[SERVER-31698] Packages cannot be authenticated — revisited Created: 24/Oct/17  Updated: 15/Oct/18  Resolved: 27/Oct/17

Status: Closed
Project: Core Server
Component/s: Packaging
Affects Version/s: 3.6.0-rc0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: James Newton Assignee: Zakhar Kleyman
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by DOCS-10933 Fix GPG issue with MongoDB Ubuntu ins... Closed
Related
is related to SERVER-27398 packages cannot be authenticated Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

On a brand new server running Ubuntu 16.04.3, I follow the steps to install MongoDB Community Edition, as described here.

After executing the line `sudo apt-get install mongodb-org`, I get this warning:

WARNING: The following packages cannot be authenticated!
  mongodb-org-shell mongodb-org-server mongodb-org-mongos mongodb-org-tools mongodb-org
Install these packages without verification? [y/N]

I tried the steps proposed by Brian Samek for the earlier bug, updating them to the current version:

sudo rm /etc/apt/sources.list.d/mongodb-org-3.6.list
sudo apt-get update
echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list
sudo apt-get update
sudo apt-get install -y mongodb-org

My complete terminal session is shown below.

$ sudo find / -name "mongo*"
/etc/apt/sources.list.d/mongodb-org-3.6.list
blackslate@lexogram:~$ sudo rm /etc/apt/sources.list.d/mongodb-org-3.6.list
blackslate@lexogram:~$ sudo find / -name "mongo*"
blackslate@lexogram:~$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5
Executing: /tmp/tmp.17prbTsQbs/gpg.1.sh --keyserver
hkp://keyserver.ubuntu.com:80
--recv
2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5
gpg: requesting key 91FA4AD5 from hkp server keyserver.ubuntu.com
gpg: key 91FA4AD5: "MongoDB 3.6 Release Signing Key <packaging@mongodb.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
blackslate@lexogram:~$ echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list
deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing multiverse
blackslate@lexogram:~$
blackslate@lexogram:~$ sudo apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:2 http://mirrors.melbourne.co.uk/ubuntu xenial InRelease
Hit:3 http://mirrors.melbourne.co.uk/ubuntu xenial-updates InRelease
Hit:4 http://mirrors.melbourne.co.uk/ubuntu xenial-backports InRelease
Ign:5 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing InRelease
Hit:6 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release
Get:7 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release.gpg [801 B]
Ign:7 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release.gpg
Fetched 103 kB in 0s (152 kB/s)
Reading package lists... Done
W: GPG error: http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BC711F9BA15703C6
*W: The repository 'http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.*
N: See apt-secure(8) manpage for repository creation and user configuration details.
blackslate@lexogram:~$ sudo apt-get install mongodb-org
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
mongodb-org-mongos mongodb-org-server mongodb-org-shell mongodb-org-tools
The following NEW packages will be installed
mongodb-org mongodb-org-mongos mongodb-org-server mongodb-org-shell mongodb-org-tools
0 to upgrade, 5 to newly install, 0 to remove and 0 not to upgrade.
Need to get 68.8 MB of archives.
After this operation, 282 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
*WARNING: The following packages cannot be authenticated!
mongodb-org-shell mongodb-org-server mongodb-org-mongos mongodb-org-tools mongodb-org
Install these packages without verification? [y/N]*

Participants:

 Description   

This bug looks very similar to an earlier one which was apparently resolved:

SERVER-27398

The MongoDB 3.6 Release Signing Key appears not to be recognized: mongodb packages cannot be authenticated.



 Comments   
Comment by Ramon Fernandez Marina [ 06/Jun/18 ]

Hi jgoeglein; this behavior is expected:

  • you seem to have the testing repo configured
  • we just started publishing release candidates for the upcoming 4.0 release
  • the 4.0 release has a different key than 3.6

Glad to hear you were able to sort this out – and thanks for posting detailed instructions on how to address this for everyone else that runs into this issue.

Regards,
Ramón.

Comment by Jesse Goeglein [ 06/Jun/18 ]

Hello Zakhar,

Sorry to resurrect a closed ticket, but it looks like this cropped up again with the upcoming 4.0 release. Even though I'm running 3.6 on my ubuntu 16.04.03 server with the 3.6 signing keys already downloaded, I started getting his same error. After deleting and reimporting the 3.6 keys as suggested in this thread, I ended up going back to James' original installation instructions and re-downloaded the key from there here

It turns out that command actually downloads the 4.0 signing key, which resolved my problem:

sudo apt-get update
Ign:1 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing InRelease
Get:2 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release [5,385 B]
Hit:3 mirror://mirrors.ubuntu.com/mirrors.txt xenial InRelease
Get:4 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release.gpg [801 B]
Err:4 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 68818C72E52529D4
Fetched 6,186 B in 0s (7,789 B/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 68818C72E52529D4
W: Failed to fetch http://repo.mongodb.org/apt/ubuntu/dists/xenial/mongodb-org/testing/Release.gpg  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 68818C72E52529D4
W: Some index files failed to download. They have been ignored, or old ones used instead.

