Do you want to request a feature or report a bug?
Bug
What is the current behavior?
Installing yarn via recommended command fails (curl -o- -L https://yarnpkg.com/install.sh | bash)
Bash output:
curl -o- -L https://yarnpkg.com/install.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7033 0 7033 0 0 25686 0 --:--:-- --:--:-- --:--:-- 25761
Installing Yarn!
> Downloading tarball...
[1/2]: https://yarnpkg.com/latest.tar.gz --> /var/folders/lk/hyn85_3d2vjdq_3cbnbs3nyc0000gn/T/yarn.tar.gz.XXXXXXXXXX.bd3s0O1a
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 91 100 91 0 0 284 0 --:--:-- --:--:-- --:--:-- 284
100 608 0 608 0 0 366 0 --:--:-- 0:00:01 --:--:-- 3684
100 914k 100 914k 0 0 108k 0 0:00:08 0:00:08 --:--:-- 110k
[2/2]: https://yarnpkg.com/latest.tar.gz.asc --> /var/folders/lk/hyn85_3d2vjdq_3cbnbs3nyc0000gn/T/yarn.tar.gz.XXXXXXXXXX.bd3s0O1a.asc
100 95 100 95 0 0 1480 0 --:--:-- --:--:-- --:--:-- 1480
100 612 0 612 0 0 2897 0 --:--:-- --:--:-- --:--:-- 2897
100 832 100 832 0 0 1905 0 --:--:-- --:--:-- --:--:-- 1905
> Verifying integrity...
gpg: Signature made Mon Feb 26 13:01:19 2018 CST using RSA key ID B6FF4DE3
gpg: Can't check signature: No public key
> GPG signature for this Yarn release is invalid! This is BAD and may mean the release has been tampered with. It is strongly recommended that you report this to the Yarn developers.
If the current behavior is a bug, please provide the steps to reproduce.
curl -o- -L https://yarnpkg.com/install.sh | bash with or without a currently installed version of yarn.
npm with sudo npm i yarn -g works fine. I'm reporting this issue primarily because the error message "strongly recommends" that I do.
What is the expected behavior?
curl -o- -L https://yarnpkg.com/install.sh | bash
Please mention your node.js, yarn and operating system version.
Node: 8.9.4
MacOS: 10.13.3
Yarn: 1.5.1, but this is irrelevant because the error is in the install script.
I just saw this in a Bitbucket Pipelines container (a CI solution).
As a result, I couldn't pull any logs, but I just wanted to note that this isn't an isolated incident.
Sorry about that. You likely have an older version of the GPG key that was imported before December 2017. For security, it's rotated once per year. You can import the latest GPG key to fix it:
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --import
Please let me know if you still see the issue after that.
https://github.com/yarnpkg/website/issues/761 will improve the installation script and update it to ensure the proper subkeys are available. If you'd like to send a PR for that, it'd be great.
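The log above shows gpg reporting "Can't check signature: No public key", which the installer then presents as an invalid signature. As an added example (not part of this thread and not Yarn's install script), the shell sketch below separates a missing, expired or revoked key from a signature that genuinely fails, by reading the status lines gpg emits with `--status-fd`. The function names, verdict strings and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Yarn's install script): classify a gpg verification from
# its machine-readable status lines instead of from the exit code alone.

# Reads "[GNUPG:] ..." status lines on stdin and prints one verdict:
# good | missing-key | expired-key | revoked-key | bad-signature | unknown
classify_gpg_status() (
  verdict=unknown
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] "*) keyword=${line#"[GNUPG:] "}; keyword=${keyword%% *} ;;
      *) continue ;;                          # human-readable "gpg: ..." text
    esac
    case "$keyword" in
      BADSIG)    verdict=bad-signature; break ;;  # data does not match signature
      REVKEYSIG) verdict=revoked-key ;;
      EXPKEYSIG) verdict=expired-key ;;
      NO_PUBKEY) verdict=missing-key ;;           # nothing could be verified
      GOODSIG)   if [ "$verdict" = unknown ]; then verdict=good; fi ;;
    esac
  done
  printf '%s\n' "$verdict"
)

# Maps a verdict to the message an installer could show (wording is assumed).
explain_verdict() {
  case "$1" in
    good)          echo "signature verified" ;;
    missing-key)   echo "signing key not in keyring: import the current key, then re-verify" ;;
    expired-key)   echo "signing key has expired: refresh the key, then re-verify" ;;
    revoked-key)   echo "signing key was revoked: do not install" ;;
    bad-signature) echo "signature does not match the download: do not install" ;;
    *)             echo "verification result unclear: do not install" ;;
  esac
}

# Real check: $1 = tarball, $2 = detached .asc signature.
verify_release() {
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_gpg_status
}

# Constructed status lines for the "No public key" case (placeholder key ID).
sample_missing_key_status() {
  cat <<'EOF'
[GNUPG:] ERRSIG 0000000000000000 1 8 00 1519671679 9
[GNUPG:] NO_PUBKEY 0000000000000000
EOF
}

explain_verdict "$(sample_missing_key_status | classify_gpg_status)"
```

Only the `good` verdict should let an installer proceed; the others differ in what the user is told to do next, not in whether the download is trusted.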