Bug #113432 Expired Package repo
Submitted: 15 Dec 2023 0:35 Modified: 15 Dec 2023 14:54
Reporter: Carlos Pinero Email Updates:
Status: Verified Impact on me:
Category:MySQL Package Repos Severity:S1 (Critical)
Version:5.7 OS:Ubuntu
Assigned to: CPU Architecture:x86
Tags: gpg

[15 Dec 2023 0:35] Carlos Pinero
The signing key used for the packages was expired today:

Key info from gpg:

root@ubuntu-bionic:~# gpg /etc/apt/keyrings/mysql.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2021-12-14 [SC] [expired: 2023-12-14]
uid           MySQL Release Engineering <mysql-build@oss.oracle.com>
sub   rsa4096 2021-12-14 [E] [expired: 2023-12-14]

Error when running apt update:

Get:5 http://repo.mysql.com/apt/ubuntu bionic InRelease [20.0 kB]
Err:5 http://repo.mysql.com/apt/ubuntu bionic InRelease
  The following signatures were invalid: EXPKEYSIG 467B942D3A79BD29 MySQL Release Engineering <mysql-build@oss.oracle.com>
Reading package lists... Done
W: GPG error: http://repo.mysql.com/apt/ubuntu bionic InRelease: The following signatures were invalid: EXPKEYSIG 467B942D3A79BD29 MySQL Release Engineering <mysql-build@oss.oracle.com>
E: The repository 'http://repo.mysql.com/apt/ubuntu bionic InRelease' is not signed.

How to repeat:
> Add apt repositories to /etc/apt/sources.d/mysql/list:

deb [signed-by=/etc/apt/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu/ bionic mysql-apt-config
deb [signed-by=/etc/apt/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu/ bionic mysql-5.7
deb [signed-by=/etc/apt/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu/ bionic mysql-tools
deb-src [signed-by=/etc/apt/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu/ bionic mysql-5.7

> Add the signing key:

wget -O- https://repo.mysql.com/RPM-GPG-KEY-mysql-2022 | gpg --dearmor | tee /etc/apt/keyrings/mysql.gpg > /dev/null

> Run `apt update`

Suggested fix:
Update expiration date for the gpg key and upload new public key to repository
[15 Dec 2023 5:48] MySQL Verification Team
Hello Carlos Pinero,

Thank you for the report and feedback.

[15 Dec 2023 12:01] M Alex
is there a workaround for this?
[15 Dec 2023 12:35] M Alex
Only thing I could find WHICH IS HIGHLY INSECURE AND SHOULD ONLY BE TEMPORARY but gets the job done is to add [allow-insecure=yes] in /etc/apt/sources.list.d/mysql.list:

deb [allow-insecure=yes] http://repo.mysql.com/apt/debian/
[15 Dec 2023 14:33] Terje Røsten

this issue should now be resolved, please retry.
[15 Dec 2023 14:54] Carlos Pinero
I confirm that the new key `RPM-GPG-KEY-mysql-2023` is working now.

Thanks for the quick resolution.
[16 Dec 2023 4:21] Jarosław Potiuk
Thanks for the fix. I think however the policy of Oracle/MySQL to have expiry date for your software is deeply flawed. 

We had to manually fix all ~50 images we released in the past of our for Apache Airflow because of the expiry date. 

Nobody else does it. Postgres, MariaDB, even MsSQL put no expiry date on the keys that are used to sign repos. 

By putting expiry key on your apt repository you basically put an expiry date on your software and this expiry date gets shorter and shorter.

A good example of that are your own images that are affected. We had a user asking us for help in Airflow repo https://github.com/apache/airflow/issues/36231#issuecomment-1858419966 
to help to fix the same issue with  `mysql:8.0.35-debian` image of yours and we sent them to your support (as well, you should deal with your own problems).

This image has been released just 25 days ago. And due to the flawed policy of having an expiry date on your key, effectively lifetime of this image was 24 days. Not much. And likely you have a number of those images (similarly as what we had 50 of ours).  Now I guess you need to retroactively rebuild/patch your images - which is something the flawed policy of yours made us to get 36 hours of scrambling and  and answering support issues of our users (which we did despite our team is made of volunteers, not paid staff as is in the case of MySQL/Oracle). 

We kinda lost faith in Oracle being a good steward of MySQL apt repos and we decided in Apache Airflow in accelerated discussion and (currently running) lazy consensus, to switch to MariaDB clients for all our future releases (including the 2.8.0 release that was actually delayed by at least 2 days because of this bug).

Lazy consensus thread here: https://lists.apache.org/list.html?dev@airflow.apache.org

I hope - for the sake of your users loosing days due to such issues, you will reconsider your policies around signing your APT repos.
[2 Jan 20:50] Alessio Ciregia
Could you fix the issue also in the yum repository?
[8 Jan 13:23] Paul Garner

I was using this url to download the current year's GPG key:

But https://repo.mysql.com/RPM-GPG-KEY-mysql-2024 returns a 404

I had understood from this thread that the new key would be published in advance of the new year: