Nvidia-docker: Where's the current public GPG key?

Created on 19 Sep 2019  ·  12 Comments  ·  Source: NVIDIA/nvidia-docker

Is the GPG key used for signing RPMs available for download anywhere from a trusted source? The yum repo points to https://nvidia.github.io/nvidia-docker/gpgkey but that's not the key used to sign the current rpms.

All 12 comments

Same problem for DEB repos as well.

Same here. Was working fine till about a day ago, but now get:

GPG error: https://nvidia.github.io/libnvidia-container/ubuntu18.04/amd64  InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6ED91CA3AC1160CD
E: The repository 'https://nvidia.github.io/libnvidia-container/ubuntu18.04/amd64  InRelease' is not signed.

I'm trying to use this in an offline environment where I need to manually create and maintain an offline repo. Generally it's not been an issue as I can use reposync to mirror the repo locally and construct a .repo file that points to a local copy of the gpg key for validation. The current public repo files for the Nvidia container packages disable gpg checks but that's not an option for the secure environment I need to deploy this in. Not to mention the uneasiness of something like docker that interacts at the kernel level running with unvalidated packages.

If I can download the key file locally then I can set up the mirrored repo to correctly validate offline. I just need the correct public gpg key to do it.

We (pytorch) are now getting widespread CI errors along the lines of:

E: Failed to fetch https://nvidia.github.io/nvidia-docker/ubuntu16.04/amd64/InRelease  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)

(full example log)

The timing corresponds with these two commits:
https://github.com/NVIDIA/nvidia-docker/commit/6eed18c4c93215fbf076107c76b1ef7f48bb4e1f
https://github.com/NVIDIA/nvidia-docker/commit/295c69dacafce741f5e0995cabb273ef2ef9d9e8

@RenaudWasTaken are we doing something wrong here?

Hello!

@suo
The gpgkey expired, and we updated it with a new one :)
let me see if this isn't a caching issue

According to https://nvidia.github.io/nvidia-docker/ , gpgkey update can be done by:

curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | \
  sudo apt-key add -

There are many issues that are aggregated here :)

  1. The GPG key expired recently and we updated it
  2. Because of the multi-repository setup, not all updates were done at the same time
  3. Because of the multi-repository setup, the web caching isn't uniform

Now that we've updated the repos (and the cache has been updated), you should just be able to add the new gpg key to your keyring and update / install the packages:

curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | sudo apt-key add -

@chuckatkins regarding the gpgkey not being the one used for signing, I didn't have time to check whether we used a different key (maybe the master), but with the key rotation the packages are now signed by the gpgkey advertised :)

Hope this solves everyone's issues!

Can I suggest then that the provided yum .repo files reenable validation then with gpgcheck=1?

> current public repo files for the Nvidia container packages disable gpg checks but that's not an option for the secure environment I need to deploy this in.

That's not completely true, we enable repo_gpgcheck which allows you to ensure that the packages weren't tampered with.
I'm sifting through old documentation but I seem to remember that enabling gpgcheck was either breaking customers or us when generating the packages. I'll update here if I find more information.

> According to https://nvidia.github.io/nvidia-docker/ , gpgkey update can be done by:
>
> curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | \
>   sudo apt-key add -

That worked! Thanks.

So is this an expected process that will happen semi-often in future or totally randomly for some security reason?

> According to https://nvidia.github.io/nvidia-docker/ , gpgkey update can be done by:
>
> curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | \
>   sudo apt-key add -

This worked. Thanks.
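
Added example, not part of the thread and not NVIDIA's code: a check to run before importing a downloaded repo key, comparing the signer key ID that apt reports as NO_PUBKEY against the primary key and subkeys in the key file, and flagging an expired or revoked key. The key listing is constructed sample data (not the real NVIDIA key) and the function names are hypothetical.

```bash
# Constructed sample data. KEY_LISTING mimics `gpg --show-keys --with-colons`
# output and is NOT NVIDIA's real key; APT_LOG is the error quoted in the thread.
APT_LOG="GPG error: https://nvidia.github.io/libnvidia-container/ubuntu18.04/amd64  InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6ED91CA3AC1160CD"
KEY_LISTING="pub:-:4096:1:1111111111111111:1500000000:1568000000::-:::scESC:
uid:-::::1500000000::::Constructed Repo Key <repo@example.invalid>:
sub:-:4096:1:2222222222222222:1500000000:::::e:"

# Read apt output on stdin; print each key ID apt reported as NO_PUBKEY, once.
missing_keyids() {
  grep -oE 'NO_PUBKEY [0-9A-F]{16}' | awk '{ print $2 }' | sort -u
}

# key_status KEYID NOW_EPOCH: read a colon listing on stdin and print
# ok | expired | revoked | absent for that primary key or subkey.
# Colon fields: 1=record type, 2=validity, 5=key ID, 7=expiry (epoch, empty=never).
key_status() {
  awk -F: -v id="$1" -v now="$2" '
    ($1 == "pub" || $1 == "sub") && ($5 "") == (id "") {  # "" forces string compare
      found = 1
      if ($2 == "r") { print "revoked" }
      else if ($2 == "e" || ($7 != "" && $7 + 0 <= now + 0)) { print "expired" }
      else { print "ok" }
      exit
    }
    END { if (!found) print "absent" }'
}

# check_repo_key APT_TEXT LISTING_TEXT NOW_EPOCH: one "KEYID status" line per
# missing signer; returns 1 unless every one is present and usable.
check_repo_key() {
  rc=0
  for id in $(printf '%s\n' "$1" | missing_keyids); do
    st=$(printf '%s\n' "$2" | key_status "$id" "$3")
    echo "$id $st"
    [ "$st" = ok ] || rc=1
  done
  return "$rc"
}

# Real use, before importing anything (needs network and gnupg):
#   curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | gpg --show-keys --with-colons > listing.txt
#   check_repo_key "$(sudo apt-get update 2>&1)" "$(cat listing.txt)" "$(date +%s)"
```

An "absent" result means the downloaded file is not the key that signed the repository metadata, which is the situation the original question describes; "expired" matches the cause given later in the thread.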
