cri-o: PGP key expired

What happened?

I was trying to install cri-o on Ubuntu following the docs steps in https://github.com/cri-o/cri-o/blob/main/install.md#apt-based-operating-systems

But I was not getting errors on apt-get update

Err:7 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  InRelease
  The following signatures were invalid: EXPKEYSIG 4D64390375060AA4 devel:kubic OBS Project <devel:kubic@build.opensuse.org>
Err:8 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.20/xUbuntu_20.04  InRelease
  The following signatures were invalid: EXPKEYSIG 4D64390375060AA4 devel:kubic OBS Project <devel:kubic@build.opensuse.org>
Err:9 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.21/xUbuntu_20.04  InRelease
  The following signatures were invalid: EXPKEYSIG 4D64390375060AA4 devel:kubic OBS Project <devel:kubic@build.opensuse.org>
Reading package lists... Done

The apt sources look like:

$ cat '/etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:1.20.list'
deb [signed-by=/usr/share/keyrings/libcontainers-crio-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.20/xUbuntu_20.04/ /

$ cat '/etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:1.21.list'
deb [signed-by=/usr/share/keyrings/libcontainers-crio-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.21/xUbuntu_20.04/ /

$ cat '/etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list'
deb [signed-by=/usr/share/keyrings/libcontainers-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/ /

$ ls -la /usr/share/keyrings/libcontainers-*
-rw-r--r-- 1 root root 723 Dec  6 14:16 /usr/share/keyrings/libcontainers-archive-keyring.gpg
-rw-r--r-- 1 root root 723 Dec  6 14:16 /usr/share/keyrings/libcontainers-crio-archive-keyring.gpg

Also note that if I run apt-key list I get that the PGP key is expired (today).

$ curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/Release.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/libcontainers.gpg add -

$ apt-key list
...
/etc/apt/trusted.gpg.d/libcontainers.gpg
----------------------------------------
pub   rsa2048 2018-08-03 [SC] [expired: 2022-12-06]
      2472 D6D0 D2F6 6AF8 7ABA  8DA3 4D64 3903 7506 0AA4
uid           [ expired] devel:kubic OBS Project <devel:kubic@build.opensuse.org>

What did you expect to happen?

The PGP key is updated so that it is possible to install cri-o on Ubuntu from the official repo.

How can we reproduce it (as minimally and precisely as possible)?

 set -x \
 && OS=xUbuntu_20.04 \
 && VERSION=1.21 \
 && { cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
deb [signed-by=/usr/share/keyrings/libcontainers-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /
EOF
} \
 && { cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
deb [signed-by=/usr/share/keyrings/libcontainers-crio-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /
EOF
} \
 && sudo apt-get install -y curl gpg \
 && sudo mkdir -p /usr/share/keyrings \
 && curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | sudo gpg --dearmor --no-tty -o /usr/share/keyrings/libcontainers-archive-keyring.gpg \
 && curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/Release.key | sudo gpg --dearmor --no-tty -o /usr/share/keyrings/libcontainers-crio-archive-keyring.gpg \
 && sudo apt-get update

Anything else we need to know?

Probably also hits Debian users.

CRI-O and Kubernetes version

Not applicable; cri-o installation fails.

OS version

# On Linux:
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
$ uname -a
Linux  some-hostname 5.4.0-132-generic #148-Ubuntu SMP Mon Oct 17 16:02:06 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Additional environment details (AWS, VirtualBox, physical, etc.)

Ubuntu VM

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 13
  • Comments: 23 (5 by maintainers)
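
A pre-flight check for the failure reported above, as an added example that is not part of the original issue: it reads the machine-readable listing of a keyring and flags keys that have expired or will expire soon. The function names, the 30-day default window, the epoch values (midnight UTC on the dates shown by apt-key) and the second key are constructed; it assumes GnuPG 2.x colon output, where field 7 of a pub/sub record is the expiry time in epoch seconds.

```shell
#!/bin/sh
# Added example (not from the issue): report expired or soon-to-expire keys.
# stdin : output of `gpg --show-keys --with-colons <keyring file>`
# $1    : reference time, Unix epoch seconds, e.g. "$(date +%s)"
# $2    : warning window in days (assumed default: 30)
key_expiry_report() {
    awk -F: -v now="$1" -v warn_days="${2:-30}" '
        # pub/sub records: field 5 = key ID, field 7 = expiry time
        # (epoch seconds; empty when the key never expires).
        ($1 == "pub" || $1 == "sub") && $7 != "" {
            left = $7 - now
            if (left <= 0)
                print "EXPIRED", $5
            else if (left <= warn_days * 86400)
                print "EXPIRING", $5
        }
    '
}

# Constructed sample listing: the key from the issue (created 2018-08-03,
# expires 2022-12-06) plus a made-up key that never expires.
sample_keyring_listing() {
    cat <<'EOF'
pub:e:2048:1:4D64390375060AA4:1533254400:1670284800::-:::sc::::::23::0:
fpr:::::::::2472D6D0D2F66AF87ABA8DA34D64390375060AA4:
pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}

# Demo: evaluate the sample as of 2022-12-07 00:00 UTC.
sample_keyring_listing | key_expiry_report 1670371200
```

On a real host the input would come from `gpg --show-keys --with-colons /usr/share/keyrings/libcontainers-archive-keyring.gpg`, piped into `key_expiry_report "$(date +%s)"`.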

Most upvoted comments

I played around with the workaround suggested by @pczerkas and came up with a somewhat easier temporary workaround. The idea is to add trusted=yes to the deb … lines appended to the repo lists, like:

echo "deb [trusted=yes signed-by=/usr/share/keyrings/libcontainers-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list

Note that if more than one optional property is required (as shown above), you’ll need to space-separate these within the [ … ] section.

The nice thing about this approach is that you won’t need to create a temporary CRI-O config file.
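
A check for leftover uses of this workaround, as an added example that is not part of the original comment: `trusted=yes` tells APT to treat the source as trusted even when its signature fails verification, so the `signed-by` keyring no longer protects that repository. The function names and the sample lines (the page's own entries with `$OS` filled in) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list repository URIs whose one-line
# "deb [options] URI suite" entry carries trusted=yes.
# stdin: contents of /etc/apt/sources.list and /etc/apt/sources.list.d/*.list
unauthenticated_sources() {
    awk '
        /^[ \t]*deb(-src)?[ \t]+/ {
            line = $0
            # Drop the entry type; an option block, if any, must come next.
            sub(/^[ \t]*deb(-src)?[ \t]+/, "", line)
            if (substr(line, 1, 1) != "[") next
            cl = index(line, "]")
            if (cl == 0) next
            # Options are space-separated inside the brackets.
            n = split(substr(line, 2, cl - 2), opt, " ")
            split(substr(line, cl + 1), rest, " ")
            for (i = 1; i <= n; i++)
                if (opt[i] == "trusted=yes") print rest[1]
        }
    '
}

# Constructed sample: the workaround line next to an untouched entry.
sample_sources() {
    cat <<'EOF'
# temporary workaround for the expired key
deb [trusted=yes signed-by=/usr/share/keyrings/libcontainers-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/ /
deb [signed-by=/usr/share/keyrings/libcontainers-crio-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.21/xUbuntu_20.04/ /
EOF
}

# Demo: only the first repository is reported.
sample_sources | unauthenticated_sources
```

On a real host, feed it `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list` and remove `trusted=yes` from any reported entry once the repository key has been renewed.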

xref https://github.com/openSUSE/open-build-service/issues/13493

I commented on the top level of devel:kubic; someone who has more power than I have needs to extend the key.

Alright, the packages are at the point where I can rebuild them and the issue goes away. I’ve done 1.25 already, and will go down to 1.21 (as that’s the lowest I’ve seen here). Let me know if you need something earlier, or if I missed any.