Jenkins LTS Debian signing key?


alan.l...@gmail.com

Mar 30, 2023, 1:13:20 PM
to Jenkins Users
Tried to build a Jenkins image here this morning and getting signing errors on the repo:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://pkg.jenkins.io/debian-stable binary/ Release: The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project <jenkins...@googlegroups.com>
W: Failed to fetch http://pkg.jenkins.io/debian-stable/binary/Release.gpg  The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project <jenkins...@googlegroups.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

I see a post on the Jenkins blog about the key changing, but it says April 5, and we're not there yet.  What has changed for Ubuntu users?  The old key doesn't seem to work, nor does the new one.  I'm using the same repo configuration:

What has changed?

Following instructions for 2.387.1 at:

Alex Earl

Mar 30, 2023, 1:36:25 PM
to jenkins...@googlegroups.com
I just ran into the same thing, I updated to the new key and it works fine now.


Alex Earl

Mar 30, 2023, 1:39:21 PM
to jenkins...@googlegroups.com
I take that back, it only works for the weekly release, not the stable.

Mark Waite

Mar 30, 2023, 1:44:11 PM
to Jenkins Users
On Thursday, March 30, 2023 at 11:13:20 AM UTC-6 Alan Sparks wrote:
Tried to build a Jenkins image here this morning and getting signing errors on the repo:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://pkg.jenkins.io/debian-stable binary/ Release: The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project
W: Failed to fetch http://pkg.jenkins.io/debian-stable/binary/Release.gpg  The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project
W: Some index files failed to download. They have been ignored, or old ones used instead.

I see a post on the Jenkins blog about the key changing, but it says April 5, and we're not there yet.  What has changed for Ubuntu users?  The old key doesn't seem to work, nor does the new one.  I'm using the same repo configuration:

What has changed?


The GPG private key that signs the Jenkins 2.387.1 deb file expired March 30, 2023.  A comment to the blog post says:

> Users installing Jenkins LTS 2.387.1 after March 31, 2023 may see a warning or an error noting that the PGP key has expired.

> Jenkins LTS 2.387.2 (April 5, 2023) will resolve that warning, so long as the new PGP public key has been installed by following the instructions in the Linux installation page

You're correct that the old key does not work (because it has expired) and that the new key does not work with the old releases (because they were not signed with the new key). 

The new key works with new releases (like Jenkins 2.397 released March 28, 2023 and Jenkins 2.387.2 that will be released April 5, 2023).

If you need to install Jenkins LTS with the Linux installer between now and April 5, your choices include:
  • Override the package manager to ignore the expired PGP key
  • Use a container image like jenkins/jenkins:2.387.1-jdk11
  • Install the war file without the Linux installer
Mark Waite

alan.l...@gmail.com

Mar 30, 2023, 4:12:22 PM
to Jenkins Users
Thanks.  I'll disable the checks and wait for the release.  Thanks for the info.

Dirk Heinrichs

Mar 31, 2023, 1:40:34 AM
to jenkins...@googlegroups.com
On Thursday, 30.03.2023 at 10:44 -0700, Mark Waite wrote:

> Jenkins LTS 2.387.2 (April 5, 2023) will resolve that warning, so long as the new PGP public key has been installed by following the instructions in the Linux installation page


Please note that these instructions contain a small mistake. The key should be downloaded to "/etc/apt/keyrings", unless it is later managed by a package, which is not the case here (see https://wiki.debian.org/DebianRepository/UseThirdParty). Would be great if that could be corrected (or, as recommended by Debian, a package be provided for managing the keyring after the initial setup).

If you need to install Jenkins LTS with the Linux installer between now and April 5, your choices include:
  • Override the package manager to ignore the expired PGP key
  • Use a container image like jenkins/jenkins:2.387.1-jdk11
  • Install the war file without the Linux installer

  • Download the deb directly and install via "apt-get install /path/to/file"

HTH...

Dirk
-- 
Dirk Heinrichs
Senior Systems Engineer, Delivery Pipeline
OpenText ™ Discovery | Recommind
Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach

Mark Waite

Apr 6, 2023, 8:33:36 AM
to Jenkins Users
On Thursday, March 30, 2023 at 11:40:34 PM UTC-6 dheinric wrote:
On Thursday, 30.03.2023 at 10:44 -0700, Mark Waite wrote:

> Jenkins LTS 2.387.2 (April 5, 2023) will resolve that warning, so long as the new PGP public key has been installed by following the instructions in the Linux installation page


Please note that these instructions contain a small mistake. The key should be downloaded to "/etc/apt/keyrings", unless it is later managed by a package, which is not the case here (see https://wiki.debian.org/DebianRepository/UseThirdParty). Would be great if that could be corrected (or, as recommended by Debian, a package be provided for managing the keyring after the initial setup).


I'm hesitant to change those instructions based on the comment in the https://wiki.debian.org/DebianRepository/UseThirdParty page where it says:

> In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does not exist by default. It SHOULD be created with permissions 0755 if it is needed and does not already exist.

I'd rather not include extra instructions for Debian 10, Debian 11, Ubuntu 18, and Ubuntu 20, especially when those instructions involve creating directories as the root user and assuring those directories have correct ownership and permissions.

We'll discuss further in the retrospective to see which path we take to reduce the problems for Debian and Ubuntu administrators on the next GPG key rotation.

Mark Waite

Dirk Heinrichs

Apr 6, 2023, 8:56:31 AM
to jenkins...@googlegroups.com
On Thursday, 06.04.2023 at 05:33 -0700, Mark Waite wrote:

I'd rather not include extra instructions for Debian 10, Debian 11, Ubuntu 18, and Ubuntu 20, especially when those instructions involve creating directories as the root user and assuring those directories have correct ownership and permissions.

People knowing that page might then (falsely) assume that the key will be managed by a package after initial setup if it is to be placed into /usr/share/keyrings. OTOH, creating the directory is just one more line, like

	sudo sh -c "test -d /etc/apt/keyrings || mkdir -m 0755 /etc/apt/keyrings"

We'll discuss further in the retrospective to see which path we take to reduce the problems for Debian and Ubuntu administrators on the next GPG key rotation.

Why wait (until next rotation)? Why not create a package which places the current key into /usr/share/keyrings and add that as a dependency to the main Jenkins package? This is how Element or PostgreSQL (to name a few) already do it. Would have the benefit that no documentation change would be needed.

Bye...

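The three practical points raised in this thread (Mark's explanation that the repository signing key simply expired, Dirk's point that a manually fetched key belongs in /etc/apt/keyrings, and his one-line mkdir for systems where that directory does not exist yet) can be turned into a small set of shell helpers for an apt host. The script below is an added example written for this page; it is not code from the thread, the Jenkins project, or the Linux installation page. It assumes GnuPG 2.2 or later for `gpg --show-keys`, and the keyring file name, list file name and sample key record are constructed placeholders; the only values taken from the thread are the repository URL and the key id shown in the EXPKEYSIG error.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Jenkins project.
# Helpers for an apt host that consumes the Jenkins repository:
#   1. create the keyring directory with mode 0755 only when it is missing,
#   2. write a sources entry pinned to that keyring with signed-by,
#   3. report how many days remain before a repository signing key expires,
#      so an expired key (EXPKEYSIG) is caught by monitoring, not by a failed build.
# Assumptions: GnuPG >= 2.2 for "gpg --show-keys"; the keyring path and list file
# name used below are hypothetical and are passed in as arguments.

# ensure_keyring_dir DIR: create DIR with mode 0755 if absent; succeeds if it exists.
ensure_keyring_dir() {
    test -d "$1" || mkdir -m 0755 "$1"
}

# write_jenkins_source KEYRING LISTFILE: sources entry for the debian-stable repo,
# restricted to signatures from KEYRING (apt ignores other trusted keys for it).
write_jenkins_source() {
    printf 'deb [signed-by=%s] https://pkg.jenkins.io/debian-stable binary/\n' "$1" > "$2"
}

# key_expiry_report NOW_EPOCH: reads "gpg --with-colons" records on stdin and prints
# one line per primary key ("pub" record: field 5 = key id, field 7 = expiry epoch).
key_expiry_report() {
    awk -F: -v now="$1" '
        $1 == "pub" {
            expiry = $7
            if (expiry == "") { printf "%s never expires\n", $5; next }
            remaining = expiry - now
            if (remaining < 0)
                printf "%s EXPIRED %d day(s) ago\n", $5, int(-remaining / 86400)
            else
                printf "%s expires in %d day(s)\n", $5, int(remaining / 86400)
        }'
}

# check_keyring KEYRING: run the report against a real keyring file on this host.
check_keyring() {
    gpg --with-colons --show-keys "$1" 2>/dev/null | key_expiry_report "$(date +%s)"
}

# Constructed sample "pub" record for the key id from the thread's error message,
# with a constructed expiry of 2023-03-30 00:00 UTC (1680134400); the real key's
# exact expiry time and creation date are not given in the thread.
SAMPLE_PUB_RECORD='pub:e:4096:1:FCEF32E745F2C3D5:1585526400:1680134400::-:::scESC::::::23::0:'

# Demo: build the pieces in a scratch directory, then evaluate the sample key
# as of 2023-03-31 00:00 UTC (1680220800), one day after the constructed expiry.
demo_dir=$(mktemp -d)
ensure_keyring_dir "$demo_dir/keyrings"
write_jenkins_source "$demo_dir/keyrings/jenkins-keyring.asc" "$demo_dir/jenkins.list"
cat "$demo_dir/jenkins.list"
printf '%s\n' "$SAMPLE_PUB_RECORD" | key_expiry_report 1680220800
rm -rf "$demo_dir"
```

On a real host you would call `ensure_keyring_dir /etc/apt/keyrings`, download the key into that directory, point `write_jenkins_source` at it, and run `check_keyring` from cron so that a key approaching its expiry date shows up as a warning well before apt starts reporting EXPKEYSIG. Rotating to the new key then means replacing one file in /etc/apt/keyrings rather than touching the trusted keyring.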
Mark Waite

Apr 6, 2023, 1:15:28 PM
to Jenkins Users
On Thursday, April 6, 2023 at 6:56:31 AM UTC-6 dheinric wrote:
On Thursday, 06.04.2023 at 05:33 -0700, Mark Waite wrote:

I'd rather not include extra instructions for Debian 10, Debian 11, Ubuntu 18, and Ubuntu 20, especially when those instructions involve creating directories as the root user and assuring those directories have correct ownership and permissions.

People knowing that page might then (falsely) assume that the key will be managed by a package after initial setup if it is to be placed into /usr/share/keyrings. OTOH, creating the directory is just one more line, like

sudo sh -c "test -d /etc/apt/keyrings || mkdir -m 0755 /etc/apt/keyrings"

We'll discuss further in the retrospective to see which path we take to reduce the problems for Debian and Ubuntu administrators on the next GPG key rotation.

Why wait (until next rotation)? Why not create a package which places the current key into /usr/share/keyrings and add that as a dependency to the main Jenkins package? This is how Element or PostgreSQL (to name a few) already do it. Would have the benefit that no documentation change would be needed.


Agreed that if the decision from the retrospective and investigation is to implement an additional package as a dependency to the main Jenkins package, then there is no need to wait until the next key rotation.  The bigger challenge is having someone implement that package and perform the necessary testing to confirm that it is well behaved on Debian 10, Debian 11, Ubuntu 18, Ubuntu 20, and Ubuntu 22.  If that effort takes enough time that Debian 12 releases before it is done, then Debian 12 will also need to be tested.

Mark Waite

Dirk Heinrichs

Apr 11, 2023, 1:56:30 AM
to jenkins...@googlegroups.com
On Thursday, 06.04.2023 at 10:15 -0700, Mark Waite wrote:

perform the necessary testing to confirm that it is well behaved

How misbehaving can a package be that stores a single file into a specific directory?