[SERVER-80968] PGP Key changed on mongodb-org/testing Created: 12/Sep/23  Updated: 29/Oct/23  Resolved: 13/Oct/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.2.0-rc0

Type: Bug Priority: Major - P3
Reporter: Joseph Ferguson Assignee: Dylan Richardson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Release Infrastructure
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Set up gpg keys (all the release keys as used in the past):

$ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 20691EEC35216C63CAF66CE1656408E390CFB1F5
gpg: keybox '/tmp/tmp.iaIflEL03S/pubring.kbx' created
gpg: /tmp/tmp.iaIflEL03S/trustdb.gpg: trustdb created
gpg: key 656408E390CFB1F5: public key "MongoDB 4.4 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 39BD841E4BE5FB195A65400E6A26B1AE64C3C388
gpg: key 6A26B1AE64C3C388: public key "MongoDB 6.0 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 9DA31620334BD75D9DCB49F368818C72E52529D4
gpg: key 68818C72E52529D4: public key "MongoDB 4.0 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys E162F504A20CDF15827F718D4B7C549A058F8B6B
gpg: key 4B7C549A058F8B6B: public key "MongoDB 4.2 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys E58830201F7DD82CD808AA84160D26BB1785BA38
gpg: key 160D26BB1785BA38: public key "MongoDB 7.0 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys F5679A222C647C87527C2F8CB00A0BD1E2C63C11
gpg: key B00A0BD1E2C63C11: public key "MongoDB 5.0 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ mkdir -p /etc/apt/keyrings
$ gpg --batch --export 20691EEC35216C63CAF66CE1656408E390CFB1F5 39BD841E4BE5FB195A65400E6A26B1AE64C3C388 9DA31620334BD75D9DCB49F368818C72E52529D4 E162F504A20CDF15827F718D4B7C549A058F8B6B E58830201F7DD82CD808AA84160D26BB1785BA38 F5679A222C647C87527C2F8CB00A0BD1E2C63C11 > /etc/apt/keyrings/mongodb.gpg

Set up the apt sources.list:

$ echo 'deb [ signed-by=/etc/apt/keyrings/mongodb.gpg ] http://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/testing multiverse' > '/etc/apt/sources.list.d/mongodb-org.list'
$ # also the regular repo for other deps like mongo-org-shell
$ echo 'deb [ signed-by=/etc/apt/keyrings/mongodb.gpg ] http://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse' > '/etc/apt/sources.list.d/mongodb-7.0.list'

Try to apt-get update:

$ apt-get update
Get:1 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
...
Get:22 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [1059 kB]
Get:23 http://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 Release.gpg [866 B]
Get:24 http://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/testing Release.gpg [866 B]
Ign:24 http://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/testing Release.gpg
Get:25 http://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0/multiverse amd64 Packages [10.8 kB]
Reading package lists...
W: GPG error: http://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 81B0EBBBADCEA95C
E: The repository 'http://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/testing Release' is not signed.

With the same error for focal/mongodb-org/testing:

W: GPG error: http://repo.mongodb.org/apt/ubuntu focal/mongodb-org/testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 81B0EBBBADCEA95C

Participants:
Story Points: 1

Description

The apt signing key for https://repo.mongodb.org/apt/ubuntu/dists/jammy/mongodb-org/testing has changed with the release of 7.0.2~rc1. This breaks the build of 7.0.2~rc1 as well as of other RCs like 6.0.10~rc0 (and 5.0.21~rc0 in the focal suite).

The ID mentioned by apt when attempting to use the repo (81B0EBBBADCEA95C) does not match any of the keys on https://pgp.mongodb.com/.

Comments
Comment by Dylan Richardson [ 29/Sep/23 ]

Hi Joseph!

We made a change three weeks ago to our development and testing repositories to use a new key for signing repository metadata. Previously, we were actually using a "random" key depending on which version of the server we had most recently published. We didn't like this behavior because it meant that we couldn't tell users one specific key which was in use for that repository. You could get around it by importing all possible keys like you have done, but you also had to keep that list of keys up to date for distributions where we are publishing new major versions.

Instead, we now have a single, long-lived key we will be using for development and testing releases in these repositories. We didn't realize we had external users for the testing/development repositories, so we hadn't published the new key to pgp.mongodb.com. I have now done so, and you can find the correct key at https://pgp.mongodb.com/server-dev.asc.

Let me know if you have any other problems with this new key!
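As an added example (not code from this issue or from MongoDB): a POSIX shell check that compares the NO_PUBKEY IDs apt prints against the fingerprints in a signed-by keyring, using the fact that apt reports the 64-bit long key ID, i.e. the last 16 hex digits of the fingerprint. It assumes the fingerprint list comes from `gpg --show-keys --with-colons` on the keyring; the real fingerprint of the new server-dev key is not in this issue, so the sample inputs use only the keys quoted above plus the apt warnings as constructed data.

```shell
#!/bin/sh
# Added example, not code from this issue or from MongoDB.
# apt's NO_PUBKEY value is the 64-bit long key ID: the last 16 hex digits of the
# key fingerprint. Comparing it against the fingerprints in the signed-by keyring
# tells you which key apt is missing, and lets you confirm that a key you are
# about to add (e.g. server-dev.asc) is the one apt actually asked for.

# Fingerprints the reporter exported into /etc/apt/keyrings/mongodb.gpg.
# On a real system list them from the keyring with:
#   gpg --show-keys --with-colons /etc/apt/keyrings/mongodb.gpg | awk -F: '$1=="fpr"{print $10}'
KEYRING_FPRS='20691EEC35216C63CAF66CE1656408E390CFB1F5
39BD841E4BE5FB195A65400E6A26B1AE64C3C388
9DA31620334BD75D9DCB49F368818C72E52529D4
E162F504A20CDF15827F718D4B7C549A058F8B6B
E58830201F7DD82CD808AA84160D26BB1785BA38
F5679A222C647C87527C2F8CB00A0BD1E2C63C11'

# Constructed sample: the apt-get update warnings quoted in this issue.
APT_OUTPUT=$(cat <<'EOF'
W: GPG error: http://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 81B0EBBBADCEA95C
E: The repository 'http://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/testing Release' is not signed.
W: GPG error: http://repo.mongodb.org/apt/ubuntu focal/mongodb-org/testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 81B0EBBBADCEA95C
EOF
)

# Long key ID (last 16 hex digits, upper-cased) of a fingerprint, as apt prints it.
long_key_id() {
  printf '%s' "$1" | tail -c 16 | tr 'a-f' 'A-F'
  echo
}

# Unique NO_PUBKEY IDs found in apt output, one per line.
reported_key_ids() {
  printf '%s\n' "$1" | grep -oE 'NO_PUBKEY [0-9A-Fa-f]{16}' | awk '{print toupper($2)}' | sort -u
}

# Reported key IDs that no fingerprint in the keyring list covers.
#   $1: apt output   $2: newline-separated fingerprints
missing_key_ids() {
  known=$(printf '%s\n' "$2" | while read -r fpr; do
    [ -n "$fpr" ] && long_key_id "$fpr"
  done)
  reported_key_ids "$1" | while read -r kid; do
    printf '%s\n' "$known" | grep -qx "$kid" || echo "$kid"
  done
}

# Stand-alone run: with the reporter's keyring, 81B0EBBBADCEA95C is reported missing.
missing_key_ids "$APT_OUTPUT" "$KEYRING_FPRS" | sed 's/^/keyring lacks NO_PUBKEY /'
```

Before adding a downloaded key to the signed-by keyring, run the same comparison with its fingerprint appended to the list; an empty result means the new key is the one apt was asking for.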

Generated at Thu Feb 08 06:45:05 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.