Problem with Debian repository key

Hi to everyone.

apt is complaining about a missing public key:

Errore:1 https://apt.grafana.com stable InRelease
  Le seguenti firme non sono state verificate perché la chiave pubblica non è disponibile: NO_PUBKEY 9E439B102CF3C0C6

but the key is there:

gpg --show-keys /usr/share/keyrings/grafana.gpg
pub   rsa3072 2023-01-06 [SC] [scadenza: 2025-01-05]
      0E22EB88E39E12277A7760AE9E439B102CF3C0C6
uid                      Grafana Labs <engineering@grafana.com>
sub   rsa3072 2023-01-06 [E] [scadenza: 2025-01-05]

My grafana.list is:

cat /etc/apt/sources.list.d/grafana.list 
deb [signed-by=/usr/share/keyrings/grafana.gpg] https://apt.grafana.com stable main

What am I missing?

The key was emergency-rotated, as fallout from the CircleCI breach.

Whenever there’s a key problem with the repo signing key, I’ve found it best to check https://packages.grafana.com/oss/ – there’s usually something useful there. In this case:

The GPG key used to sign the APT repository (fingerprint 4E40DDF6D76E284A4A6780E48C8C34C524098CB6) was rotated on 2023-01-12 and replaced with a new key with fingerprint 0E22EB88E39E12277A7760AE9E439B102CF3C0C6.
If you enabled the repository before that, you will see errors when running apt update.
To fix this, re-run the commands below to fetch the new key. See the following blog post for more information: Grafana Labs update regarding CircleCI security updates | Grafana Labs

(I had to stop there, I’ve not used the community pages from this account before so hit a new-user 2-links limit)

2 Likes

Thanks for your answer.
I had already found the news about the key rotation and downloaded the new key; please see the fingerprint posted in my previous message.
But I still get an error from apt, and the error message is pointing to the new key:
NO_PUBKEY 9E439B102CF3C0C6

EDIT: OK, I was missing the command gpg --dearmor on the key; now it works.

1 Like
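
Added example (not part of the original posts, and not Grafana's code): a small POSIX shell check for the situation resolved above, where gpg --show-keys reads the key file but apt still reports NO_PUBKEY. It relies on apt treating a .gpg keyring as binary and only a .asc file as ASCII armor; the function names and the temporary sample file are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): why apt reports NO_PUBKEY for a key
# file that gpg --show-keys reads without complaint.

# Print "armored", "binary" or "missing" for a keyring file. apt reads a
# *.gpg keyring as binary OpenPGP data and only a *.asc file as ASCII armor.
keyring_format() {
    [ -r "$1" ] || { echo missing; return; }
    if head -n 1 "$1" | LC_ALL=C grep -q -e '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
    else
        echo binary
    fi
}

# Succeed if the 16-digit key ID from NO_PUBKEY is the tail of the fingerprint.
keyid_matches_fpr() {
    case "$2" in
        *"$1") [ "${#1}" -eq 16 ] ;;
        *) return 1 ;;
    esac
}

# Extract the signed-by= path from a one-line sources.list entry.
signed_by_path() {
    printf '%s\n' "$1" | sed -n 's/.*\[[^]]*signed-by=\([^] ,]*\).*/\1/p'
}

# Usage: diagnose "<sources line>" <NO_PUBKEY id> <fingerprint of the key file>
diagnose() {
    keyfile=$(signed_by_path "$1")
    case "$keyfile:$(keyring_format "$keyfile")" in
        *.gpg:armored) echo "armored key in .gpg file: run gpg --dearmor" ;;
        *:missing)     echo "keyring file not found: $keyfile" ;;
        *) if keyid_matches_fpr "$2" "$3"; then
               echo "binary keyring holds the requested key"
           else
               echo "keyring holds a different key than apt asks for"
           fi ;;
    esac
}

# Constructed sample: a file with only the armor header line, not a real key.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$tmp/grafana.gpg"
diagnose "deb [signed-by=$tmp/grafana.gpg] https://apt.grafana.com stable main" \
    9E439B102CF3C0C6 0E22EB88E39E12277A7760AE9E439B102CF3C0C6
rm -rf "$tmp"
```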

Can you explain the exact command? I have the same issue.

From the link posted by ptpdp before:
https://packages.grafana.com/oss/

$ mkdir -p /etc/apt/keyrings/
$ wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor > /etc/apt/keyrings/grafana.gpg
$ echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" | tee /etc/apt/sources.list.d/grafana.list

1 Like

Neither these commands nor the ones from the blog actually work for me (Ubuntu).

EDIT:
It seems that for Ubuntu 20.04 the GPG key must be put into /etc/apt/trusted.gpg.d, else it simply does not work.

Greetings all, noob here. Just inherited this from someone else.

For me what worked is the link sent by @ptpdp

Grafana Labs update regarding CircleCI security updates | Grafana Labs

In case someone needs a fix without going around in circles…

For anyone on Raspberry Pi, the commands that will solve the problem are:

cd /etc/apt/trusted.gpg.d/
sudo wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/grafana.gpg >/dev/null
echo "deb [signed-by=/etc/apt/trusted.gpg.d/grafana.gpg] https://apt.grafana.com stable main" | sudo tee /etc/apt/sources.list.d/grafana.list

5 Likes

Thanks :smiley: