Heroku GPG issues in Ubuntu images

image: ubuntu-2004:202107-02

Trying to run sudo apt-get update yields the following error:

ircleci@ip-172-28-32-194:~$ sudo apt-get update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu focal-backports InRelease
Get:4 https://cli-assets.heroku.com/apt ./ InRelease [2,895 B]
Hit:5 https://deb.nodesource.com/node_16.x focal InRelease
Hit:6 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:7 http://ppa.launchpad.net/git-core/ppa/ubuntu focal InRelease
Err:4 https://cli-assets.heroku.com/apt ./ InRelease
  The following signatures were invalid: EXPKEYSIG 6DB5542C356545CF Heroku, Inc. <support@heroku.com>
Hit:8 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu focal InRelease
Reading package lists... Done
W: GPG error: https://cli-assets.heroku.com/apt ./ InRelease: The following signatures were invalid: EXPKEYSIG 6DB5542C356545CF Heroku, Inc. <support@heroku.com>
E: The repository 'https://cli-assets.heroku.com/apt ./ InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

This is my first time posting an error so please let me know if I can be more expressive! Thanks!

2 Likes

I think this answer on GitHub will help you. It helped me solve my case.

This issue can be fixed by running:

curl https://cli-assets.heroku.com/apt/release.key | sudo apt-key add -

The issue is that Heroku’s old apt signing key expired. The command above downloads their new key. Updated images that avoid this issue are on the way.

I’m still seeing this error with the stock ubuntu-2204:2022.10.2 machine image, for what it’s worth.

E: Repository 'https://cli-assets.heroku.com/apt ./ InRelease' changed its 'Origin' value from 'Heroku' to 'Jeff Dickey @jdxcode'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.
2 Likes

Same here.

We’ve worked around it with

sudo rm -rf /etc/apt/sources.list.d/heroku.list

1 Like

This worked for me :+1:

We’ve also just started hitting this error. Using the workarounds for now…

This issue was fixed earlier this year. People are seeing this issue again because Heroku has decided to change their signing key YET AGAIN. This is unacceptable for the type of image we produce, so this time we’re going to fix this issue by not including the Heroku repository at all. This will prevent the problem from returning.

Fixed images will be produced and should roll out within the next 24 hours or so. We’ll update here when they’re ready.

6 Likes

Looks like it got fixed. I commented out the line in /etc/apt/sources.list.d/heroku.list some days ago, and I just uncommented it, and it upgraded the package fine now.
Thanks.
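
The two apt failures quoted in this thread (EXPKEYSIG and the changed 'Origin' value) and the comment-out workaround, as an added example that is not part of any post above. The function names `failing_repos` and `disable_repo`, and the list files written to a scratch directory, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Log lines and list files below are constructed
# from the output quoted in the posts above.

# failing_repos: read `apt-get update` output on stdin and print "<reason> <repo-url>"
# for each repository apt rejected over its signing key or changed Release metadata.
failing_repos() {
  sed -nE \
    -e "s/^W: GPG error: ([^ ]+) .*EXPKEYSIG ([0-9A-F]+).*/expired-key:\2 \1/p" \
    -e "s/^E: Repository '([^ ]+) [^']*' changed its 'Origin' value.*/origin-changed \1/p" |
    sort -u
}

# disable_repo URL DIR: comment out active deb/deb-src lines in DIR/*.list whose
# URI equals URL (trailing slash ignored). Keeps FILE.bak and prints changed files.
disable_repo() {
  url=${1%/}; dir=$2
  for f in "$dir"/*.list; do
    [ -f "$f" ] || continue
    if awk -v url="$url" '
        $1 == "deb" || $1 == "deb-src" {
          for (i = 2; i <= NF; i++) {
            u = $i; sub(/\/$/, "", u)
            if (u == url) { print "# disabled (apt signature failure): " $0; n++; next }
          }
        }
        { print }
        END { exit (n ? 0 : 1) }' "$f" > "$f.tmp"
    then cp -p "$f" "$f.bak" && mv "$f.tmp" "$f" && echo "$f"
    else rm -f "$f.tmp"
    fi
  done
}

# Demo on a scratch directory (constructed data; nothing under /etc is touched).
demo() {
  d=$(mktemp -d)
  printf 'deb https://cli-assets.heroku.com/apt ./\n' > "$d/heroku.list"
  printf 'deb https://deb.nodesource.com/node_16.x focal main\n' > "$d/nodesource.list"
  printf '%s\n' \
    "Hit:5 https://deb.nodesource.com/node_16.x focal InRelease" \
    "W: GPG error: https://cli-assets.heroku.com/apt ./ InRelease: The following signatures were invalid: EXPKEYSIG 6DB5542C356545CF Heroku, Inc. <support@heroku.com>" |
    failing_repos | while read -r reason repo; do
      echo "$reason -> disabling $repo"; disable_repo "$repo" "$d"
    done
  rm -rf "$d"
}
demo
```

On a real host the second argument would be /etc/apt/sources.list.d and the script would run as root; restoring FILE.bak re-enables the repository once its key verifies again.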