We are again upon the brink of the ROS signing key expiration (June 1st) and from the Infrastructure PMC we are happy to announce a new package for ROS key and repository management.
The set of packages ros-apt-source and ros2-apt-source for Ubuntu and ros2-release for RHEL provide both the signing key and the repository configuration for ROS and ROS 2.
This is a big step towards a simpler key update path, allowing the ROS project to rotate keys while keeping ROS users in sync as long as they keep their system up to date! From a security standpoint, having the ability to rotate keys without breaking ROS users has been a longtime goal for the Infrastructure PMC and this is the first step towards it.
There are two flavors of the package for Ubuntu/Debian distributions:
- ros-apt-source and ros2-apt-source: provide key and repository configuration for the ROS and ROS 2 main repositories (http://packages.ros.org/ros, http://packages.ros.org/ros2) respectively.
- ros-testing-apt-source and ros2-testing-apt-source: provide key and repository configuration for the ROS and ROS 2 testing repositories (http://packages.ros.org/ros-testing, http://packages.ros.org/ros2-testing) respectively.
For RHEL there is a single package, ros2-release, that configures both main and testing repositories and enables the main repository as the default behavior.
How to migrate (before June 1st)
Given a setup that has the ROS key and repository configuration from the former installation steps, perform the following steps:
Ubuntu/Debian
Install the new package using the previous repository configuration:
# if ROS 1
sudo apt update && sudo apt install ros-apt-source
# if ROS 2
sudo apt update && sudo apt install ros2-apt-source
Remove the old repository configuration files; otherwise apt will break due to a key conflict (these files might be different on your system if you did not follow the installation steps):
# If using ROS 1
sudo rm /etc/apt/sources.list.d/ros-latest.list
sudo apt-key del "C1CF 6E31 E6BA DE88 68B1 72B4 F42E D6FB AB17 C654"
# If using ROS 2
sudo rm /etc/apt/sources.list.d/ros2.list
sudo rm /usr/share/keyrings/ros-archive-keyring.gpg
Test that packages are still discovered and thus installable:
sudo apt update
sudo apt search ^package_name  # for example ros-rolling-desktop-full
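To confirm the cleanup step above was completed, the following added example (not code from the Infrastructure PMC or from the new packages) reports legacy files that are still on disk and any packages.ros.org repository that is configured in more than one file under sources.list.d. The function names are hypothetical; the legacy paths are the ones listed in the steps above.

```bash
#!/usr/bin/env bash
# Added example: audit for pre-migration ROS apt configuration left on disk.
# Pass a root directory to check a scratch tree; the default is the live system.

# Legacy paths named in the migration steps above.
LEGACY_PATHS="etc/apt/sources.list.d/ros-latest.list
etc/apt/sources.list.d/ros2.list
usr/share/keyrings/ros-archive-keyring.gpg"

# Print each legacy file that still exists under the given root.
ros_legacy_leftovers() {
    local root="${1:-/}" p
    for p in $LEGACY_PATHS; do
        if [ -e "${root%/}/$p" ]; then printf '/%s\n' "$p"; fi
    done
}

# Print each packages.ros.org repository configured in more than one file
# under sources.list.d (old .list entry and new package file side by side).
ros_duplicate_sources() {
    local root="${1:-/}" dir f
    dir="${root%/}/etc/apt/sources.list.d"
    set --
    for f in "$dir"/*.list "$dir"/*.sources; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ "$#" -gt 0 ] || return 0
    awk '
        /^[ \t]*#/ { next }   # ignore commented-out entries
        match($0, /https?:\/\/packages\.ros\.org\/[A-Za-z0-9_-]+/) {
            url = substr($0, RSTART, RLENGTH)
            if (!((url, FILENAME) in seen)) { seen[url, FILENAME] = 1; n[url]++ }
        }
        END { for (u in n) if (n[u] > 1) print u }
    ' "$@" | sort
}

# Return 0 when the tree is clean, 1 when anything above is reported.
ros_migration_audit() {
    local root="${1:-/}" left dup
    left=$(ros_legacy_leftovers "$root")
    dup=$(ros_duplicate_sources "$root")
    [ -z "$left" ] || printf 'legacy file still present: %s\n' $left
    [ -z "$dup" ] || printf 'repository configured twice: %s\n' $dup
    [ -z "$left$dup" ]
}
```

Source the file and run `ros_migration_audit /` after the cleanup; the checks only read files and need no root privileges.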
RHEL
Install the new package:
sudo dnf install ros2-release
Due to a name conflict, the new configuration is created at /etc/yum.repos.d/ros2.repo.rpmnew.
Replace the old configuration with the new one:
sudo rm /etc/yum.repos.d/ros2.repo
sudo mv /etc/yum.repos.d/ros2.repo.rpmnew /etc/yum.repos.d/ros2.repo
Test that packages are still discovered and thus installable:
sudo dnf update
sudo dnf search package_name  # for example ros-rolling-desktop
How do I migrate (after June 1st)?
There are two ways you can get the new package after June 1st:
- Update manually to the new key and run the migration guide above. To get the updated key run:
sudo rm /usr/share/keyrings/ros-archive-keyring.gpg
sudo curl -sSL https://raw.githubusercontent.com/ros/rosdistro/master/ros.key -o /usr/share/keyrings/ros-archive-keyring.gpg
- Remove the previous configuration by running the following commands and follow the new installation instructions for your ROS distribution.
# If using ROS 1
sudo rm /etc/apt/sources.list.d/ros-latest.list
sudo apt-key del "C1CF 6E31 E6BA DE88 68B1 72B4 F42E D6FB AB17 C654" # This is the old key fingerprint; you should see it when running apt-key list
# If using ROS 2
sudo rm /etc/apt/sources.list.d/ros2.list
sudo rm /usr/share/keyrings/ros-archive-keyring.gpg
FAQ
- Does it support ROS 1?
The package supports both ROS 1 and ROS 2 for the declared supported platforms on REP-2000. The list of supported ROS-OS pairs can be found here.
- What happens if I want to use a mirror of packages.ros.org?
For Debian-based systems (Ubuntu, Debian):
The package configures the source in the /etc/apt/sources.list.d/ directory but does not set a preference file. It's possible to add an additional source file (copied from the one provided by the package, with the source modified) that configures a different repository (the mirror URL) with a higher preference (see the apt_preferences documentation) so that packages are sourced from the mirror.
- I have already downloaded the package for the tutorial party/Kilted testing, do I need to do anything else?
If you downloaded the package for the release party then you have the testing repository configured. You will need to:
Debian
sudo apt remove ros2-testing-apt-source
Follow the instructions to set up from scratch: Ubuntu (deb packages) - ROS 2 Documentation: Kilted documentation
RHEL
In RHEL the package configures both repositories; you will need to disable the ros2-testing repo and enable the main one:
sudo dnf config-manager --disable ros2-testing
sudo dnf config-manager --enable ros2
- Can I still source the key the old way?
Even though this is the new recommended way of getting the ROS key, it does not prevent ROS users from using the previous way of setting up ROS repositories. The goal of this package is to provide an ergonomic way of configuring ROS repositories and an improved update pathway.
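For the mirror question in the FAQ above, this added example (not part of the packages or written by the Infrastructure PMC) derives a mirror source file from the package-provided one and writes a matching apt preference. The function name, the output file names and the priority value 900 are assumptions; the Signed-By entry is copied unchanged, so apt still verifies the mirror's metadata against the ROS key.

```bash
#!/usr/bin/env bash
# Added example: derive a mirror source file and an apt pin from the
# package-provided source file. All output file names are hypothetical.

# ros_mirror_config SRC MIRROR_URL ROOT
#   SRC        source file installed by the package (pass its actual path)
#   MIRROR_URL base URL that replaces http(s)://packages.ros.org
#   ROOT       tree to write into (use a scratch directory first)
ros_mirror_config() {
    local src="$1" mirror="${2%/}" root="${3%/}" host ext
    [ -f "$src" ] || { echo "no such source file: $src" >&2; return 1; }
    case "$mirror" in
        http://*|https://*) ;;
        *) echo "mirror must be an http(s) URL" >&2; return 1 ;;
    esac
    # Host name only: strip the scheme, any path and any port.
    host=${mirror#*://}; host=${host%%/*}; host=${host%%:*}
    ext=${src##*.}                      # keep the .list or .sources format
    mkdir -p "$root/etc/apt/sources.list.d" "$root/etc/apt/preferences.d"
    # Same entry, same Signed-By key, different repository host.
    sed "s|https\{0,1\}://packages\.ros\.org|$mirror|g" "$src" \
        > "$root/etc/apt/sources.list.d/ros-mirror.$ext"
    # Default priority is 500; a higher pin makes apt prefer the mirror.
    cat > "$root/etc/apt/preferences.d/ros-mirror" <<EOF
Package: *
Pin: origin "$host"
Pin-Priority: 900
EOF
}
```

Generate into a scratch directory first, review both files, then copy them into place and check the result with `apt-cache policy`.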
There is still some pending work to update the installation instructions across the docs that will be addressed during this week, as well as updates to the key hosted on the rosdistro repository and packages.ros.org, but we encourage you to start the migration as soon as possible.
As always feel free to ask questions here or in the #infra-help channel on Discord.