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
Executing: /tmp/tmp.s4sWY7RG9Q/gpg.1.sh --keyserver
hkp://keyserver.ubuntu.com:80
--recv
9DA31620334BD75D9DCB49F368818C72E52529D4
gpg: requesting key E52529D4 from hkp server keyserver.ubuntu.com
gpg: key E52529D4: public key "MongoDB 4.0 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1) 

sudo apt-get update
Ign:1 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing InRelease
Get:2 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release [5,385 B]
Hit:3 mirror://mirrors.ubuntu.com/mirrors.txt xenial InRelease
Get:4 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release.gpg [801 B]
Get:5 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing/multiverse amd64 Packages [40.3 kB]
Get:6 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing/multiverse arm64 Packages [28.1 kB]
Fetched 74.6 kB in 2s (35.6 kB/s)

Comment by Zakhar Kleyman [ 24/Oct/17 ]

James,

Upon further review, I found that the error that you originally got was related to our rc release process.
Currently, RC versions from all branches go to the same repo. After 3.6.0-rc0, we also released 3.4.10-rc0, so the repo got signed with 3.4 key. Instructions that you followed had a step import the key for 3.6. Import step actually completed fine, but it wasn't the key that the repo was signed with.

The steps I provided you turned out to do nothing to fix this. What actually resolved the problem was the 3.6.0-rc1 release that we did earlier today because it re-signed the repo with 3.6 key again.
All my tests happened after that, so I wasn't able to reproduce.

Once we release 3.6 GA, it would use a separate repo (xenial/mongodb-org/3.6), similarly to 3.4, so it will not be affected by any other branches. (You'd need to update /etc/apt/sources.list.d/mongodb-org-3.6.list though).

We'll also work on fixing the RC release process to prevent issues like this in the future.

I appologize for the incovinience it caused.

Comment by James Newton [ 24/Oct/17 ]

Hi Zakhar,

Your steps do seem to solve the issue. I had gone ahead and installed
MongoDB anyway, as the printout below will show.

Thanks for your help!

James

$ sudo apt-key list
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <
ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12

pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <
ftpmaster@ubuntu.com>

pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <
cdimage@ubuntu.com>

pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <
cdimage@ubuntu.com>

pub 4096R/91FA4AD5 2016-12-14 [expires: 2018-12-14]
uid MongoDB 3.6 Release Signing Key <packaging@mongodb.com>

$ sudo apt-key del 91FA4AD5
OK
$ */usr/bin/curl -sLO https://www.mongodb.org/static/pgp/server-3.6.asc
<https://www.mongodb.org/static/pgp/server-3.6.asc> && sudo
/usr/bin/apt-key add server-3.6.asc*
OK
$ *echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu
<http://repo.mongodb.org/apt/ubuntu> xenial/mongodb-org/testing multiverse"
deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu
xenial/mongodb-org/testing multiverse
blackslate@lexogram:~$ sudo apt-get update
Hit:1 http://mirrors.melbourne.co.uk/ubuntu xenial InRelease
Hit:2 http://mirrors.melbourne.co.uk/ubuntu xenial-updates InRelease

Hit:3 http://mirrors.melbourne.co.uk/ubuntu xenial-backports InRelease

Get:4 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]

Hit:5 https://deb.nodesource.com/node_4.x xenial InRelease

Ign:6 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing
InRelease
Ign:7 https://oss-binaries.phusionpassenger.com/apt/passenger xenial
InRelease
Hit:8 https://oss-binaries.phusionpassenger.com/apt/passenger xenial Release
Get:9 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/testing Release
[5,385 B]
Fetched 108 kB in 0s (152 kB/s)
Reading package lists... Done
$ sudo apt-get install mongodb-org
Reading package lists... Done
Building dependency tree
Reading state information... Done
mongodb-org is already the newest version (3.6.0~rc1).
0 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.

On 24 October 2017 at 20:54, Zakhar Kleyman (JIRA) <jira@mongodb.org> wrote:

Comment by Zakhar Kleyman [ 24/Oct/17 ]

Hello, James.

The steps you're using seem to be correct. I did everything you did on a fresh ubuntu 16.04.3 vagrant box and it worked ok for me.

Can you please run "sudo apt-key list" on the box you're trying to install mongodb-org on and share the output?

If 91FA4AD5 is there, can you try to delete it with "sudo apt-key del 91FA4AD5" and then re-import with the command below?

/usr/bin/curl -sLO https://www.mongodb.org/static/pgp/server-3.6.asc && sudo /usr/bin/apt-key add server-3.6.asc

It should do the same thing as "sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5" but it pulls the key from our servers instead of ubuntu. It's the same key though.

Update: You might also need to run "sudo apt-get update" in between deleting the key with apt-key del and re-adding it.

Generated at Thu Feb 08 04:27:55 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.