MongoDB GPG - Invalid Signatures

I'm installing MongoDB on an Ubuntu 14.04 machine, using the instructions at: https://docs.mongodb.org/manual/tutorial/install-mongodb-on-ubuntu/

So I run:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927

And then:

echo "deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list

Followed by:

sudo apt-get update

I then get the following warning at the end of the update:

> W: GPG error: http://repo.mongodb.org trusty/mongodb-org/3.2 Release: > The following signatures were invalid: BADSIG D68FA50FEA312927 MongoDB > 3.2 Release Signing Key <[email protected]>

If I ignore the warning and try to run:

sudo apt-get install -y mongodb-org

I get:

> WARNING: The following packages cannot be authenticated!
> mongodb-org-shell mongodb-org-server mongodb-org-mongos > mongodb-org-tools mongodb-org E: There are problems and -y was used > without --force-yes

Any ideas on how to resolve? Thanks!

Update all expired keys from Ubuntu key server in one command:

sudo apt-key list | \
 grep "expired: " | \
 sed -ne 's|pub .*/\([^ ]*\) .*|\1|gp' | \
 xargs -n1 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys

Command explanation:

1. sudo apt-key list - lists all keys installed in the system;
2. grep "expired: " - leave only lines with expired keys;
3. sed -ne 's|pub .*/\([^ ]*\) .*|\1|gp' - extracts keys;
4. xargs -n1 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys - updates keys from Ubuntu key server by found expired ones.

Source

Sounds like you need to redo the installation steps for MongoDB. First, remove any existing repository file for MongoDB. Do as below:

$ sudo rm /etc/apt/sources.list.d/mongodb*.list

Next, add the key (without the key, the repository will not load):

$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927

Now, create a new MongoDB repository list file:

$ echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list

After adding the repository details, we need to update the packages list:

$ sudo apt-get update

Now install MongoDB:

sudo apt install mongodb-org

You don't need to reinstall the mongo packages, but just change the key as following:

List the keys to confirm it is expired:

apt-key list | grep "expired:"

Replace the key:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 0xd68fa50fea312927

The number 0xd68fa50fea312927 is the current valid key id (expires at 2019-10-09), as you can check here.

It seems version 3.2.1 has been released on 11/Jan/2016, and the packages signature is bad since this moment. The packages signature were fine the day before.

refs: https://jira.mongodb.org/browse/SERVER/fixforversion/15908/?selectedTab=com.atlassian.jira.jira-projects-plugin:version-summary-panel

You can either add the --force-yes option, or wait for a few hours that the mongodb team sees and fixes the issue.

There is already a ticket there: https://jira.mongodb.org/browse/SERVER-22144

I also faced this issue when installing MongoDB 4.0 on Ubuntu 16.04. So I did.

1. sudo rm /etc/apt/sources.list.d/mongodb*.list - remove any existing file for MongoDB

2. sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv E52529D4 - add the key

3. sudo bash -c 'echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/4.0 multiverse" > /etc/apt/sources.list.d/mongodb-org-4.0.list' - create a new MongoDB repository list file

Now, Complete the installation with an update of repositories then install MongoDB, enable the mongod service and start it up, and last, check your MongoDB version:

sudo apt update
sudo apt install mongodb-org

systemctl enable mongod.service
systemctl start mongod.service

mongo --version

I also faced this issue when installing MongoDB 3.2 on my ubuntu 16.04 using the below commands. The below solution is provided as the question related to the v3.2 installation of MongoDB

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
echo "deb http://repo.mongodb.org/apt/ubuntu "$(lsb_release -sc)"/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list
sudo apt-get update

After running the above update command i found the following warnings

W: GPG error: http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 Release: The following signatures were invalid: KEYEXPIRED 1507497109
W: The repository 'http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

On further investigating using the below command to list all the keys

sudo apt-key list

It shows that the current key is expired on 2017-10-08

pub   4096R/EA312927 2015-10-09 [expired: 2017-10-08]
uid                  MongoDB 3.2 Release Signing Key <[email protected]>

This also made sense as the MongoDB Current Stable Release is now (3.4.9).

