[Resolved] Debian Repo - Apt Update Fails, New GPG Keys

Update: Mostly resolved. Main security page lists both updated and rotated key fingerprints, PRs in place to update remaining docs. Just pull the new keys, as per the regular installation docs for your specific tool.

I was running my apt update this morning (as one does on Mondays) and got a complete failure due to the Debian GPG signing key rotation for Hashicorp. When I pulled the latest key from Hashicorp servers, I could not find any reference to the fingerprint in the docs. Here is what I got:

798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701

Here is where I looked for key fingerprints.

I assume that those docs are being updated rapidly, but this requires urgent attention. Users cannot run apt update until resolved. User path is:

  • apt update
  • fails due to GPG mismatch
  • one of the following:
    • A. user deletes/disables repo
    • B. user finds non-specific guide to use apt-key
    • C. user finds Hashicorp docs
  • Hashicorp docs do not show new fingerprint yet, alarming

Just want to start a public thread, since I am probably not the only one with this issue.

JACOB


I'm seeing a similar issue with the AmazonLinux yum repos.

Public key for terraform-1.3.7-1.x86_64.rpm is not installed
(3/3): terraform-1.3.7-1.x86_64.rpm                                                                                                                                                                                  |  13 MB  00:00:01
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                       2.9 MB/s |  14 MB  00:00:04
Retrieving key from https://rpm.releases.hashicorp.com/gpg


Invalid GPG Key from https://rpm.releases.hashicorp.com/gpg: No key found in given key data

A similar issue happens if I try to import the GPG key manually:

bash-4.2# rpm --import https://rpm.releases.hashicorp.com/gpg
error: https://rpm.releases.hashicorp.com/gpg: key 1 not an armored public key.

It looks like there was a scheduled maintenance for the APT Repository and RPM Repository.

Yep. I did the above tests after the maintenance was complete. It appears that there's an issue with the new GPG key.


Same issue here
New gpg key not working

If you do follow the instructions, you just get a binary file printed, so the dearmour is not working.

Opened YUM install failure? before seeing this one. We also get the same GPG error.

There was just an update to this site: Official Packaging Guide

The fingerprint must match 798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701, which can also be verified at Security at HashiCorp under "Linux Package Checksum Verification". Please note that there was a previous signing key used prior to January 23, 2022, which had the fingerprint E8A0 32E0 94D8 EB4E A189 D270 DA41 8C88 A321 9F7B. Details about this change are available at HashiCorp Services Status - Scheduled Maintenance | APT Repository.

Still showing the old fingerprint in the docs - I guess there's more updates needed:

The fingerprint must match E8A0 32E0 94D8 EB4E A189 D270 DA41 8C88 A321 9F7B, which can also be verified at Security at HashiCorp under "Linux Package Checksum Verification".

(This is at Install Vault | Vault | HashiCorp Developer, which is where the vault documentation took me when I clicked 'Installation' and then the 'tutorial' link under 'Linux package manager')

Hey- Thanks for the report. This has been updated at Official Packaging Guide and is reflected on the security page. Let us know if you see any other lingering references to the old fingerprint. Thanks!

Edit: I see some other places the fingerprint is listed. We have PRs up to address these.


I'm now getting a different error from Yum:

warning: /var/cache/yum/x86_64/2/hashicorp/packages/terraform-1.3.7-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 69c085e9: NOKEY=============================================================     ] 4.8 MB/s |  14 MB  00:00:00 ETA
Public key for terraform-1.3.7-1.x86_64.rpm is not installed
(8/8): terraform-1.3.7-1.x86_64.rpm                                                                                                                                                                                  |  13 MB  00:00:01
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                       3.4 MB/s |  15 MB  00:00:04
Retrieving key from https://rpm.releases.hashicorp.com/gpg
Importing GPG key 0xA621E701:
 Userid     : "HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>"
 Fingerprint: 798a ec65 4e5c 1542 8c8e 42ee aa16 fcbc a621 e701
 From       : https://rpm.releases.hashicorp.com/gpg


Public key for terraform-1.3.7-1.x86_64.rpm is not installed


 Failing package is: terraform-1.3.7-1.x86_64
 GPG Keys are configured as: https://rpm.releases.hashicorp.com/gpg

It looks like the GPG key issue has been resolved.


It started to fail again just now:

Err:3 https://apt.releases.hashicorp.com jammy InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DA418C88A3219F7B

(repository is signed by old key)


I'm experiencing the same issue :frowning_face:


We are also experiencing the issue here.


I thought I was crazy for the past hour until I saw the replies here now. Definitely something wrong with the repos, because yesterday this was fine as I was doing a vagrant install on a new instance. Today it is not, as I am doing one more new install. The signature checked fine compared to the latest documentation.

We are also seeing similar error again:

Reading package lists...
W: GPG error: https://apt.releases.hashicorp.com focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DA418C88A3219F7B
E: The repository 'https://apt.releases.hashicorp.com focal InRelease' is not signed.
Error: Process completed with exit code 100.

DA418C88A3219F7B (fingerprint E8A032E094D8EB4EA189D270DA418C88A3219F7B) is in fact actually the old key before it was rotated last month.

Not sure why suddenly it is being used again (to be fair it's scheduled to be revoked on 24th April 2023), so I guess we should still trust the old gpg key (again)?


I've submitted a case for this issue, and Hashicorp opened a new incident for that: HashiCorp Services Status - GPG failures for apt repos


The issue got resolved! :slight_smile:

Hi all,

I'm sorry for the late response. Unfortunately the folks who commonly monitor this forum are mostly in the Pacific timezone and so I'm only just getting online now.

The team which maintains the APT repository has been working on it and it should now be back to functioning correctly again.

Hi,

I guess that's one of the reasons why Debian/Ubuntu switch to keyring files (referenced via "signed-by" in sources.list), as they can easily be managed by a package after initial setup.

See DebianRepository/UseThirdParty - Debian Wiki
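As an added example (not code from this thread, from HashiCorp, or from the Debian wiki), the checker below does in plain Python what the packaging guide asks of you at the "fingerprint must match" step and what the last reply suggests with signed-by: it strips the ASCII armor from a downloaded key (rejecting unarmored data, the "key 1 not an armored public key" failure seen above), computes the v4 OpenPGP fingerprint the way gpg does, compares it against the two fingerprints quoted in the thread, maps the 16-hex key ID from an apt NO_PUBKEY error back to one of those fingerprints, and emits the signed-by sources.list line for a dedicated keyring. The sample key is constructed and toy-sized so the block runs offline; the keyring path /etc/apt/keyrings/hashicorp.gpg and all function names are assumptions, not from the page or vendor docs.

```python
import base64
import hashlib
import re

# Fingerprints quoted in the thread: the key in use since the January 23, 2022 rotation,
# and the previous key (key ID DA418C88A3219F7B) that apt reported as NO_PUBKEY.
KNOWN_FINGERPRINTS = {
    "798AEC654E5C15428C8E42EEAA16FCBCA621E701",
    "E8A032E094D8EB4EA189D270DA418C88A3219F7B",
}

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Raw packet bytes inside an armored public key block; ValueError for unarmored
    input (the thread's 'not an armored public key' case) or a bad armor checksum."""
    match = re.search(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)"
                      r"-----END PGP PUBLIC KEY BLOCK-----", text, re.S)
    if not match:
        raise ValueError("not an armored public key")
    body = match.group(1)
    if "\n\n" in body:                      # drop armor headers such as "Version: ..."
        body = body.split("\n\n", 1)[1]
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    checksum = lines.pop()[1:] if lines and lines[-1].startswith("=") else None
    data = base64.b64decode("".join(lines))
    if checksum is not None and crc24(data) != int.from_bytes(base64.b64decode(checksum), "big"):
        raise ValueError("armor CRC24 mismatch")
    return data

def first_packet(data: bytes):
    """(tag, body) of the first OpenPGP packet (RFC 4880, section 4.2)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    hdr = data[0]
    if hdr & 0x40:                          # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial-length packets not supported")
    else:                                   # old-format header (what gpg emits for keys)
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packet not supported")
        n = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]

def fingerprint_of_armored_key(text: str) -> str:
    """V4 fingerprint: SHA-1 over 0x99, 2-byte body length, key packet body (RFC 4880, 12.2)."""
    tag, body = first_packet(dearmor(text))
    if tag != 6 or body[0] != 4:
        raise ValueError("first packet is not a version 4 public key")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def check_key(text: str, allowed=KNOWN_FINGERPRINTS):
    """(trusted, fingerprint): write the keyring only when trusted is True."""
    fp = fingerprint_of_armored_key(text)
    return fp in allowed, fp

def identify_nopubkey(apt_line: str, known=KNOWN_FINGERPRINTS):
    """Map the 16-hex key ID in an apt NO_PUBKEY error to a known fingerprint, else None."""
    m = re.search(r"NO_PUBKEY ([0-9A-Fa-f]{16})", apt_line)
    if not m:
        return None
    return next((fp for fp in known if fp.endswith(m.group(1).upper())), None)

def sources_line(keyring_path: str, suite: str, url="https://apt.releases.hashicorp.com"):
    """sources.list entry pinned to one keyring via signed-by instead of apt-key's global trust."""
    return f"deb [signed-by={keyring_path}] {url} {suite} main"

def _mpi(value: int) -> bytes:
    nbytes = (value.bit_length() + 7) // 8
    return value.bit_length().to_bytes(2, "big") + value.to_bytes(nbytes, "big")

def make_sample_armored_key() -> str:
    """CONSTRUCTED toy v4 RSA public-key packet, armored; not anyone's real key."""
    body = b"\x04" + (0x63CE0000).to_bytes(4, "big") + b"\x01" + _mpi(0xC0FFEE1234567891) + _mpi(65537)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body     # old-format header, tag 6
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(packet).decode()
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

In practice you would feed check_key() the armored text you downloaded from the vendor's key URL, and only when it returns trusted=True run `gpg --dearmor` into the keyring path named in sources_line(); a key whose fingerprint is not in the documented set, or a download that is not armored at all (as happened with the rpm endpoint above), is a reason to stop and check the vendor's status page rather than to import anyway.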