apt cannot find Heroku-cli public key 6DB5542C356545CF
Ran sudo apt update and got the following error for the Heroku repository that indicates failed signature verification and missing public key 6DB5542C356545CF. The only information about this key I can find online is in Japanese or Korean, neither of which I understand, and translating them does not reveal any particularly useful information. I am concerned this could be a MITM attack, does anyone have any information or advice?
The full error message:
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cli-assets.heroku.com/apt ./ InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6DB5542C356545CF
W: Failed to fetch https://cli-assets.heroku.com/apt/./InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6DB5542C356545CF
W: Some index files failed to download. They have been ignored, or old ones used instead.
This worked for me
curl https://cli-assets.heroku.com/apt/release.key | sudo apt-key add -
@podfinkx thanks, I have found solutions to the problem, but I am more interested in knowing the cause. I prefer not to blindly follow instructions on the internet without knowing why I am doing it 😜
I understand, I think the problem was that they changed the gpg key and we needed to add the new key to be able to use the repo...
PS: the GPG key was probably changed because the old one expired.
PS2: the command is literally downloading and adding the new GPG key.
https://stackoverflow.com/questions/67601571/apt-cannot-find-public-key-6db5542c356545cf
When I inspected the key:
wget https://cli-assets.heroku.com/apt/release.key
gpg --list-packets release.key
it mentions keyid 70E2D495D3D0A153. There is no 6DB5542C356545CF mentioned by sudo apt-get update:
Get:3 https://cli-assets.heroku.com/apt ./ InRelease [2,879 B]
Err:3 https://cli-assets.heroku.com/apt ./ InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6DB5542C356545CF
Reading package lists... Done
W: GPG error: https://cli-assets.heroku.com/apt ./ InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6DB5542C356545CF
E: The repository 'https://cli-assets.heroku.com/apt ./ InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
sudo apt-key add is an outdated method of adding keys in Debian. The modern way:
echo "deb [signed-by=/usr/share/keyrings/heroku.com.asc] https://cli-assets.heroku.com/apt ./" | sudo tee /etc/apt/sources.list.d/heroku.list
^Just to add to this, the modern way avoids apt-key add or putting the key in /etc/apt/trusted.gpg.d manually (some discussion here and here)
Rather, dearmor the key and write it into your keyrings (be careful with dd), e.g.
cat release.key | gpg --dearmor | sudo dd of=/usr/share/keyrings/heroku-archive-keyring.gpg
Then match the name when creating the source list:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/heroku-archive-keyring.gpg] https://cli-assets.heroku.com/apt ./" | sudo tee /etc/apt/sources.list.d/heroku.list
I am getting this error, why?
sudo apt-get update
Hit:1 http://in.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://in.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://in.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 https://linux.teamviewer.com/deb stable InRelease
Hit:5 http://packages.microsoft.com/repos/code stable InRelease
Hit:6 http://deb.anydesk.com all InRelease
Hit:7 https://packages.microsoft.com/repos/vscode stable InRelease
Hit:8 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:9 http://ppa.launchpad.net/graphics-drivers/ppa/ubuntu focal InRelease
Hit:11 http://ppa.launchpad.net/nilarimogard/webupd8/ubuntu focal InRelease
Hit:13 https://dl.google.com/linux/chrome/deb stable InRelease
Ign:10 http://toolbelt.heroku.com/ubuntu ./ InRelease
Hit:14 http://toolbelt.heroku.com/ubuntu ./ Release
Err:15 http://toolbelt.heroku.com/ubuntu ./ Release.gpg
The following signatures were invalid: REVKEYSIG C927EBE00F1B0520 Heroku Release Engineering [email protected]
Hit:12 https://packagecloud.io/github/git-lfs/ubuntu focal InRelease
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://toolbelt.heroku.com/ubuntu ./ Release: The following signatures were invalid: REVKEYSIG C927EBE00F1B0520 Heroku Release Engineering [email protected]
W: Failed to fetch http://toolbelt.heroku.com/ubuntu/./Release.gpg The following signatures were invalid: REVKEYSIG C927EBE00F1B0520 Heroku Release Engineering [email protected]
W: Some index files failed to download. They have been ignored, or old ones used instead.
The following signatures were invalid: REVKEYSIG C927EBE00F1B0520 Heroku Release Engineering [email protected]
have uninstall still
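The key-ID comparison done by hand earlier in the thread (apt asks for 6DB5542C356545CF, release.key shows 70E2D495D3D0A153) and the REVKEYSIG case just above can be checked mechanically. This is an added example, not code from any poster or from Heroku: the function names are hypothetical, the apt lines are constructed from the errors quoted in the thread, and the colon listing is constructed to stand in for what `gpg --show-keys --with-colons` prints.

```shell
#!/bin/sh
# Added example (not from the thread): which key IDs does apt reject, and are
# they in the key material we hold? Sample data below is constructed.

# stdin: `apt-get update` output; stdout: unique "STATUS KEYID" pairs.
apt_key_errors() {
    grep -oE '(NO_PUBKEY|EXPKEYSIG|REVKEYSIG|BADSIG) [0-9A-F]{16}' | sort -u
}

# stdin: `gpg --show-keys --with-colons FILE`; stdout: "KEYID VALIDITY" for
# each primary key and subkey (field 5 = long key ID, field 2 = validity).
keyring_ids() {
    awk -F: '$1 == "pub" || $1 == "sub" { print $5, ($2 == "" ? "-" : $2) }'
}

# $1: file holding apt output, $2: file holding the colon listing.
diagnose() {
    apt_key_errors < "$1" | while read -r status id; do
        validity=$(keyring_ids < "$2" | awk -v id="$id" '$1 == id { print $2 }')
        case "$validity" in
            "") echo "$id $status absent" ;;
            r)  echo "$id $status present-revoked" ;;
            e)  echo "$id $status present-expired" ;;
            *)  echo "$id $status present" ;;
        esac
    done
}

demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/apt.txt" <<'EOF'
W: GPG error: https://cli-assets.heroku.com/apt ./ InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6DB5542C356545CF
W: Failed to fetch https://cli-assets.heroku.com/apt/./InRelease NO_PUBKEY 6DB5542C356545CF
W: GPG error: http://toolbelt.heroku.com/ubuntu ./ Release: The following signatures were invalid: REVKEYSIG C927EBE00F1B0520
EOF
    cat > "$dir/keys.txt" <<'EOF'
pub:-:4096:1:70E2D495D3D0A153:1600000000:::-:::scESC:
sub:-:4096:1:0000000000000001:1600000000::::::e:
pub:r:4096:1:C927EBE00F1B0520:1300000000:::-:::sc:
EOF
    diagnose "$dir/apt.txt" "$dir/keys.txt"
    rm -rf "$dir"
}

demo
```

On a real system, save `sudo apt-get update 2>&1` and `gpg --show-keys --with-colons release.key` to two files and pass them to `diagnose`; an `absent` result means the downloaded key file does not contain the key the repository metadata was signed with.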
According to Heroku docs, there is an install option that auto updates.
curl https://cli-assets.heroku.com/install.sh | sh
@bmwenda I studied that https://cli-assets.heroku.com/install.sh and it only copies heroku executable to /usr/local/lib/heroku/bin/heroku. That means:
- no OS package is used
- no updates
- no uninstall option (you have to rm /usr/local/lib/heroku later if you know that magic)
That's why DEB/RPM repositories rock. And don't forget package signing!!
Can be closed. Release keys have been rotated multiple times since the OP.
Superseded by
- https://github.com/heroku/cli/issues/2828
Thank you @almereyda