bug: Invalid GPG signature for fig-headless

[kevinderuijter]

Checks

• I have searched github.com/withfig/fig/issues and there are no duplicates of my issue
• I have run fig doctor in the affected terminal session
• I have run fig restart and replicated the issue again

Operating system

Fresh installation on Monday 24 July.
Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-76-generic x86_64)

Expected behaviour

The expected behaviour is for the Fig repository to install or update on ubuntu 20.04 using curl -fSsL https://repo.fig.io/scripts/install-headless.sh | bash or apt-get update.

Actual behaviour

curl -fSsL https://repo.fig.io/scripts/install-headless.sh | bash
███████╗██╗ ██████╗
██╔════╝██║██╔════╝
█████╗  ██║██║  ███╗
██╔══╝  ██║██║   ██║
██║     ██║╚██████╔╝
╚═╝     ╚═╝ ╚═════╝.io
Performing compatibility checks
[sudo] password for kevin: Executing https://repo.fig.io/scripts/apt/install.sh

Installing repo dependencies
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
lsb-release is already the newest version (11.1.0ubuntu4).
lsb-release set to manually installed.
ca-certificates is already the newest version (20230311ubuntu0.22.04.1).
ca-certificates set to manually installed.
gnupg is already the newest version (2.2.27-3ubuntu2.1).
gnupg set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Installing Fig repository
Installing Fig key
Updating apt
Get:1 https://repo.fig.io/apt stable InRelease [2438 B]
Err:1 https://repo.fig.io/apt stable InRelease                                 
  The following signatures were invalid: EXPKEYSIG 2D0C87B556D290C4 Fig <maintainer@fig.io>
Hit:2 http://nl.archive.ubuntu.com/ubuntu jammy InRelease                      
Get:3 http://nl.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]     
Get:4 http://nl.archive.ubuntu.com/ubuntu jammy-backports InRelease [108 kB]   
Get:5 http://nl.archive.ubuntu.com/ubuntu jammy-security InRelease [110 kB]    
Get:6 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security InRelease [7553 B]
Get:7 https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates InRelease [7459 B]
Get:8 https://esm.ubuntu.com/infra/ubuntu jammy-infra-security InRelease [7453 B]
Get:9 https://esm.ubuntu.com/infra/ubuntu jammy-infra-updates InRelease [7452 B]
Reading package lists... Done      
W: GPG error: https://repo.fig.io/apt stable InRelease: The following signatures were invalid: EXPKEYSIG 2D0C87B556D290C4 Fig <maintainer@fig.io>
E: The repository 'https://repo.fig.io/apt stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Installing Fig
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package fig-headless

sudo apt-get update
Get:1 https://repo.fig.io/apt stable InRelease [2438 B]
Hit:2 http://nl.archive.ubuntu.com/ubuntu jammy InRelease                                          
Hit:3 http://nl.archive.ubuntu.com/ubuntu jammy-updates InRelease                       
Err:1 https://repo.fig.io/apt stable InRelease                                          
  The following signatures were invalid: EXPKEYSIG 2D0C87B556D290C4 Fig <maintainer@fig.io>
Hit:4 http://nl.archive.ubuntu.com/ubuntu jammy-backports InRelease                                    
Hit:5 http://nl.archive.ubuntu.com/ubuntu jammy-security InRelease                                     
Hit:6 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security InRelease                                 
Hit:7 https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates InRelease
Hit:8 https://esm.ubuntu.com/infra/ubuntu jammy-infra-security InRelease
Hit:9 https://esm.ubuntu.com/infra/ubuntu jammy-infra-updates InRelease
Reading package lists... Done
W: GPG error: https://repo.fig.io/apt stable InRelease: The following signatures were invalid: EXPKEYSIG 2D0C87B556D290C4 Fig <maintainer@fig.io>
E: The repository 'https://repo.fig.io/apt stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Steps to reproduce

Install Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-76-generic x86_64)
Run curl -fSsL https://repo.fig.io/scripts/install-headless.sh | bash

Environment

NA

[nickpricks]

Meanwhile;

1. Bypass the safeguard
   --allow-unauthenticated
2. Adding unsigned repository with a flag
   sudo vi /etc/apt/sources.list
   or
   sudo vi /etc/apt/sources.list.d/fig.list
   add a [trusted=yes]
3. Disable
   Either use Software Updater or comment the repo from
   sudo vi /etc/apt/sources.list
   or
   sudo vi /etc/apt/sources.list.d/fig.list

Ref: linuxfordevices.com/tutorials/linux/fix-updating-from-such-a-repository-cant-be-done-securely-error

[FuturePilot]

I'm seeing the same thing on all my Debian and Ubuntu servers.

[stephanlamoureux]

same on ubuntu 22.04 in wsl2

[grant0417]

Seems I may have let our repo signature lapse, very sorry about this! Will try to resolve this tomorrow and update the status.

[natedunn]

@grant0417 thanks for letting us know! these things happen

[grant0417]

I have increased the key's expiration, to get the new key run:

curl -fsS https://repo.fig.io/scripts/apt/key.gpg | gpg --dearmor > /etc/apt/keyrings/fig.gpg

Then you should be able to sudo apt update && sudo apt upgrade

[stephanlamoureux]

@grant0417 I get the following error when running the above curl command curl: (23) Failed writing body

[ybkurt]

@grant0417 I get the following error when running the above curl command curl: (23) Failed writing body

I also got this error and it disappeared when I switch to root

[stephanlamoureux]

@grant0417 I get the following error when running the above curl command curl: (23) Failed writing body

I also got this error and it disappeared when I switch to root

I ran the command as sudo and got that error

[kevinderuijter]

@grant0417 I get the following error when running the above curl command curl: (23) Failed writing body

@stephanlamoureux
Can you try running the command without using sudo directly?

1. sudo su
2. curl -fsS https://repo.fig.io/scripts/apt/key.gpg | gpg --dearmor > /etc/apt/keyrings/fig.gpg

[stephanlamoureux]

2. curl -fsS https://repo.fig.io/scripts/apt/key.gpg | sudo gpg --dearmor > /etc/apt/keyrings/fig.gpg

Thank you, that did the trick.

[warifp]

Thankyou