[Build] ArrayFire OpenPGP key expired on 11-21-2023
robert-macmillan opened this issue · comments
The repository key downloaded from https://repo.arrayfire.com/GPG-PUB-KEY-ARRAYFIRE-2020.PUB expired on 11-21-2023. Attempts to install ArrayFire packages under Ubuntu 22.04 or in Docker build scripts fail with error The following signatures were invalid: EXPKEYSIG 34EF51520DCB6543 ArrayFire <technical@arrayfire.com>.
Description
The following excerpt from a Dockerfile adding ArrayFire 3.8.3 to the image suddenly stopped working.
# ArrayFire 3.8.3
RUN wget -qO - https://repo.arrayfire.com/GPG-PUB-KEY-ARRAYFIRE-2020.PUB | apt-key add - && \
echo "deb [arch=amd64] https://repo.arrayfire.com/debian all main" >> /etc/apt/sources.list.d/hpccm.list && \
apt-get update -y && \
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
arrayfire \
arrayfire-cmake \
arrayfire-cpu3-dev \
arrayfire-cuda3-dev \
arrayfire-doc \
arrayfire-examples \
arrayfire-headers && \
rm -rf /var/lib/apt/lists/*
Inspection of the output from the docker build command revealed the following error:
Err:2 https://repo.arrayfire.com/debian all InRelease
The following signatures were invalid: EXPKEYSIG 34EF51520DCB6543 ArrayFire <technical@arrayfire.com>
In addition, the apt-key deprecation message was also reported:
W: https://repo.arrayfire.com/debian/dists/all/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: GPG error: https://repo.arrayfire.com/debian all InRelease: The following signatures were invalid: EXPKEYSIG 34EF51520DCB6543 ArrayFire <technical@arrayfire.com>
E: The repository 'https://repo.arrayfire.com/debian all InRelease' is not signed.
To reproduce the error and address the apt-key deprecation mesage, I followed the instructions in the Linux Uprising article titled "apt-key Is Deprecated. How To Add OpenPGP Repository Signing Keys Without It On Debian, Ubuntu, Linux Mint, Pop!_OS, Etc." tailored for ArrayFire. First, I retrieved the ArrayFire OpenPGP key, dearmored it, and stored it in /usr/share/keyrings.
Note: Commands were executed in an Ubuntu 22.04 bash shell running under WSL2 on Windows 11.
wget -O- https://repo.arrayfire.com/GPG-PUB-KEY-ARRAYFIRE-2020.PUB | gpg --dearmor | sudo tee /usr/share/keyrings/arrayfire-archive-keyring.gpg
I then used nano with elevated privileges to add the repository sources.list entry, again following the guidance provided in step 2 in the Linux Uprising article. I created a file at /etc/apt/sources.list.d/arrayfire.list with the following contents:
deb [arch=amd64 signed-by=/usr/share/keyrings/arrayfire-archive-keyring.gpg] https://repo.arrayfire.com/debian all main
Finally, I ran sudo apt-get update and verified the same behavior as seen when uses docker build.
Get:12 https://repo.arrayfire.com/debian all InRelease [4293 B]
Err:12 https://repo.arrayfire.com/debian all InRelease
The following signatures were invalid: EXPKEYSIG 34EF51520DCB6543 ArrayFire <technical@arrayfire.com>
Error Log
N/A - The build step is never reached.
Build Environment
Compiler version: N/A for this issue
Operating system: Windows 11 Pro (22H2, 22621.2715), Ubuntu 22.04 under WSL2
Build environment: N/A for this issue
CMake variables: N/A for this issue
I'm happy to provide more information if it is relevant to addressing this issue.
I also verified the expiration date of the OpenPGP key using the command gpg --show-keys arrayfire-archive-keyring.gpg from the /usr/share/keyrings directory. The following output confirms the key expired on 11-21-2023.
pub rsa4096 2020-11-12 [SC]
2DB7A43051A4F1FDB8748729AFE820CC4C4DC6A8
uid ArrayFire <technical@arrayfire.com>
sub rsa4096 2020-11-19 [S] [expired: 2023-11-21]
Hi all. I have updated the key and everything should work as expected.
Call
apt-key adv --fetch-key https://repo.arrayfire.com/GPG-PUB-KEY-ARRAYFIRE-2020.PUB
To update your key if you are still seeing this message.
Thanks
I confirm the fix addressed the reported issue. Thank you.