Corretto PGP Key Renewal Announcement #83

Open
benty-amzn opened this issue Dec 5, 2024 · 12 comments

Comments

@benty-amzn
Contributor

The Corretto PGP Public Key has been renewed on December 3, 2024. If you are using systems that use apt for package management and experience an error such as the following when updating packages:

Reading package lists... Done
W: GPG error: https://apt.corretto.aws/ stable InRelease: The following signatures were invalid: EXPKEYSIG A122542AB04F24E3 Amazon Services LLC (Amazon Corretto release) <[email protected]>
E: The repository 'https://apt.corretto.aws/ stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

You may have an expired repository public key cached on your system. To fix this, please run the following command to update the key:

sudo rm /usr/share/keyrings/corretto-keyring.gpg && wget -O - https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto-keyring.gpg && sudo apt update

For systems using apt <= 2.4, use the following command instead:

sudo apt-key del A122542AB04F24E3 && sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A122542AB04F24E3

@linxux

linxux commented Dec 8, 2024

Same issue.
The bad news is that commands like gpg/wget/curl are unavailable in my base image environment.
My workaround is removing the repository before apt-get update to bypass the GPG error.
And renew the public key if necessary.

@speedj

speedj commented Dec 9, 2024

https://apt.corretto.aws/corretto.key is also expired. Right now downloading gives me

Amazon Services LLC
Email: [email protected]
Comment: Amazon Corretto release
This key has expired

Public Key
Key ID: A122542AB04F24E3
Algorithm: RSA
Key Size: 4096
Created: 05/12/2019
Expiry: 03/12/2024
Capabilities: Sign, Certify, Encrypt, Authenticate
Owner trust: Unknown
Fingerprint: 6D C3 63 6D AE 53 40 49 C8 B9 46 23 A1 22 54 2A B0 4F 24 E3
User ID
Name: Amazon Services LLC
Email: [email protected]
Comment: Amazon Corretto release
Created: 03/12/2024

@synecdoche
Contributor

https://apt.corretto.aws/corretto.key also is expired. Right now downloading gives me

@speedj, I'm sorry you are experiencing this. The following command will download the key from the supplied URL and print its expiration date. You should be able to run it yourself and see the same expiration date. Note that I ran this command on a Linux system; it may not work on others.

$ wget -q https://apt.corretto.aws/corretto.key -O corretto_test.key && date -d @$(gpg --with-colons corretto_test.key | cut -d: -f 7)
Sun Dec  2 21:17:37 UTC 2029

@speedj

speedj commented Dec 10, 2024

@synecdoche you are right.
Sorry for not checking thoroughly: it seems Ubuntu Seahorse does not work correctly.
Furthermore, apt gave me an error, since https://apt.corretto.aws/corretto.key is already dearmored and a further dearmor inserted garbage into my /etc/apt/trusted.gpg.d/amazon-corretto-jdk.asc.

@serge-salamanka

Working fix for my case:

wget -q -O - https://apt.corretto.aws/corretto.key | sudo apt-key add -

@timle2

timle2 commented Dec 10, 2024

Ideally I needed a one-liner that would work for Docker builds, where I didn't already have wget on the image.
This worked for me:

RUN curl -O https://apt.corretto.aws/corretto.key && apt-key add corretto.key

@kemalgoekhan

The Corretto image has no curl, wget and so on; before apt update you have to install them, otherwise apt update tries to fetch the Corretto key and gives you an error.

My solution is:

FROM maven:3.9.8-amazoncorretto-21-debian

# The first update runs with signature checks disabled (--allow-insecure-repositories) only to
# install the tools needed to fetch the key; the signed-by keyring then covers every later update.
RUN apt-get clean \
    && apt-get update --allow-insecure-repositories \
    && apt-get install -y --no-install-recommends ca-certificates curl gnupg \
    && curl -fsSL https://apt.corretto.aws/corretto.key | gpg --dearmor -o /usr/share/keyrings/corretto-archive-keyring.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/corretto-archive-keyring.gpg] https://apt.corretto.aws stable main" > /etc/apt/sources.list.d/corretto.list \
    && apt-get update \
    && apt-get upgrade -y \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

@emrecio

emrecio commented Dec 12, 2024

So I downloaded the apt key and tried to download the yum key, and I am still getting an error when doing "zypper ref". The actual error is below. I also tried an rpm --import of https://apt.corretto.aws/corretto.key and https://yum.corretto.aws/corretto.key, and opening up Kleopatra to view my gpg keychain and root's keychain, I see that the cert is in there, set to expire in 2029.

Warning: The gpg key signing file 'repomd.xml' has expired.
Repository:       Amazon Corretto
Key Fingerprint:  6DC3 636D AE53 4049 C8B9 4623 A122 542A B04F 24E3
Key Name:         Amazon Services LLC (Amazon Corretto release) <[email protected]>
Key Algorithm:    RSA 4096
Key Created:      Thu Dec  5 13:19:05 2019
Key Expires:      Tue Dec  3 13:19:05 2024 (EXPIRED)
Rpm Name:         gpg-pubkey-b04f24e3-5de94a19

@benty-amzn
Contributor Author

Thanks for contacting us about this. Which system or docker image are you testing this on, and how is the corretto repository configured? I was unable to reproduce the issue on opensuse/leap following the instructions here.

@emrecio

emrecio commented Dec 12, 2024

This is my desktop machine running SuSE Leap 15.6. I completely removed the Amazon Corretto repo. Did a "zypper clean -a". Ran "zypper ref" (no warning). Ran the command copy-pasted from the link that you sent to add the repository. "zypper ref" shows the expired signature warning as noted above.

@benty-amzn
Contributor Author

Still unable to reproduce; complete output below.
My assumption is that somehow the key is still cached after the Corretto repo is removed, versus a Docker container that never had the repo configured with the expired key.

If you remove the corretto repository from your system and run rpm -q gpg-pubkey | grep b04f24e3 does the Corretto key still appear? If so, can you try removing it with rpm -e gpg-pubkey-b04f24e3-674f7571 and then configuring the repository again?


$ docker image pull opensuse/leap
Using default tag: latest
latest: Pulling from opensuse/leap
Digest: sha256:d3a517b66067d9f150dbd57d7ad28e0806025ad6f3a3e8c71b09cc7230b833a6
Status: Image is up to date for opensuse/leap:latest
docker.io/opensuse/leap:latest
$ docker run -it opensuse/leap
c697294b0f89:/ # cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.6"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.6"
PRETTY_NAME="openSUSE Leap 15.6"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.6"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Leap"
LOGO="distributor-logo-Leap"
c697294b0f89:/ # zypper lr
Repository priorities are without effect. All enabled repositories share the same priority.

#  | Alias                       | Name                                                                                        | Enabled | GPG Check | Refresh
---+-----------------------------+---------------------------------------------------------------------------------------------+---------+-----------+--------
 1 | repo-backports-debug-update | Update repository with updates for openSUSE Leap debuginfo packages from openSUSE Backports | No      | ----      | ----
 2 | repo-backports-update       | Update repository of openSUSE Backports                                                     | Yes     | ( p) Yes  | Yes
 3 | repo-debug                  | Debug Repository                                                                            | No      | ----      | ----
 4 | repo-debug-non-oss          | Debug Repository (Non-OSS)                                                                  | No      | ----      | ----
 5 | repo-debug-update           | Update Repository (Debug)                                                                   | No      | ----      | ----
 6 | repo-debug-update-non-oss   | Update Repository (Debug, Non-OSS)                                                          | No      | ----      | ----
 7 | repo-non-oss                | Non-OSS Repository                                                                          | Yes     | ( p) Yes  | Yes
 8 | repo-openh264               | Open H.264 Codec (openSUSE Leap)                                                            | Yes     | ( p) Yes  | Yes
 9 | repo-oss                    | Main Repository                                                                             | Yes     | ( p) Yes  | Yes
10 | repo-sle-debug-update       | Update repository with debuginfo for updates from SUSE Linux Enterprise 15                  | No      | ----      | ----
11 | repo-sle-update             | Update repository with updates from SUSE Linux Enterprise 15                                | Yes     | ( p) Yes  | Yes
12 | repo-source                 | Source Repository                                                                           | No      | ----      | ----
13 | repo-update                 | Main Update Repository                                                                      | Yes     | ( p) Yes  | Yes
14 | repo-update-non-oss         | Update Repository (Non-Oss)                                                                 | Yes     | ( p) Yes  | Yes
c697294b0f89:/ # zypper clean -a
All repositories have been cleaned up.
c697294b0f89:/ # zypper ref
Retrieving repository 'Update repository of openSUSE Backports' metadata .....................................................................................................................................................................................................................[done]
Building repository 'Update repository of openSUSE Backports' cache ..........................................................................................................................................................................................................................[done]
Retrieving repository 'Non-OSS Repository' metadata ..........................................................................................................................................................................................................................................[done]
Building repository 'Non-OSS Repository' cache ...............................................................................................................................................................................................................................................[done]
Retrieving repository 'Open H.264 Codec (openSUSE Leap)' metadata ............................................................................................................................................................................................................................[done]
Building repository 'Open H.264 Codec (openSUSE Leap)' cache .................................................................................................................................................................................................................................[done]
Retrieving repository 'Main Repository' metadata .............................................................................................................................................................................................................................................[done]
Building repository 'Main Repository' cache ..................................................................................................................................................................................................................................................[done]
Retrieving repository 'Update repository with updates from SUSE Linux Enterprise 15' metadata ................................................................................................................................................................................................[done]
Building repository 'Update repository with updates from SUSE Linux Enterprise 15' cache .....................................................................................................................................................................................................[done]
Retrieving repository 'Main Update Repository' metadata ......................................................................................................................................................................................................................................[done]
Building repository 'Main Update Repository' cache ...........................................................................................................................................................................................................................................[done]
Retrieving repository 'Update Repository (Non-Oss)' metadata .................................................................................................................................................................................................................................[done]
Building repository 'Update Repository (Non-Oss)' cache ......................................................................................................................................................................................................................................[done]
All repositories have been refreshed.
c697294b0f89:/ # zypper addrepo https://yum.corretto.aws/corretto.repo; zypper refresh
Adding repository 'Amazon Corretto' ..........................................................................................................................................................................................................................................................[done]
Repository 'Amazon Corretto' successfully added

URI         : https://yum.corretto.aws/x86_64
Enabled     : Yes
GPG Check   : Yes
Autorefresh : No
Priority    : 99 (default priority)

Repository priorities are without effect. All enabled repositories share the same priority.
Looking for gpg key ID B04F24E3 in cache /var/cache/zypp/pubkeys.
Looking for gpg key ID B04F24E3 in repository Amazon Corretto.
  gpgkey=https://yum.corretto.aws/corretto.key

New repository or package signing key received:

  Repository:       Amazon Corretto
  Key Fingerprint:  6DC3 636D AE53 4049 C8B9 4623 A122 542A B04F 24E3
  Key Name:         Amazon Services LLC (Amazon Corretto release) <[email protected]>
  Key Algorithm:    RSA 4096
  Key Created:      Tue Dec  3 21:17:37 2024
  Key Expires:      Sun Dec  2 21:17:37 2029
  Rpm Name:         gpg-pubkey-b04f24e3-674f7571



    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key's name. If
    you are not sure whether the presented key is authentic, ask the repository provider or check
    their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they
    are using.

Do you want to reject the key, or trust always? [r/a/?] (r): a
Retrieving repository 'Amazon Corretto' metadata .............................................................................................................................................................................................................................................[done]
Building repository 'Amazon Corretto' cache ..................................................................................................................................................................................................................................................[done]
Repository 'Update repository of openSUSE Backports' is up to date.
Repository 'Non-OSS Repository' is up to date.
Repository 'Open H.264 Codec (openSUSE Leap)' is up to date.
Repository 'Main Repository' is up to date.
Repository 'Update repository with updates from SUSE Linux Enterprise 15' is up to date.
Repository 'Main Update Repository' is up to date.
Repository 'Update Repository (Non-Oss)' is up to date.
All repositories have been refreshed.
c697294b0f89:/ # zypper ref
Repository 'Amazon Corretto' is up to date.
Repository 'Update repository of openSUSE Backports' is up to date.
Repository 'Non-OSS Repository' is up to date.
Repository 'Open H.264 Codec (openSUSE Leap)' is up to date.
Repository 'Main Repository' is up to date.
Repository 'Update repository with updates from SUSE Linux Enterprise 15' is up to date.
Repository 'Main Update Repository' is up to date.
Repository 'Update Repository (Non-Oss)' is up to date.
All repositories have been refreshed.
c697294b0f89:/ # zypper clean -a
All repositories have been cleaned up.
c697294b0f89:/ # zypper ref
Retrieving repository 'Amazon Corretto' metadata .............................................................................................................................................................................................................................................[done]
Building repository 'Amazon Corretto' cache ..................................................................................................................................................................................................................................................[done]
Retrieving repository 'Update repository of openSUSE Backports' metadata .....................................................................................................................................................................................................................[done]
Building repository 'Update repository of openSUSE Backports' cache ..........................................................................................................................................................................................................................[done]
Retrieving repository 'Non-OSS Repository' metadata ..........................................................................................................................................................................................................................................[done]
Building repository 'Non-OSS Repository' cache ...............................................................................................................................................................................................................................................[done]
Retrieving repository 'Open H.264 Codec (openSUSE Leap)' metadata ............................................................................................................................................................................................................................[done]
Building repository 'Open H.264 Codec (openSUSE Leap)' cache .................................................................................................................................................................................................................................[done]
Retrieving repository 'Main Repository' metadata .............................................................................................................................................................................................................................................[done]
Building repository 'Main Repository' cache ..................................................................................................................................................................................................................................................[done]
Retrieving repository 'Update repository with updates from SUSE Linux Enterprise 15' metadata ................................................................................................................................................................................................[done]
Building repository 'Update repository with updates from SUSE Linux Enterprise 15' cache .....................................................................................................................................................................................................[done]
Retrieving repository 'Main Update Repository' metadata ......................................................................................................................................................................................................................................[done]
Building repository 'Main Update Repository' cache ...........................................................................................................................................................................................................................................[done]
Retrieving repository 'Update Repository (Non-Oss)' metadata .................................................................................................................................................................................................................................[done]
Building repository 'Update Repository (Non-Oss)' cache ......................................................................................................................................................................................................................................[done]
All repositories have been refreshed.
c697294b0f89:/ #
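The zypper prompt in the output above makes the point that matters for a repository signing key: trust the fingerprint, not the key name. Earlier in the thread, speedj also hit the other common mistake, running `gpg --dearmor` on a corretto.key that is already binary, which writes garbage into the keyring. As an added example (not code from this thread or from the Corretto project), the Python below checks both points before a key would be installed. It works on captured data so it runs without gpg, rpm or network access: the caller is assumed to have fetched the key bytes and, for the metadata check, to have run `gpg --show-keys --with-colons` on the file. The colon records, the binary stand-in bytes and the "now" timestamp are constructed here; key ID, fingerprint and the dates behind the timestamps come from this thread.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Fingerprint as printed in the thread's zypper output. Pin this, never the
# key name or the short ID B04F24E3.
EXPECTED_FPR = "6DC3 636D AE53 4049 C8B9 4623 A122 542A B04F 24E3"

# Constructed samples of `gpg --show-keys --with-colons corretto.key` output in
# gpg's real layout (field 6 = key creation, field 7 = expiry, Unix seconds).
# Key ID and fingerprint are the thread's; timestamps are derived from the dates
# it quotes (created 2019-12-05, expired 2024-12-03, renewed to 2029-12-02).
# Renewal changed only field 7: same key, same fingerprint, later expiry.
SAMPLE_EXPIRED = """\
pub:e:4096:1:A122542AB04F24E3:1575569945:1733249945::-:::scESCA::::::23::0:
fpr:::::::::6DC3636DAE534049C8B94623A122542AB04F24E3:
"""
SAMPLE_RENEWED = """\
pub:-:4096:1:A122542AB04F24E3:1575569945:1890940657::-:::scESCA::::::23::0:
fpr:::::::::6DC3636DAE534049C8B94623A122542AB04F24E3:
"""
# Stand-in for a binary (already dearmored) key file; not a real key packet.
SAMPLE_BINARY = bytes.fromhex("99010d0462020100")


@dataclass
class KeyInfo:
    keyid: str
    created: int
    expires: int | None  # None when the key never expires
    fingerprint: str


def parse_colons(text: str) -> list[KeyInfo]:
    """Pair each primary-key 'pub' record with the 'fpr' record following it."""
    keys, pending = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending = (f[4], int(f[5]), int(f[6]) if f[6] else None)
        elif f[0] == "fpr" and pending is not None:
            keys.append(KeyInfo(*pending, fingerprint=f[9]))
            pending = None
    return keys


def check_key(key: KeyInfo, expected_fpr: str, now: int) -> list[str]:
    """Reasons this key must not be installed; an empty list means acceptable."""
    norm = lambda s: re.sub(r"\s+", "", s).upper()
    problems = []
    if norm(key.fingerprint) != norm(expected_fpr):
        problems.append("fingerprint does not match the published fingerprint")
    if key.expires is not None and key.expires <= now:
        problems.append(f"key expired at unix time {key.expires}")
    return problems


ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def is_ascii_armored(data: bytes) -> bool:
    return data.lstrip().startswith(ARMOR_BEGIN.encode())


def crc24(data: bytes) -> int:
    """OpenPGP radix-64 checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(raw: bytes) -> bytes:
    """ASCII-armor key bytes (used here only to build sample input)."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return f"{ARMOR_BEGIN}\n\n{body}\n={crc}\n{ARMOR_END}\n".encode()


def dearmor(data: bytes) -> bytes:
    """Decode an armored block, skipping armor headers and verifying the CRC."""
    lines = [l.strip() for l in data.decode("ascii").splitlines()]
    body = lines[lines.index(ARMOR_BEGIN) + 1:lines.index(ARMOR_END)]
    if "" in body:  # armor headers ("Version:", "Comment:") end at a blank line
        body = body[body.index("") + 1:]
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    for l in body:
        if l.startswith("=") and int.from_bytes(base64.b64decode(l[1:]), "big") != crc24(raw):
            raise ValueError("armor CRC-24 mismatch: key file corrupted in transit")
    return raw


def to_binary_key(data: bytes) -> bytes:
    """Dearmor only when armored; dearmoring binary input (the thread's mistake) yields garbage."""
    return dearmor(data) if is_ascii_armored(data) else data


if __name__ == "__main__":
    NOW = 1733961600  # constructed "now": 2024-12-12 00:00:00 UTC
    for key in parse_colons(SAMPLE_EXPIRED) + parse_colons(SAMPLE_RENEWED):
        verdict = check_key(key, EXPECTED_FPR, NOW)
        print(key.keyid, key.expires, "REJECT" if verdict else "OK", "; ".join(verdict))
    assert to_binary_key(armor(SAMPLE_BINARY)) == to_binary_key(SAMPLE_BINARY)
```

Only a key that passes `check_key` with an empty list would be written to `/usr/share/keyrings`, and the bytes written are `to_binary_key(downloaded)`, so the same fetch works whether the server serves the key armored or already dearmored.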

@emrecio

emrecio commented Dec 12, 2024

So the only difference is that you're doing it on a fresh image, not on a previously installed system which may have had the old gpg key installed. I had to uninstall the old key using rpmkeys:

Note the old key that gives you a warning as noted above, then see the last line: "Rpm Name: gpg-pubkey-b04f24e3-5de94a19".
Confirm that it's in there:

# rpm -qa gpg-pubkey | grep 5de94a19

Remove it:

# rpm -e gpg-pubkey-b04f24e3-5de94a19
# zypper clean -a
# zypper ref
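benty-amzn's question (does `rpm -q gpg-pubkey | grep b04f24e3` still list the key?) and emrecio's fix both come down to telling the two `gpg-pubkey-b04f24e3-*` packages apart. As an added example, not from this thread or the Corretto project, the Python below decodes what that package name carries and picks the older duplicate. rpm names an imported key `gpg-pubkey-<low 32 bits of the key ID>-<hex Unix timestamp>`; the thread's own data shows the timestamp tracking the key's self-signature rather than the key itself (0x674f7571 decodes to 2024-12-03 21:17:37 UTC, the date Seahorse lists for the User ID, while the key's creation stays 2019-12-05), which is why the renewed key, fingerprint unchanged, appears as a second package beside the expired one. The `rpm -q gpg-pubkey` output is a constructed sample (the two names quoted in the thread plus one made-up entry), so this runs without rpm or root.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `rpm -q gpg-pubkey` output: the two Corretto key
# packages named in the thread plus one made-up, unrelated entry.
SAMPLE_RPM_Q = """\
gpg-pubkey-0badc0de-5e000000
gpg-pubkey-b04f24e3-5de94a19
gpg-pubkey-b04f24e3-674f7571
"""

# gpg-pubkey-<short key ID>-<hex Unix time>; the time follows the key's
# self-signature, so a renewed key shows up as a new package name.
NAME_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})$")


def parse_pubkey_name(name: str) -> tuple[str, int]:
    """Split a gpg-pubkey package name into (short key ID, Unix timestamp)."""
    m = NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not an rpm gpg-pubkey package name: {name!r}")
    return m.group(1), int(m.group(2), 16)


def created_utc(name: str) -> str:
    """Human-readable self-signature time encoded in the package name."""
    ts = parse_pubkey_name(name)[1]
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def stale_pubkeys(rpm_output: str, keyid: str) -> list[str]:
    """Package names for `keyid` older than its newest import, i.e. the ones to
    pass to `rpm -e`. Returns [] when no newer import exists, so a lone (even
    expired) key is never removed before its replacement is in place."""
    matching = []
    for name in rpm_output.split():
        kid, ts = parse_pubkey_name(name)
        if kid == keyid.lower()[-8:]:  # accepts long or short key IDs
            matching.append((ts, name))
    matching.sort()
    return [name for _, name in matching[:-1]]


if __name__ == "__main__":
    for name in SAMPLE_RPM_Q.split():
        print(name, created_utc(name))
    print("remove:", stale_pubkeys(SAMPLE_RPM_Q, "A122542AB04F24E3"))
```

On the affected desktop this would report `gpg-pubkey-b04f24e3-5de94a19` as the package to remove, matching the fix emrecio arrived at by hand; on the fresh container, where only the renewed package exists, it reports nothing.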