To fix the issue first we make a small cleanup (optional)

1. we remove the old key added

   sudo apt-key list // List all keys

   sudo apt-key del EA312927 // Find the uid of the key to be deleted

   apt-key list | grep Mongodb // Verify if its deleted

2. Now we remove the MongoDB repo added in /etc/apt/sources.list.d

   sudo rm /etc/apt/sources.list.d/mongodb*.list

3. Now we install the latest stable version of MongoDB(3.4.9) using below commands

Import the Public Key used by the Ubuntu Package Manager

apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6

Create a file list for mongoDB to fetch the current repository

echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu "$(lsb_release -sc)"/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-3.4.list

Install MongoDB

sudo apt-get update
sudo apt-get install mongodb-org

I had the same problem, and solved it by installing mongodb with tarball method. Refer to the below link for detail.

https://docs.mongodb.org/manual/tutorial/install-mongodb-on-linux/

Adding details below

1. curl -O https://fastdl.mongodb.org/linux/mongodb-linux-i686-3.2.0.tgz

2. tar -zxvf mongodb-linux-i686-3.2.0.tgz

3. mkdir -p mongodb && cp -R -n mongodb-linux-i686-3.2.0/ mongodb

4. export PATH=/bin:$PATH

5. then run mongod (db path might needs to be set)

I experienced the similar problem and got the following error while installing MongoDB 4.2 on Ubuntu 18.04 instance on Google Cloud.

W: GPG error: http://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.2 Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4B7C549A058F8B6B
E: The repository 'http://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.2 Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details

The solution that worked from me was running the following command to get the key. I found this on MongoDB official Jira Issue Pages.

/usr/bin/curl -sLO https://www.mongodb.org/static/pgp/server-4.2.asc && sudo /usr/bin/apt-key add server-4.2.asc

I found this solution in MongoDB official Jira issues. Here is the link to the issue.

wget -qO - https://www.mongodb.org/static/pgp/server-3.2.asc | sudo apt-key add -

Actually, the following is very important to solve the problem

$ sudo rm /etc/apt/sources.list.d/mongodb*.list

I had the same problem, so I did:

root@skarabi:~# apt remove mongodb-org

Then:

root@skarabi:~# sudo rm /etc/apt/sources.list.d/mongodb*.list

After :

root@skarabi:~# apt update

Using dlopatin's answer I came up with this for Ubuntu 18.04 since that code doesnt work anymore:

sudo apt-key list | \
grep -A 1 "\[expired:" | \
sed -ne 's|^\s\{1,10\}\(\w*\)|\1|gp' | \
xargs -d '\n' sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys

1. List keys sudo apt-key list
2. Get the expired one and print the next line with the fingerprint grep -A 1 "\[expired:"
3. Use sed to extract only the lines starting with space ^\s\{1,10\},and select the alphanumeric characters \(\w*\), replace those lines with the selected group which is the fingerprint \1, repeat for all returned lines g,then print the fingerprint p. That gives: sed -ne 's|^\s\{1,10\}\(\w*\)|\1|gp'
4. Use xargs with delimiter for '\n' otherwise it will break on spaces: xargs -d '\n', then pass the fingerprints as arguments to apt-key to update them: sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys which gives you: xargs -d '\n' sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys

Hopefully that is clear. Ignore the warning about apt-key output parsing :)

This worked for me on ubuntu focal 20.04.01 LTS for installing MongoDB version 3.4.17:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list
sudo apt update

apt-cache policy libssl1.0-dev
sudo apt-get install libssl1.0-dev

sudo apt-get install -y mongodb-org=3.4.17 mongodb-org-server=3.4.17 mongodb-org-shell=3.4.17 mongodb-org-mongos=3.4.17 mongodb-org-tools=3.4.17