ROS signing key migration guide

For those frequently pulling supported docker images from the osrf official repos, is this step necessary? i.e. does the command `sudo apt update && sudo apt install ros2-apt-source` need to be run after the `FROM` statement, or will this be included/backported to the default docker images?

2 Likes

will this be included/backported to the default docker images?

The change has been submitted to the official docker images repo: [ros] install dedicated deb to setup apt gpg key instead of installing keys the old way by mikaelarguedas · Pull Request #19162 · docker-library/official-images · GitHub

It might take a couple days to take effect (review/merge/rebuild/rebuild of downstream images)

Thanks @tfoote for the help getting this out promptly!

6 Likes

In the meantime the following workaround can be used:

ROS 2

RUN rm /etc/apt/sources.list.d/ros2-latest.list \
  && rm /usr/share/keyrings/ros2-latest-archive-keyring.gpg

RUN apt-get update \
  && apt-get install -y ca-certificates curl

RUN export ROS_APT_SOURCE_VERSION=$(curl -s https://api.github.com/repos/ros-infrastructure/ros-apt-source/releases/latest | grep -F "tag_name" | awk -F\" '{print $4}') ;\
    curl -L -s -o /tmp/ros2-apt-source.deb "https://github.com/ros-infrastructure/ros-apt-source/releases/download/${ROS_APT_SOURCE_VERSION}/ros2-apt-source_${ROS_APT_SOURCE_VERSION}.$(. /etc/os-release && echo $VERSION_CODENAME)_all.deb" \
    && apt-get update \
    && apt-get install /tmp/ros2-apt-source.deb \
    && rm -f /tmp/ros2-apt-source.deb

ROS 1

RUN rm /etc/apt/sources.list.d/ros1-latest.list \
  && rm /usr/share/keyrings/ros1-latest-archive-keyring.gpg

RUN apt-get update \
  && apt-get install -y ca-certificates curl

RUN export ROS_APT_SOURCE_VERSION=$(curl -s https://api.github.com/repos/ros-infrastructure/ros-apt-source/releases/latest | grep -F "tag_name" | awk -F\" '{print $4}') ;\
    curl -L -s -o /tmp/ros-apt-source.deb "https://github.com/ros-infrastructure/ros-apt-source/releases/download/${ROS_APT_SOURCE_VERSION}/ros-apt-source_${ROS_APT_SOURCE_VERSION}.$(. /etc/os-release && echo $VERSION_CODENAME)_all.deb" \
    && apt-get update \
    && apt-get install /tmp/ros-apt-source.deb \
    && rm -f /tmp/ros-apt-source.deb

Cross-reference: docker images use invalid key (expired 2025-06-01): `humble-ros-base`, `kilted-ros-base`, `rolling-ros-base`, ... · Issue #807 · osrf/docker_images · GitHub

6 Likes

Hi,

On ROS1 Ubuntu/Debian, aren’t you missing an:
apt-key add /usr/share/keyrings/ros-archive-keyring.gpg
after the curl of the new GPG key?

1 Like

Hi there,

The key hasn’t been renewed on keyserver.ubuntu.com; is there a plan to do so?

Thanks.

4 Likes

I noticed that the key used to sign the ROS snapshot repo at snapshots.ros.org expired yesterday too (it’s the one listed in the usage section on the wiki page about the snapshot repo). There’s also a comment in the ROS 2 Dockerfiles about the new approach not being applicable to the snapshot repo. What is the right way to use the snapshot repo with the new keys?

edit: In case it makes a difference, I’m trying to use the 2025-01-20 Jazzy snapshot.

4 Likes

I was using the ros-iron image and, due to this commit, I had to change the file to remove as follows:

RUN rm /etc/apt/sources.list.d/ros2-snapshots.list && \
    rm /usr/share/keyrings/ros2-snapshots-archive-keyring.gpg

Snapshot repo key expired – ros2-apt-source doesn’t work with snapshots
The key used for the snapshot repository at snapshots.ros.org expired recently, and it’s currently not possible to use it with the default GPG key mechanism.
I also tried using the new ros2-apt-source package, hoping it would fix the key issue, but it doesn’t support the snapshot repo either. Even after installing ros2-apt-source and updating, I still can’t add the snapshot repo in a clean way.
Is there an official way to use ROS snapshot repositories with the new key setup, or a recommended workaround that keeps the repository trusted securely?
Thanks

2 Likes

Not working for me. Got an error: Unable to locate package ros2-apt-source.

Ubuntu 18.04 with ROS2 Humble from “autoware:20240828-autoware-universe-cuda” official image.

Is this supposed to be like this (no package for Ubuntu 18.04) or am I missing something?

[UPD]: Next day I realized that my whole comment is a bs:

  • First of all there is Ubuntu 22 in “autoware:20240828-autoware-universe-cuda” image.
  • “ros2-apt-source” is there and available for apt.
  • Everything is fine. You just need to update a correct gpg keyring, trigger apt update and install the package.

1 Like

Yes, the supported OSes for the package are the ones described in REP 2000 (for Humble that is 22.04), as listed in the migration guide.

You can do a manual update of the key to keep fetching the packages by doing

sudo curl -sSL https://raw.githubusercontent.com/ros/rosdistro/master/ros.key -o /usr/share/keyrings/ros-archive-keyring.gpg

Assuming you followed the installation instructions from the docs.

The name of the file in my case was not the ros-archive-keyring.gpg, but ros2-latest-archive-keyring.gpg instead.

This helped in my case (Ubuntu 22.04.4 LTS + ROS2 Humble). Maybe this will be useful for someone else:

ROS2_LATEST_ARCHIVE_KEYRING="/usr/share/keyrings/ros2-latest-archive-keyring.gpg"

sudo rm -f "${ROS2_LATEST_ARCHIVE_KEYRING}"
sudo curl -sSL https://raw.githubusercontent.com/ros/rosdistro/master/ros.key -o "${ROS2_LATEST_ARCHIVE_KEYRING}"

2 Likes
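A check for the failure discussed in this thread, added here as an example and not taken from any post or from the ROS project: it reads `gpg --with-colons` output and reports every primary key or subkey that has expired, so a replaced keyring can be confirmed before running `apt update`. The function names and the sample listing are constructed for illustration; `check_keyring` assumes a GnuPG version that provides `--show-keys`.

```shell
#!/bin/sh
# Added example: flag expired keys in an apt keyring from `gpg --with-colons` output.

# expired_keys NOW_EPOCH
# Reads colon-format key records on stdin and prints "<pub|sub> <fingerprint> <expiry>"
# for every primary key or subkey whose expiry (field 7, seconds since the epoch;
# empty means the key never expires) is at or before NOW_EPOCH.
expired_keys() {
    awk -F: -v now="$1" '
        $1 == "pub" || $1 == "sub" { kind = $1; expiry = $7; next }
        # The first fpr record after a pub/sub record holds that key fingerprint in field 10.
        $1 == "fpr" && kind != "" {
            if (expiry != "" && expiry + 0 <= now + 0) print kind, $10, expiry
            kind = ""
        }
    '
}

# check_keyring FILE: run the check on a real keyring against the current time.
# Assumes a GnuPG version that provides --show-keys; returns 1 if anything is expired.
check_keyring() {
    found=$(gpg --show-keys --with-colons "$1" 2>/dev/null | expired_keys "$(date +%s)")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample listing (fingerprints and dates are made up, not real ROS keys):
# an expired primary key, a valid primary key with an expired subkey, a key with no expiry.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAAA:1559347200:1748736000::-:::sc::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:e::::1559347200::0000::Constructed Expired Key <expired@example.invalid>::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1748736000:1906416000::-:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
sub:e:4096:1:CCCCCCCCCCCCCCCC:1559347200:1748736000:::::e::::::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
pub:-:255:22:DDDDDDDDDDDDDDDD:1748736000:::-:::scESC:::::ed25519:::0:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
EOF
}

# Demo on the constructed sample, evaluated as of 2025-06-02 00:00 UTC.
sample_listing | expired_keys 1748822400
```

In an image build, `check_keyring /usr/share/keyrings/ros2-latest-archive-keyring.gpg` (the path from the post above) fails the step early when the keyring still holds an expired key.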

Managed to bypass the snapshots.ros.org issue by doing this on my bionic melodic build:

RUN rm /etc/apt/sources.list.d/ros1-snapshots.list
RUN apt update && apt install -y curl
RUN curl -sSL https://raw.githubusercontent.com/ros/rosdistro/master/ros.key -o /usr/share/keyrings/ros-archive-keyring.gpg
RUN echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/ros-archive-keyring.gpg] http://packages.ros.org/ros/ubuntu bionic main" | sudo tee /etc/apt/sources.list.d/ros1-snapshots.list

This has been renewed. Thanks :+1:

1 Like

Thanks for your suggestion.
Unfortunately, what you describe works for the official packages.ros.org repository, but not for the ROS snapshot repository hosted at snapshots.ros.org.
Using the new signed-by=/usr/share/keyrings/ros-archive-keyring.gpg approach doesn’t apply either, because it’s not designed for the snapshot repo.

The Official Dockerhub ROS images have been updated.

New tags can be seen here:

https://hub.docker.com/_/ros/tags

I’ve verified the rebuilds can use the new GPG keys.

4 Likes

The snapshots repo has a different key and setup (won’t be using this package). I’m working on updating it between today and tomorrow. I will follow up on this thread. Thanks for reporting @Hamda_Kheemiri

5 Likes

The osrf/ros images (simulation, desktop, desktop-full images) are now available for all active ROS 2 distros


The noetic images will land later once the snapshots repo key is updated

7 Likes

Any news on the snapshot key update? This is pretty disruptive for us.

3 Likes

Yes, snapshots is causing us angst too, many of our CI/CD jobs failing for nearly a week now. Many work streams on hold.

@Brian_Sidebotham and @bruce_chapman, the key is updated on the keyserver. To unblock it you would need to refetch the key by following the same steps as in the wiki:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 4B63CF8FDE49746E98FA01DDAD19BAB3CBF125EA

(cc: @Hamda_Kheemiri, @schornakj as well :slightly_smiling_face:)

5 Likes