Update: Mostly resolved. Main security page lists both updated and rotated key fingerprints, PRs in place to update remaining docs. Just pull the new keys, as per the regular installation docs for your specific tool.
I was running my apt update this morning (as one does on Mondays) and got a complete failure due to the Debian GPG signing key rotation for Hashicorp. When I pulled the latest key from Hashicorp servers, I could not find any reference to the fingerprint in the docs. Here is what I got:
798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701
Here is where I looked for key fingerprints.
I assume that those docs are being updated rapidly, but this requires urgent attention. Users cannot run apt update until resolved. User path is:
apt update
fails due to GPG mismatch
one of the following:
A. user deletes/disables repo
B. user finds non-specific guide to use apt-key
C. user finds Hashicorp docs
Hashicorp docs do not show new fingerprint yet, alarming
Just want to start a public thread, since I am probably not the only one with this issue.
I’m seeing a similar issue with the AmazonLinux yum repos.
Public key for terraform-1.3.7-1.x86_64.rpm is not installed
(3/3): terraform-1.3.7-1.x86_64.rpm | 13 MB 00:00:01
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 2.9 MB/s | 14 MB 00:00:04
Retrieving key from https://rpm.releases.hashicorp.com/gpg
Invalid GPG Key from https://rpm.releases.hashicorp.com/gpg: No key found in given key data
A similar issue happens if I try to import the GPG key manually:
bash-4.2# rpm --import https://rpm.releases.hashicorp.com/gpg
error: https://rpm.releases.hashicorp.com/gpg: key 1 not an armored public key.
The fingerprint must match 798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701, which can also be verified at Security at HashiCorp under “Linux Package Checksum Verification”. Please note that there was a previous signing key used prior to January 23, 2022, which had the fingerprint E8A0 32E0 94D8 EB4E A189 D270 DA41 8C88 A321 9F7B. Details about this change are available at HashiCorp Services Status - Scheduled Maintenance | APT Repository.
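A way to perform the fingerprint check described in the reply above before importing anything into apt or rpm, as an added example that is not part of this thread and not HashiCorp tooling: the script de-armors a saved copy of the key (for instance the file fetched from https://rpm.releases.hashicorp.com/gpg), verifies the armor CRC, computes the v4 OpenPGP fingerprint of the first public-key packet, and compares it with the fingerprint published on the security page. Input that is not an armored public key block is rejected with an error, which is the condition rpm reported above as "not an armored public key". The built-in sample key is constructed with toy parameters only so the script runs offline; it is not a HashiCorp key, and the file name and the timestamp are assumptions.

```python
"""Check that a downloaded repository signing key carries the fingerprint
published on the vendor's security page (added example, not HashiCorp code)."""
import base64
import hashlib
import re
import struct
import sys

# Fingerprint of the rotated HashiCorp key, as quoted in the thread above.
EXPECTED_HASHICORP_FINGERPRINT = "798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701"

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data):
    """OpenPGP ASCII-armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Strip the armor, verify its CRC and return the raw packet bytes.
    Anything that is not an armored public key block raises ValueError,
    the condition rpm reports as 'not an armored public key'."""
    lines = [line.strip() for line in text.splitlines()]
    if BEGIN not in lines:
        raise ValueError("not an armored public key")
    pos = lines.index(BEGIN) + 1
    while pos < len(lines) and lines[pos]:      # skip "Version:"-style armor headers
        pos += 1
    b64, checksum = [], None
    for line in lines[pos + 1:]:
        if line == END:
            break
        if line.startswith("="):                # "=XXXX" is the CRC line
            checksum = line[1:]
        elif line:
            b64.append(line)
    else:
        raise ValueError("armor block not terminated")
    raw = base64.b64decode("".join(b64), validate=True)
    if checksum is not None:
        want = int.from_bytes(base64.b64decode(checksum), "big")
        if crc24(raw) != want:
            raise ValueError("armor CRC mismatch: key data corrupted or truncated")
    return raw


def first_packet(raw):
    """Return (tag, body) of the first OpenPGP packet (RFC 4880, section 4.2)."""
    if not raw or not raw[0] & 0x80:
        raise ValueError("not OpenPGP packet data")
    hdr = raw[0]
    if hdr & 0x40:                              # new-format header
        tag, first = hdr & 0x3F, raw[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + raw[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", raw[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                       # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << ltype
        length, off = int.from_bytes(raw[1:1 + size], "big"), 1 + size
    return tag, raw[off:off + length]


def fingerprint_of_body(body):
    """v4 fingerprint: SHA-1 over 0x99, the 2-byte body length and the body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are supported, got v%d" % body[0])
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def fingerprint_of(armored):
    tag, body = first_packet(dearmor(armored))
    if tag != 6:
        raise ValueError("first packet has tag %d, not a public key" % tag)
    return fingerprint_of_body(body)


def normalize(fp):
    return re.sub(r"\s+", "", fp).upper()


def pretty(fp):
    """Render in the 4-character groups used on the security page."""
    fp = normalize(fp)
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


def key_matches(armored, expected):
    return normalize(fingerprint_of(armored)) == normalize(expected)


def mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def build_sample_key():
    """Constructed v4 RSA public-key packet with toy, insecure parameters so the
    script runs offline; returns (body, armored). Not a real HashiCorp key."""
    body = b"\x04" + struct.pack(">I", 1674432000) + b"\x01" + mpi(0xC0FFEEDEADBEEF123456789ABCDEF1) + mpi(65537)
    raw = b"\x99" + struct.pack(">H", len(body)) + body   # old-format header, tag 6
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    armored = "\n".join([BEGIN, "", *[b64[i:i + 64] for i in range(0, len(b64), 64)], "=" + crc, END, ""])
    return body, armored


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_key()[1]
    fp = fingerprint_of(text)
    print("fingerprint:      ", pretty(fp))
    print("matches published:", key_matches(text, EXPECTED_HASHICORP_FINGERPRINT))
```

Save the key first (for example `curl -fsSL https://rpm.releases.hashicorp.com/gpg -o hashicorp.gpg`, a file name chosen here) and run `python3 check_key.py hashicorp.gpg`; import the key into apt or rpm only after the script reports a match. The expected value must come from the security page, not from the key you just downloaded, otherwise the comparison proves nothing. A CRC mismatch or "not an armored public key" usually means the download returned an error page or a truncated file rather than a key, which is worth ruling out before assuming the published fingerprint is wrong.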
Still showing the old fingerprint in the docs - I guess there are more updates needed:
The fingerprint must match E8A0 32E0 94D8 EB4E A189 D270 DA41 8C88 A321 9F7B, which can also be verified at Security at HashiCorp under “Linux Package Checksum Verification”.
(This is at Install Vault | Vault | HashiCorp Developer which is where the vault documentation took me when I clicked ‘Installation’ and then the ‘tutorial’ link under ‘Linux package manager’)
Hey - Thanks for the report. This has been updated at Official Packaging Guide and is reflected on the security page. Let us know if you see any other lingering references to the old fingerprint. Thanks!