dl.yarnpkg.com/debianv is missing GPG NO_PUBKEY #6885
Comments
You're missing the public key. Run this to get it:
Please let me know if you still encounter issues after doing that.
Following the commands described here: #4453 (comment) seems to fix the issue.
@Daniel15 does apt not have an auto update GPG key feature? I can't believe I have to fix all expiring keys manually.
I don't think there is, unfortunately. 😢 Debian distribute all their keys in a package (https://packages.debian.org/buster/debian-archive-keyring) so whenever they need to roll out a new key (eg. for a new Debian release, or if they rotate them for some other reason), they add it to that package, but keep signing with the old key for a while such that most people will have the new key by the time they switch across. That's not really doable in our case though, as the problem with having the keys in a package is that the repo that package is in also needs to be signed. In Debian's case they include the package on the installation CD, which bootstraps the initial version. For custom repos, you always need some custom steps to get the signing key.
Wow. I thought at least you had a field in a debian package that could point to a key server to auto update key close to expiring. I guess I see the security flaw in pointing to the Internet for a public key but it would not be much different than Gonna write down your one-liner for next time.
You can also find that command on the installation page (https://yarnpkg.com/en/docs/install#debian-stable) if you ever need it again 😃
You're right but
You could still distribute your keys with a package. You would still need to install the current key first when adding the repository but the day you decide to change your signing key, everything is handled automatically by the package. Right now, apt complains that your repo is not safe because the key changed and needs manual (re)configuration.
Do the same using only
or (currently):
@Daniel15 I've noticed
Now that I think about it, you've still got to install their key manually the first time. But then it gets updated automatically. Or so I think.
@x-yuri, that is the way to go if you want to automatically keep your repository keys updated. Having such a package for this repo,
@r4co0n Could you file an issue? You seem to better understand how it works, and what exact benefits it would bring.
@x-yuri: I have filed an issue. Please check it and see if you have anything to add. G'day
It resolved the issue for me. Many thanks.
I am unable to fix this following the suggestions here on Ubuntu 20.04
Same here
Reporting it here since https://github.com/yarnpkg/releases does not have an issue list.
Possible duplicate of #4453 and #6865. But I just got this error, I wouldn't call it fixed.
An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
Some index files failed to download. They have been ignored, or old ones used instead.
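Added example, not part of the original issue or of the Yarn project's code: a shell function that pulls the repository, suite and key ID out of `NO_PUBKEY` errors like the one reported above, so every missing signing key on a host can be listed in one pass. The function names, the `W:` prefixes, and the `repo.example.invalid` repository with its key IDs are constructed for illustration.

```shell
#!/bin/sh
# missing_apt_keys: read `apt-get update` output on stdin and print one
# "<repo-url> <suite> <key-id>" line per distinct missing signing key.
# Typical use (assumed invocation): sudo apt-get update 2>&1 | missing_apt_keys
missing_apt_keys() {
    awk '
    {
        # Only "GPG error: <url> <suite> <file>: ..." lines name the repo.
        # "Failed to fetch" lines repeat the key ID and are skipped.
        pos = index($0, "GPG error: ")
        if (pos == 0) next
        rest = substr($0, pos + length("GPG error: "))
        n = split(rest, f, " ")
        if (n < 3) next
        url = f[1]; suite = f[2]
        # apt may list several keys on one line: NO_PUBKEY A NO_PUBKEY B
        for (i = 3; i < n; i++) {
            id = f[i + 1]
            if (f[i] != "NO_PUBKEY") continue
            # Accept only 16-hex-digit long key IDs, as apt prints them.
            if (length(id) != 16 || id !~ /^[0-9A-Fa-f]+$/) continue
            key = url " " suite " " id
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    }'
}

# Constructed sample: the yarn lines follow the error text in this issue;
# the repo.example.invalid lines and their key IDs are made up.
sample_apt_output() {
    cat <<'EOF'
Hit:1 http://archive.example.invalid/ubuntu focal InRelease
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: GPG error: https://repo.example.invalid/apt focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF NO_PUBKEY FEDCBA9876543210
W: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
}

sample_apt_output | missing_apt_keys
```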