Kinetic (Turtlebot3 Burger), same error:
~$ curl -s | sudo apt-key add -
gpg: no valid OpenPGP data found.
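
The three signing failures quoted in this thread (`EXPKEYSIG`, `NO_PUBKEY` and gpg's "no valid OpenPGP data found") have different causes, so an image build or CI job can usefully tell them apart. The following is an added example, not part of any post above; the function names and output labels are assumptions, and the sample log is constructed from lines quoted in the thread.

```shell
#!/bin/sh
# Added example. Reads apt-get / apt-key output on stdin and prints one line
# per distinct signing problem, in the form "<class> <key id or ->".
classify_apt_errors() {
    awk '
        # Signature made by a key that is installed but past its expiry date.
        /EXPKEYSIG/ {
            for (i = 1; i < NF; i++)
                if ($i == "EXPKEYSIG") seen["expired " $(i + 1)] = 1
        }
        # Signing key is not in any keyring apt consults.
        /NO_PUBKEY/ {
            for (i = 1; i < NF; i++)
                if ($i == "NO_PUBKEY") seen["missing " $(i + 1)] = 1
        }
        # The bytes piped into apt-key were not a key, for example an
        # empty or failed download that "curl -s" did not report.
        /no valid OpenPGP data found/ { seen["bad-key-download -"] = 1 }
        END { for (k in seen) print k }
    ' | LC_ALL=C sort
}

# Constructed sample: lines copied from the outputs quoted in this thread.
sample_log() {
    cat <<'EOF'
Err:2 focal InRelease
  The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <>
W: GPG error: focal InRelease: The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <>
E: The repository ' focal InRelease' is not signed.
gpg: no valid OpenPGP data found.
W: GPG error: buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F42ED6FBAB17C654
EOF
}

sample_log | classify_apt_errors
```

An `expired` finding is cleared by importing the same key again with its extended expiration date, as described earlier in the thread; `missing` together with `bad-key-download` means the import itself never succeeded.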