As a follow-up to Security issue on ROS build farm - ROS General - Open Robotics Discourse we have now deployed new GPG keys to packages.ros.org . This will require anyone using packages.ros.org to update their trusted GPG keys to be able to update packages going forward.
tldr; At this point you should do the following 3 things:
Add the new ROS GPG key to your apt keyring if you have not already.
Revoke the old GPG key; it’s no longer used.
If using testing, update the ros-shadow-fixed repository to refer to the ros-testing repository.
How to transition
Below are instructions for how to update your GPG keys.
Adding the new ROS repository key
Who should do this?
Everyone who installs ROS packages from packages.ros.org
When should this be done?
Now
What to do?
Set up the new repository key
sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
Removing the old ROS repository key
Who should do this?
Everyone.
When must this be done?
Now
What to do?
Remove the key from your apt keyring
sudo apt-key del 421C365BD9FF1F717815A3895523BAEEB01FA116
Updating the testing repository url
Who should do this? Anyone who is currently using the ros-shadow-fixed repository to test ROS packages before a sync.
Check your /etc/apt/sources.list and /etc/apt/sources.list.d/*.list for http://packages.ros.org/ros-shadow-fixed and replace it with http://packages.ros.org/ros-testing
Migrating to Snapshots.ros.org for unsupported distributions
For older unsupported distributions we have moved the Debian packages to a new host. Details for how to set that up are in this post: Security issue on ROS build farm - #8 by nuclearsandwich - ROS General - Open Robotics Discourse
More detailed explanations can be found in this post:
Excellent, thank you @tfoote . We’ve thus started the process of untrusting the old key in the snapcraft CLI (the new one has been trusted since the original news broke, no one should be broken).
https://github.com/snapcore/snapcraft/pull/2586
ruffsl
June 7, 2019, 11:42pm
FYI: ROS Docker images from the Official Library registry have also been updated to reflect the above key rotation. Please be sure to pull the latest images before rebuilding any dependent tags.
https://github.com/docker-library/official-images/pull/6053
https://github.com/docker-library/official-images/pull/6000
As @gerkey mentioned in the original thread, a big thanks to @tfoote , @nuclearsandwich , and @jrivero for the many hours and late nights they put into getting us back on track. Cheers!
P.S. for tracking when update images get finally synced to the docker hub registry:
tfoote
June 7, 2019, 11:49pm
Thank you to @kyrofa @ruffsl @garyservin and everyone who’s helping propagate these changes quickly. If you’re updating tools and services that build on top of our packages please reply here or track it at Updates for ROS repository changes 2019-06 · Issue #276 · ros-infrastructure/roswiki · GitHub so that people can know which things have been updated.
For Ubuntu 14.04 or earlier (e.g. indigo or jade), we should run
sudo apt-key del B01FA116
instead of
sudo apt-key del 421C365BD9FF1F717815A3895523BAEEB01FA116
since the apt version is old.
B01FA116 is the last 8 characters of 421C365BD9FF1F717815A3895523BAEEB01FA116.
$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2019-05-30 [SC] [expired: 2021-05-29]
C1CF 6E31 E6BA DE88 68B1 72B4 F42E D6FB AB17 C654
uid [ expired] Open Robotics <info@osrfoundation.org>
Today, the key released 2 years ago has expired. Is the new key on the way?
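As an added example, not code from the ROS announcement or the ROS project, the POSIX shell helpers below cover the three transition steps from the first post (trust the new key, drop the old one, move ros-shadow-fixed to ros-testing), the short key ID form used by the older apt-key on Ubuntu 14.04, and a check of `apt-key list` output for the expiry reported above. The sample listing and sources lines are constructed; on a real host the input would come from `apt-key list` and the files under /etc/apt.

```shell
# Added example: offline helpers for the ROS key transition steps.
# Sample input is constructed; real use would pipe `apt-key list`.
set -eu

OLD_KEY=421C365BD9FF1F717815A3895523BAEEB01FA116   # revoked 2019-06
NEW_KEY=C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654   # key to trust

# Short key ID (last 8 hex chars of the fingerprint), the form the
# older apt-key on Ubuntu 14.04 expects for `apt-key del`.
short_id() { printf '%s' "$1" | tail -c 8; }

# Rewrite ros-shadow-fixed to ros-testing in one apt sources file, in
# place, and print how many lines referenced the old URL.
migrate_shadow_fixed() {
  n=$(grep -c 'packages.ros.org/ros-shadow-fixed' "$1" || true)
  sed -i 's#http://packages.ros.org/ros-shadow-fixed#http://packages.ros.org/ros-testing#g' "$1"
  echo "$n"
}

# Read `apt-key list` output on stdin and report a fingerprint as
# "missing", "expired" or "valid", using the [expired: ...] marker that
# apt-key prints on the pub line (as in the listing quoted above).
key_state() {
  # apt-key prints the fingerprint in groups of four hex chars
  spaced=$(printf '%s' "$1" | sed 's/\(....\)/\1 /g; s/ $//')
  awk -v want="$spaced" '
    /^pub/     { publine = $0; next }
    { sub(/^ +/, "") }
    $0 == want { state = (publine ~ /expired/) ? "expired" : "valid"
                 print state; found = 1; exit }
    END        { if (!found) print "missing" }'
}

# Constructed sample of `apt-key list` output showing the expired key.
SAMPLE_KEYLIST='/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2019-05-30 [SC] [expired: 2021-05-29]
      C1CF 6E31 E6BA DE88 68B1 72B4 F42E D6FB AB17 C654
uid           [ expired] Open Robotics <info@osrfoundation.org>'

# Example run; on a real host replace the printf with `apt-key list`.
printf '%s\n' "$SAMPLE_KEYLIST" | key_state "$NEW_KEY"   # expired
printf '%s\n' "$SAMPLE_KEYLIST" | key_state "$OLD_KEY"   # missing
short_id "$OLD_KEY"; echo                                 # B01FA116
```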
Hey you all, the recommended solution is not working for me.
I already had
sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
as described above in my Docker container’s Dockerfile, but it was failing due to expired keys during installation of ROS packages.
Then I added the line
curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | sudo apt-key add -
and everything worked.
Unless I’m reading the documentation wrong, it seems that it should work with the first line, and the second line should not be required. Why may I have success only when I add the second line?
To summarize, my failing code is this:
sh -c 'echo "deb http://packages.ros.org/ros/ubuntu $(lsb_release -sc) main" > /etc/apt/sources.list.d/ros-latest.list' >/dev/null 2>&1 \
&& apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
which results in the key error when trying to install ROS packages, but the following code works:
sh -c 'echo "deb http://packages.ros.org/ros/ubuntu $(lsb_release -sc) main" > /etc/apt/sources.list.d/ros-latest.list' >/dev/null 2>&1 \
&& apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | sudo apt-key add -
I have a feeling the first line is not needed if I have the second one, but the main issue is that it does not work for me if I use only the first.
Sorry, I wasn’t checking the date of the original post, and I thought this thread was for the new incident described at
ROS GPG Key Expiration Incident This evening the ROS GPG keys inadvertently expired and caused apt failures for a number of users. In our response to a security incident two years ago we deployed a new GPG key with a 2 year expiration however; we...
Does that mean that the following page is outdated and should list a new value there instead of C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654?
Surely many people are hitting that page, and it’s not working…
trusktr:
Does that mean that the following page is outdated and should list a new value there instead of C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654?
Installation/Ubuntu/Sources - ROS Wiki
Surely many people are hitting that page, and it’s not working…
The new public key uses the same private key as before, so that fingerprint is still correct.
From a fresh docker pull, I ran these commands and they worked correctly for Ubuntu Bionic and Focal, targeting Melodic and Noetic respectively:
$ docker pull ubuntu:focal
$ docker run --rm -it ubuntu:focal
# apt update
# apt install -y gnupg lsb-release
# sh -c 'echo "deb http://packages.ros.org/ros/ubuntu $(lsb_release -sc) main" > /etc/apt/sources.list.d/ros-latest.list' >/dev/null 2>&1 \
&& apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
# apt update
# apt install -y ros-noetic-catkin
Perhaps try removing any existing key prior to running the import step?
apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --delete-keys C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
tfoote
June 14, 2021, 7:24pm