[DOCS-13691] Provided signing key does not match Debian buster packages Created: 08/Jun/20  Updated: 30/Oct/23  Resolved: 09/Jun/20

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Bug Priority: Major - P3
Reporter: Johannes Wienke Assignee: Ravind Kumar (Inactive)
Resolution: Done Votes: 1
Labels: debian, signing
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Participants:
Days since reply: 3 years, 35 weeks, 1 day ago
Epic Link: DOCSP-1769

 Description   

Description

The current installation instructions advise to execute the following command to obtain a valid signing key for the MongoDB 4.2 server:

wget -qO - https://www.mongodb.org/static/pgp/server-4.2.asc | sudo apt-key add -

This currently yields a key with the following fingerprint:

E162 F504 A20C DF15 827F  718D 4B7C 549A 058F 8B6B

However, the packages currently available seem to be signed with 656408E390CFB1F5.

Therefore, the installation instructions currently fail:

wget -qO - https://www.mongodb.org/static/pgp/server-4.2.asc | apt-key add 
Warning: apt-key output should not be parsed (stdout is not a terminal)
OK
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 main" | tee /etc/apt/sources.list.d/mongodb-org-4.2.list
deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 main
apt-get update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Ign:2 http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 InRelease
Get:3 http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 Release [1488 B]
Get:4 http://deb.debian.org/debian buster InRelease [121 kB]
Get:5 http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 Release.gpg [801 B]
Get:6 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:7 http://security.debian.org/debian-security buster/updates/main amd64 Packages [201 kB]
Ign:5 http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 Release.gpg
Get:8 http://deb.debian.org/debian buster/main amd64 Packages [7905 kB]
Get:9 http://deb.debian.org/debian buster-updates/main amd64 Packages [7592 B]
Reading package lists...
W: GPG error: http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 656408E390CFB1F5
E: The repository 'http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 Release' is not signed.

{{}}

Scope of changes

Impact to Other Docs

MVP (Work and Date)

Resources (Scope or Design Docs, Invision, etc.)



 Comments   
Comment by Ravind Kumar (Inactive) [ 09/Jun/20 ]

Thanks for your patience everyone. We appreciate the outreach.

Comment by Johannes Wienke [ 09/Jun/20 ]

Yes, also works again on our side.

Comment by Alon Reznik [ 09/Jun/20 ]

Hi Ravind.

Seems to be fixed.

 

Thanks for all of the help

 

Alon

Comment by Ravind Kumar (Inactive) [ 08/Jun/20 ]

Hey folks!

Our engineers deployed changes to fix the affected repositories. Please let us know if there are continued issues for deployment.

We're also exploring mitigations to prevent this issue from happening again.

cc johannes.wienke@plan.one alon@rivery.io

Comment by Ravind Kumar (Inactive) [ 08/Jun/20 ]

Hi alon@rivery.io,

We have multiple engineers actively working on this issue. I've notified them of the deployment blocker as well.

We appreciate your patience. As soon as our team knows of a fix, we will update this ticket.

Comment by Alon Reznik [ 08/Jun/20 ]

Hi Guys.

I think you already know that this blocking any deployments using Docker(s) that includes your package.

If not - please prioritize this a critical due to it blocks our deployments for now.

Thanks!

Comment by Ravind Kumar (Inactive) [ 08/Jun/20 ]

Hi johannes.wienke@plan.one,

Thanks for letting us know - our engineers are aware of the issue and are investigating.

It looks like the release may have been signed with the MongoDB 4.4 key. You can install that key as a temporary work-around:

wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -

See Step 1 of our 4.4 Installation Instructions for more information.

I understand this is inconvenient. Once the issue is resolved, you should no longer require the 4.4 public key for installing 4.2-series binaries. I can leave this ticket open and resolve once the issue has been addressed.

Generated at Thu Feb 08 08:08:29 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.