Update ROS apt repo key #816

Merged: christophebedard merged 5 commits into main from christophebedard/update-apt-repo-key on Jun 2, 2025

@christophebedard
Member

@christophebedard christophebedard commented Jun 1, 2025

Fixes #815.

The current/old one expired on June 1st (today). See https://discourse.ros.org/t/ros-signing-key-migration-guide/43937.

Just update the public key and keep the apt repository setup as-is, since CI doesn't really benefit from installing the new ros2-apt-source package. See the key update here: ros/rosdistro#46048. The key copied here is specifically this one: https://github.com/ros/rosdistro/blob/master/ros.asc. Someone else should double-check that it matches.

@christophebedard
Member Author

I pushed an empty commit at first just to see what's broken. The answer is "basically all jobs."

christophebedard force-pushed the christophebedard/update-apt-repo-key branch from 375e876 to 33213c1 on June 1, 2025 17:47
christophebedard requested a review from a team as a code owner on June 1, 2025 17:47
christophebedard requested review from MichaelOrlov and emersonknapp and removed request for a team on June 1, 2025 17:47
See ros/rosdistro#46048.

Signed-off-by: Christophe Bedard <bedard.christophe@gmail.com>
christophebedard force-pushed the christophebedard/update-apt-repo-key branch from 33213c1 to db439e7 on June 1, 2025 18:03
@christophebedard
Member Author

There are still issues with archive.ubuntu.com, so I'll try to retrigger failing jobs until they pass.

@christophebedard
Member Author

We might want to switch to downloading the key directly using sudo curl -sSL https://raw.githubusercontent.com/ros/rosdistro/master/ros.key -o /usr/share/keyrings/ros-archive-keyring.gpg, but for now this works.

@christophebedard
Member Author

Alright, all jobs finally passed. Now I'm just waiting for someone to validate that the public key is the same as https://github.com/ros/rosdistro/blob/master/ros.asc

@christianrauch
Contributor

> Alright, all jobs finally passed. Now I'm just waiting for someone to validate that the public key is the same as https://github.com/ros/rosdistro/blob/master/ros.asc

Well, my /etc/apt/sources.list.d/ros2.sources is using a different key:

Types: deb deb-src
URIs: http://packages.ros.org/ros2/ubuntu
Suites: noble
Components: main
Signed-By: [inline PGP public key block omitted]

Wouldn't it be easier to just install the new Debian package from https://github.com/ros-infrastructure/ros-apt-source/releases/? Alternatively, you could download ros2-archive-keyring.gpg from https://github.com/ros-infrastructure/ros-apt-source/tree/main/ros-apt-source/keys.
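
Added example, not part of the thread or the setup-ros code: one way to check that two copies of an armored public key decode to the same bytes, including a copy embedded inline in a deb822 `Signed-By:` field as in the `ros2.sources` above. The sample payloads are constructed dummy bytes and `key_digest`, `same_key_bytes` and `armor` are names chosen for this example; differing digests only show that the exports differ, which also happens when the same key is re-exported with a new expiry.

```shell
#!/bin/sh
# Added example (not from the PR): hash the decoded bytes of an ASCII-armored
# OpenPGP public key so copies can be compared regardless of line wrapping,
# armor headers, or deb822 "Signed-By:" embedding (leading space, " ." lines).

key_digest() {  # $1 = file holding one armored public key block
    b64=$(tr -d '\r' < "$1" |
        sed -e 's/^Signed-By:[[:space:]]*//' -e 's/^[[:space:]]*//' |
        awk '
            /^-----BEGIN PGP PUBLIC KEY BLOCK-----/ { inblk = 1; hdr = 1; next }
            /^-----END PGP PUBLIC KEY BLOCK-----/   { inblk = 0 }
            !inblk                         { next }
            hdr && ($0 == "" || $0 == ".") { hdr = 0; next }  # blank line ends armor headers
            hdr && /^[A-Za-z]+: /          { next }           # Version: or Comment: header
            { hdr = 0 }
            /^=/                           { next }           # CRC-24 line, not key data
            { printf "%s", $0 }
        ')
    [ -n "$b64" ] || { echo "no armored key block in $1" >&2; return 1; }
    printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
}

same_key_bytes() {  # exit 0 only when both files decode to identical bytes
    a=$(key_digest "$1") && b=$(key_digest "$2") && [ "$a" = "$b" ]
}

# --- Constructed samples: payloads are dummy bytes, not real keys ---
armor() {  # $1 = payload text, $2 = wrap width, $3 = optional armor header
    printf '%s\n' "-----BEGIN PGP PUBLIC KEY BLOCK-----"
    if [ -n "$3" ]; then printf '%s\n' "$3"; fi
    echo ""
    printf '%s' "$1" | base64 | tr -d '\n' | fold -w "$2"; echo
    echo "=AAAA"  # placeholder checksum line, skipped by key_digest
    printf '%s\n' "-----END PGP PUBLIC KEY BLOCK-----"
}
demo=$(mktemp -d)
A='constructed sample bytes standing in for key packets'
B='a different constructed sample standing in for another key'
armor "$A" 64 ""                         > "$demo/upstream.asc"
armor "$A" 32 "Comment: re-wrapped copy" > "$demo/pr_copy.asc"
armor "$B" 64 ""                         > "$demo/other.asc"
{   # deb822 source with the key embedded inline, as in the ros2.sources above
    printf 'Types: deb\nURIs: http://packages.ros.org/ros2/ubuntu\nSuites: noble\n'
    armor "$A" 64 "" | sed -e 's/^$/./' -e 's/^/ /' -e '1s/^ /Signed-By: /'
} > "$demo/ros2.sources"

same_key_bytes "$demo/upstream.asc" "$demo/pr_copy.asc"   && echo "pr_copy.asc: same bytes"
same_key_bytes "$demo/upstream.asc" "$demo/ros2.sources"  && echo "ros2.sources: same bytes"
same_key_bytes "$demo/upstream.asc" "$demo/other.asc"     || echo "other.asc: different bytes"
```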

christophebedard force-pushed the christophebedard/update-apt-repo-key branch 2 times, most recently from 7901333 to a77da28 on June 1, 2025 21:04
Signed-off-by: Christophe Bedard <bedard.christophe@gmail.com>
christophebedard force-pushed the christophebedard/update-apt-repo-key branch from a77da28 to 3add115 on June 1, 2025 21:31
This reverts commit 3add115.

Signed-off-by: Christophe Bedard <bedard.christophe@gmail.com>
christophebedard force-pushed the christophebedard/update-apt-repo-key branch from f0b9bbc to 94ac2c2 on June 1, 2025 21:56
@christophebedard
Member Author

christophebedard commented Jun 1, 2025

> Well, my /etc/apt/sources.list.d/ros2.sources is using a different key:

Not sure why. But the key that's used here (before this PR) is what used to be here, before it was updated https://github.com/ros/rosdistro/blob/master/ros.asc. That's what I used.

@codecov

codecov bot commented Jun 1, 2025

Codecov Report

Attention: Patch coverage is 75.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 92.85%. Comparing base (6b64243) to head (94ac2c2).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/setup-ros-ubuntu.ts | 75.00% | 1 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #816      +/-   ##
==========================================
- Coverage   93.38%   92.85%   -0.53%     
==========================================
  Files          10       10              
  Lines         257      252       -5     
  Branches       27       27              
==========================================
- Hits          240      234       -6     
- Misses         17       18       +1     

Signed-off-by: Christophe Bedard <bedard.christophe@gmail.com>
christophebedard force-pushed the christophebedard/update-apt-repo-key branch from 94ac2c2 to e3155d7 on June 1, 2025 21:58
This reverts commit e3155d7.

Signed-off-by: Christophe Bedard <bedard.christophe@gmail.com>
@christophebedard
Member Author

Alright, I gave both a shot (using the apt source package and downloading the key directly) and there's small annoying issues that I don't really have time to figure out in the very short term, so this is what I'll be going with. We can improve this later.

@christophebedard
Member Author

Alright, it passed again. Can you check the key like I described in the PR description?

@christianrauch
Contributor

> Alright, it passed again. Can you check the key like I described in the PR description?

Not sure how I should check this. I can confirm that the key that is added in the PR is the same as:

Note that this one is called RPM-GPG-KEY-ROS2. I would assume this key is used to sign the RPM packages and it is different from the one embedded in the /etc/apt/sources.list.d/ros2.sources.

But I guess the CI already checks that the repo can be accessed?

Btw, to avoid such key issues in the future, you could add an option to the action to ignore the key and always trust the repo (deb [trusted=yes]).

christophebedard merged commit 39978c2 into main on Jun 2, 2025
48 of 52 checks passed
christophebedard deleted the christophebedard/update-apt-repo-key branch on June 2, 2025 15:07
@christophebedard
Member Author

Thanks for validating.

> But I guess the CI already checks that the repo can be accessed?

Yes, it does.

> Btw, to avoid such key issues in the future, you could add an option to the action to ignore the key and always trust the repo (deb [trusted=yes]).

Not sure of the security implications of that, and I don't think that's really necessary.
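
Added example, not part of the thread or the action's code: a check that reports, for each entry in an APT source file, whether it is pinned to a key with `signed-by`, relies on APT's global keyrings, or sets `trusted=yes`, which makes APT treat the source as trusted even when it does not pass authentication checks. `audit_apt_source` and the sample file names are chosen for this example; the URL and keyring path are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the PR): report how each entry in an APT source file
# is authenticated. One line of output per entry:
#   unauthenticated  trusted=yes / Trusted: yes, signature checks are bypassed
#   pinned           signed-by / Signed-By limits the entry to the named key
#   global-keyring   neither option, any key in APT's global keyrings is accepted

audit_apt_source() {  # $1 = path to a .list or .sources file
    awk '
        function emit() {
            if (!seen) return
            print (trusted ? "unauthenticated" : (signedby ? "pinned" : "global-keyring"))
            seen = trusted = signedby = 0
        }
        /^[ \t]*#/ { next }                         # comment line
        /^deb(-src)?[ \t]/ {                        # one-line entry
            emit(); seen = 1
            a = index($0, "["); b = index($0, "]")
            if (a && b > a) {
                n = split(substr($0, a + 1, b - a - 1), opt, " ")
                for (i = 1; i <= n; i++) {
                    if (opt[i] == "trusted=yes")          trusted = 1
                    if (index(opt[i], "signed-by=") == 1) signedby = 1
                }
            }
            emit(); next
        }
        /^[ \t]*$/ { emit(); next }                 # blank line closes a deb822 stanza
        /^[A-Za-z-]+:/ {                            # deb822 field
            seen = 1
            if (tolower($1) == "trusted:" && $2 == "yes") trusted = 1
            if (tolower($1) == "signed-by:")              signedby = 1
        }
        END { emit() }
    ' "$1"
}

# --- Constructed samples; URL and keyring path are the ones quoted in the thread ---
demo=$(mktemp -d)
U=http://packages.ros.org/ros2/ubuntu
K=/usr/share/keyrings/ros-archive-keyring.gpg
printf '%s\n' "deb $U noble main" "deb [arch=amd64 signed-by=$K] $U noble main" \
    "deb [trusted=yes signed-by=$K] $U noble main" > "$demo/ros2.list"
printf '%s\n' "Types: deb" "URIs: $U" "Suites: noble" "Signed-By: $K" "" \
    "Types: deb" "URIs: $U" "Suites: noble" "Trusted: yes" > "$demo/ros2.sources"
audit_apt_source "$demo/ros2.list"
audit_apt_source "$demo/ros2.sources"
```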

Development

Successfully merging this pull request may close these issues.

ROS repo key expired