ROS Resources: Documentation | Support | Discussion Forum | Service Status | Q&A answers.ros.org

ROS GPG Key Expiration Incident

Done. Simply bump to ros-tooling/setup-ros@0.2.1. There is nothing to do for people using @v0.2.

3 Likes

Wonderful, works like a charme. Thanks!

1 Like

+1, worked fine. Thanks for the prompt update.

Any idea when are the ROS 2 Docker images going to be usable again?

Thanks!

9 Likes

@christophebedard Thanks a lot. Works great!

1 Like

Affected images should be rebuilt soon after this gets mered upstream by the librarians:

2 Likes

:+1:

In the meantime you can setup the new key in your container before installing more packages.
For example:

docker run -it --rm ros:foxy
apt update || apt install -y curl && curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | apt-key add -
3 Likes

Just noticed the docker images were updated, thanks to everyone involved in fixing this!
Much appreciated.

Maybe I’m jumping the gun, but it doesn’t look like the focal/noetic images were updated. I don’t see a new GitCommit in the above PR for the focal noetic-ros-core.

I was looking at the dockerhub, seems like the noetic and focal image tags were updated:
Focal
Noetic

Noetic images still do not work.

16:30 $ docker pull ros:noetic-robot
noetic-robot: Pulling from library/ros
Digest: sha256:61660593caa87bb2a0299c363a2a408998362502e38ba2acf88f8801d0576548
Status: Image is up to date for ros:noetic-robot
docker.io/library/ros:noetic-robot
16:30 $ docker run -it  ros:noetic-robot bash
root@52910c874989:/# sudo apt-get update
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:2 http://packages.ros.org/ros/ubuntu focal InRelease [4676 B]              
Get:3 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]                           
Err:2 http://packages.ros.org/ros/ubuntu focal InRelease          
  The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <info@osrfoundation.org>
Get:4 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [27.6 kB]
Get:5 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [728 kB]
Get:6 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [836 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]      
Get:8 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [275 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]     
Get:10 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:11 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:13 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [315 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [975 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1272 kB]
Get:17 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [29.8 kB]
Get:18 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [4305 B]
Reading package lists... Done                               
W: GPG error: http://packages.ros.org/ros/ubuntu focal InRelease: The following signatures were invalid: EXPKEYSIG F42ED6FBAB17C654 Open Robotics <info@osrfoundation.org>
E: The repository 'http://packages.ros.org/ros/ubuntu focal InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

foxy images still do not work. In fact, the last update in Dockerhub is 7 days ago: Docker Hub

2 Likes

More updates here:

3 Likes

The new key has now propagated to all ros:* and osrf/ros:* images. Thanks all for your patience.

If you encounter any issues don’t hesitate to open a ticket here

Happy containing

4 Likes

@cottsay : You’re right, the key wasn’t changed, only the expiration date was extended, so we don’t need to change the installation instructions. Thanks for clearing that up!

Would it be possible to please simplify the ROS key and install process with:

sudo apt-add-repository ppa:ros/foxy
sudo apt update && sudo apt install ros-foxy-desktop

This is much more memorizable then the current curl/tee/foo and a lot of other software is this easy to install.

We have now published this:

Unfortunately the shorthand used for the PPA is only valid for the official Ubuntu hosted PPAs which cannot support our use cases. If you’re not using the Canonical hosted PPAs you still have to fetch the keys explicitly which is important to make clear as this is your source of trust.

Thus you could use it instead of the echoing the source line like this: apt-add-repository "http://packages.ros.org/ros2/ubuntu focal main"

Limitations of apt-add-repository:

  • It requires a larger dependency requirements for base installation
  • Doesn’t support signed-by argument
  • Doesn’t support arch arguments
  • You can’t control the name of the file

Thus sticking with the lower level tools is both more powerful and more transparent as to what’s happening which is especially important at a point when you have to trust the results to install software on your system.

1 Like

For ROS Noetic with Debian Buster I still see some problems with the GPG keys in armhf using:

curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | apt-key add -
echo "deb http://packages.ros.org/noetic/ubuntu `lsb_release -cs` main" \
  > /etc/apt/sources.list.d/noetic-latest.list;

Error:

gpg: no valid OpenPGP data found.

and

W: GPG error: http://packages.ros.org/ros/ubuntu buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F42ED6FBAB17C654
E: The repository 'http://packages.ros.org/ros/ubuntu buster InRelease' is not signed.

For Ubuntu-Mate 16.04 /ROS Kinetic (Turtlebot3 Burger), same error:
~$ curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | sudo apt-key add -
gpg: no valid OpenPGP data found.