
Bad GPG signature #3547

Closed
bcruddy opened this issue May 31, 2017 · 10 comments

Comments

@bcruddy

bcruddy commented May 31, 2017

Do you want to request a feature or report a bug?
Bug

What is the current behavior?
Yarn install fails on Travis

If the current behavior is a bug, please provide the steps to reproduce.
Invalid GPG signature
https://gist.github.com/bcruddy/f901c0f510352ff14a5c9911007ee723

What is the expected behavior?
Valid GPG signature

Please mention your node.js, yarn and operating system version.
See gist.

@bcruddy
Author

bcruddy commented May 31, 2017

I couldn't replicate this as I got a valid GPG signature after restarting the build

@akullpp

akullpp commented May 31, 2017

Same here building a docker image:

```
gpg: key 1646B01B86E50310: public key "Yarn Packaging <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
```

@skipjack

skipjack commented Jun 2, 2017

We're seeing the same thing over at webpack/webpack.js.org#1251... see this build.

```
GPG signature for this Yarn release is invalid! This is BAD and may mean the release has been tampered with. It is strongly recommended that you report this to the Yarn developers.
```

@paulirish
Member

I got the exact same results as @bcruddy on this travis build. (raw log)

```
> Verifying integrity...
gpg: key 86E50310: public key "Yarn Packaging <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Signature made Tue 23 May 2017 08:06:30 PM UTC using RSA key ID FD2497F5
gpg: BAD signature from "Yarn Packaging <[email protected]>"
> GPG signature for this Yarn release is invalid! This is BAD and may mean the release has been tampered with. It is strongly recommended that you report this to the Yarn developers.
```

Unfortunately the build that @skipjack links no longer has the failure text, but it's probably the same error as @bcruddy and I.

And it looks like @akullpp's bug is slightly different, as it has `no valid OpenPGP data found.` vs `Signature made [...] using RSA key ID [...]`.

@skipjack

skipjack commented Jun 3, 2017

Yeah, somehow restarting the build fixed the issue for us. I'll report back if we see it again.

@arcanis
Member

arcanis commented Jun 6, 2017

@Daniel15 Do you think we could add the file size / Nth first bytes / Nth last bytes in the error messages? It could make it easier to detect corrupted downloads

@Daniel15
Member

Daniel15 commented Jun 6, 2017

`no valid OpenPGP data found` means that the GPG signature is totally missing for some reason, whereas `BAD signature from "Yarn Packaging <[email protected]>"` means that the GPG signature file (.asc) is fine but the signature doesn't match the tarball. Usually this means the tarball is somehow corrupted, and redownloading it will fix the problem. If you're hitting that error message, then even without the GPG verification, you'd likely encounter errors extracting the tarball.

@arcanis - That sounds doable. I guess we could use head and tail to get the first/last Nth bytes?

I wonder if the installation script should simply try to redownload the tarball and see if that works? It's possible the download was interrupted somehow, and retrying a second time could work.

@winterbe

Also got bad signature while installing latest Yarn 1.1.0:

```
❯ curl -o- -L https://yarnpkg.com/install.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6875    0  6875    0     0  10053      0 --:--:-- --:--:-- --:--:-- 10051
Installing Yarn!
/Users/winterbe/.yarn/bin/yarn
> Downloading tarball...

[1/2]: https://yarnpkg.com/latest.tar.gz --> /var/folders/fn/dt_1pxlx0kvcj17f93_tmh5m0000gn/T/yarn.tar.gz.XXXXXXXXXX.ovNMWklZ
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    90  100    90    0     0    233      0 --:--:-- --:--:-- --:--:--   233
100   608    0   608    0     0    505      0 --:--:--  0:00:01 --:--:--   505
100  853k  100  853k    0     0   262k      0  0:00:03  0:00:03 --:--:--  446k

[2/2]: https://yarnpkg.com/latest.tar.gz.asc --> /var/folders/fn/dt_1pxlx0kvcj16f98_tmh5m0000gn/T/yarn.tar.gz.XXXXXXXXXX.ovNMWklZ.asc
100    94  100    94    0     0   1577      0 --:--:-- --:--:-- --:--:--  1577
100   612    0   612    0     0   2322      0 --:--:-- --:--:-- --:--:--  597k
100  1028  100  1028    0     0   2447      0 --:--:-- --:--:-- --:--:--  2447
> Verifying integrity...
gpg: Signatur vom So 24 Sep 20:34:20 2017 CEST
gpg:                mittels RSA-Schlüssel 6A010C5166006599AA17F08146C2130DFD2497F5
gpg: Korrekte Signatur von "Yarn Packaging <[email protected]>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = 72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
Unter-Fingerabdruck  = 6A01 0C51 6600 6599 AA17  F081 46C2 130D FD24 97F5
> GPG signature looks good
> Extracting to ~/.yarn...
> Adding to $PATH...
> We've added the following to your /Users/winterbe/.zshrc
> If this isn't the profile of your current shell then please add the following to your correct profile:

export PATH="$HOME/.yarn/bin:$PATH"

> Successfully installed Yarn 1.1.0! Please open another terminal where the `yarn` command will now be available.
```

@Daniel15
Member

@winterbe It looks fine to me?

```
gpg: Korrekte Signatur von "Yarn Packaging <[email protected]>" [unbekannt]
```

This warning just means that you haven't added the Yarn signing key as a trusted key on your computer. It doesn't mean that the signature is invalid:

```
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
```
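
Daniel15's two comments above separate three outcomes: `no valid OpenPGP data found` (no signature data at all), `BAD signature` (the .asc is fine but the tarball doesn't match it, usually a corrupt or truncated download), and the trust warning (a good signature from a key you haven't marked as trusted locally). The following POSIX shell sketch is an added example, not Yarn's install.sh or any code from the Yarn project: it reads gpg's machine-readable `--status-fd` lines instead of grepping the localized human-readable text, prints the size and first/last bytes that arcanis asked for, checks the gzip magic before anything else, and retries the download as Daniel15 suggested. The function names, the constructed status lines and the sample file are my own assumptions; `verify_download` needs curl and gpg with the Yarn signing key already imported, and the offline demo at the bottom does not call it.

```shell
#!/bin/sh
# Added example, not Yarn's install.sh. Helpers for diagnosing the failures in
# this thread. All function names and sample inputs are constructed for the example.

# classify_gpg_status: read `gpg --status-fd 1 --verify` output on stdin and print
# one word: good | bad-signature | missing-signature | missing-key | unknown.
# TRUST_* lines are deliberately ignored here: unknown trust only means the key
# has not been marked trusted on this machine, not that the signature is invalid.
classify_gpg_status() {
  result=unknown
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] NODATA"*)    result=missing-signature ;;   # no OpenPGP data in the .asc
      "[GNUPG:] BADSIG"*)    result=bad-signature ;;       # .asc parsed, tarball does not match
      "[GNUPG:] NO_PUBKEY"*) result=missing-key ;;         # signing key was never imported
      "[GNUPG:] GOODSIG"*)   if [ "$result" = unknown ]; then result=good; fi ;;
    esac
  done
  echo "$result"
}

# gpg_trust_level: print the TRUST_* word (UNDEFINED, NEVER, MARGINAL, FULLY,
# ULTIMATE) from the same status stream, or "none" if gpg emitted no trust line.
gpg_trust_level() {
  level=none
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] TRUST_"*) level=${line#"[GNUPG:] TRUST_"}; level=${level%% *} ;;
    esac
  done
  echo "$level"
}

# download_diagnostics FILE: size plus first/last 16 bytes in hex, the extra
# context arcanis proposed adding to the error message.
download_diagnostics() {
  f=$1
  printf 'size=%s\n' "$(wc -c < "$f" | tr -d ' ')"
  printf 'head=%s\n' "$(head -c 16 "$f" | od -An -tx1 | tr -d ' \n')"
  printf 'tail=%s\n' "$(tail -c 16 "$f" | od -An -tx1 | tr -d ' \n')"
}

# is_gzip_magic FILE: succeeds if the file starts with the gzip magic 1f 8b.
# An HTML error page or an empty download fails this before gpg even runs.
is_gzip_magic() {
  [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "1f8b" ]
}

# verify_download URL DEST [ATTEMPTS]: fetch URL and URL.asc, verify, and retry
# on failure. Requires curl and gpg with the signing key already imported.
verify_download() {
  url=$1 dest=$2 attempts=${3:-2} n=1
  while [ "$n" -le "$attempts" ]; do
    if curl -fsSL -o "$dest" "$url" && curl -fsSL -o "$dest.asc" "$url.asc"; then
      # --status-fd 1 sends only machine-readable lines to stdout; the localized
      # human-readable text goes to stderr and is discarded.
      status=$(gpg --status-fd 1 --verify "$dest.asc" "$dest" 2>/dev/null | classify_gpg_status)
      if [ "$status" = good ]; then
        echo "verified on attempt $n"
        return 0
      fi
      echo "attempt $n: $status" >&2
      is_gzip_magic "$dest" || echo "attempt $n: payload is not a gzip file" >&2
      download_diagnostics "$dest" >&2
    else
      echo "attempt $n: download failed" >&2
    fi
    n=$((n + 1))
  done
  return 1
}

# Offline demo with constructed inputs (no network, no gpg needed).
printf '[GNUPG:] BADSIG FD2497F5 Yarn Packaging\n' | classify_gpg_status   # bad-signature
demo_file=$(mktemp)
printf '<html>not a tarball' > "$demo_file"   # constructed: what a CDN error page looks like
is_gzip_magic "$demo_file" || echo "demo file is not gzip"
download_diagnostics "$demo_file"
rm -f "$demo_file"
```

Run the file as-is for the offline demo, or source it and call `verify_download https://yarnpkg.com/latest.tar.gz /tmp/yarn.tar.gz` after importing the Yarn key; the status-line parsing is what keeps the result independent of the user's locale.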

@winterbe

winterbe commented Sep 25, 2017 via email
