Heroku gpg issues in ubuntu images

hwchase17 · April 26, 2022, 10:11pm

image: ubuntu-2004:202107-02

trying to run sudo apt-get update yields the following error

ircleci@ip-172-28-32-194:~$ sudo apt-get update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu focal-backports InRelease
Get:4 https://cli-assets.heroku.com/apt ./ InRelease [2,895 B]
Hit:5 https://deb.nodesource.com/node_16.x focal InRelease
Hit:6 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:7 http://ppa.launchpad.net/git-core/ppa/ubuntu focal InRelease
Err:4 https://cli-assets.heroku.com/apt ./ InRelease
  The following signatures were invalid: EXPKEYSIG 6DB5542C356545CF Heroku, Inc. <support@heroku.com>
Hit:8 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu focal InRelease
Reading package lists... Done
W: GPG error: https://cli-assets.heroku.com/apt ./ InRelease: The following signatures were invalid: EXPKEYSIG 6DB5542C356545CF Heroku, Inc. <support@heroku.com>
E: The repository 'https://cli-assets.heroku.com/apt ./ InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

This is my first time posting an error so please let me know if I can be more expressive! Thanks!

hervinhio · April 27, 2022, 7:10pm

I think this answer on GitHub will help you. It helped me solve my case.

FelicianoTech · May 26, 2022, 4:10pm

This issue can be fixed by running:

curl https://cli-assets.heroku.com/apt/release.key | sudo apt-key add -

The issue is that Heroku’s old apt signing key expired. The command above downloads their new key. Updated images are on the way that avoids this issue.

ms1111 · November 15, 2022, 12:28am

I’m still seeing this error with the stock ubuntu-2204:2022.10.2 machine image, for what it’s worth.

E: Repository 'https://cli-assets.heroku.com/apt ./ InRelease' changed its 'Origin' value from 'Heroku' to 'Jeff Dickey @jdxcode'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.

jamesbassett · November 15, 2022, 1:47am

Same here.

We’ve worked around it with

sudo rm -rf /etc/apt/sources.list.d/heroku.list

jackdek11 · November 15, 2022, 1:29pm

This worked for me

dafeder · November 15, 2022, 3:53pm

We’ve also just started hitting this error. Using the workarounds for now…

FelicianoTech · November 15, 2022, 5:54pm

This issue was fixed earlier this year. People are seeing this issue again because Heroku has decided to change their signing key YET AGAIN. This is unacceptable for the type of image we produce so this time we’re going to fix this issue by not including the Heroku repository at all. This will prevent the problem from returning.

Fixed images will be produced and should roll out within the next 24 hours or so. We’ll update here when they’re ready.

Ortega-Dan · November 18, 2022, 2:58am

Looks like it got fixed, I just commented the line in /etc/apt/sources.list.d/heroku.list some days ago. And just uncommented it and it upgraded the package well now.
Thanks.

Janeer · December 20, 2022, 2:45pm

After upgrade it works fine. I also had this error with GPG.
project home page.

jerdog · December 20, 2022, 3:20pm