--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/54ae60e4-9408-482f-844d-5abb50abc4den%40googlegroups.com.
Tried to build a Jenkins image here this morning and getting signing errors on the repo:
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://pkg.jenkins.io/debian-stable binary/ Release: The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project
W: Failed to fetch http://pkg.jenkins.io/debian-stable/binary/Release.gpg The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project
W: Some index files failed to download. They have been ignored, or old ones used instead.
I see a post on the Jenkins blog about the key changing, but it says April 5, and we're not then yet. What has changed for Ubuntu users? the old key doesn't seem to work, nor does the new one. I'm using the same repo configuration:deb https://pkg.jenkins.io/debian-stable binary/What has changed?
> Users installing Jenkins LTS 2.387.1 after March 31, 2023 may see a warning or an error noting that the PGP key has expired.
> Jenkins LTS 2.387.2 (April 5, 2023) will resolve that warning, so long as the new PGP public key has been installed by following the instructions in the Linux installation page
> Jenkins LTS 2.387.2 (April 5, 2023) will resolve that warning, so long as the new PGP public key has been installed by following the instructions in the Linux installation page
If you need to install Jenkins LTS with the Linux installer between now and April 5, your choices include:
- Override the package manager to ignore the expired PGP key
- Use a container image like jenkins/jenkins:2.387.1-jdk11
- Install the war file without the Linux installer
--
Am Donnerstag, dem 30.03.2023 um 10:44 -0700 schrieb Mark Waite:
> Jenkins LTS 2.387.2 (April 5, 2023) will resolve that warning, so long as the new PGP public key has been installed by following the instructions in the Linux installation page
Please note that these instructions contain a small mistake. The key should be downloaded to "/etc/apt/keyrings", unless it is later managed by a package, which is not the case here (see https://wiki.debian.org/DebianRepository/UseThirdParty). Would be great if that could be corrected (or, as recommended by Debian, a package be provided for managing the keyring after the initial setup).
I'd rather not include extra instructions for Debian 10, Debian 11, Ubuntu 18, and Ubuntu 20, especially when those instructions involve creating directories as the root user and assuring those directories have correct ownership and permissions.
sudo sh -c "test -d /etc/apt/keyrings || mkdir -m 0755 /etc/apt/keyrings"
We'll discuss further in the retrospective to see which path we take to reduce the problems for Debian and Ubuntu administrators on the next GPG key rotation.
Am Donnerstag, dem 06.04.2023 um 05:33 -0700 schrieb Mark Waite:
I'd rather not include extra instructions for Debian 10, Debian 11, Ubuntu 18, and Ubuntu 20, especially when those instructions involve creating directories as the root user and assuring those directories have correct ownership and permissions.
People knowing that page might then (falsely) assume that the key will be managed by a package after initial setup if it is to be placed into /usr/share/keyrings. OTOH, creating the directory is just one more line, likesudo sh -c "test -d /etc/apt/keyrings || mkdir -m 0755 /etc/apt/keyrings"
We'll discuss further in the retrospective to see which path we take to reduce the problems for Debian and Ubuntu administrators on the next GPG key rotation.
Why wait (until next rotation)? Why not create a package which places the current key into /usr/share/keyrings and add that as a dependency to the main Jenkins package? This is how Element or PostgreSQL (to name a few) already do it. Would have the benefit that no documentation change would be needed.
perform the necessary testing to confirm that it is well behaved