Re-import repository keys for BDR and pglogical apt repositories
The BDR and pglogical apt repository GnuPG signing keys have been renewed.
Users should re-import the existing keys. You can verify that it’s still the same key as referenced in the documentation, just with a later expiry date.
Simply run:
wget --quiet -O - http://packages.2ndquadrant.com/bdr/apt/AA7A6805.asc | sudo apt-key add -
sudo apt-key finger AA7A6805 | grep -A2 -B3 BDR
Now check the fingerprint printed by the second command to verify it’s the same as this output:
pub 2048R/AA7A6805 2015-03-24 [expires: 2019-03-23]
    Key fingerprint = 855A F5C7 B897 6564 17FA 73D6 5D94 1908 AA7A 6805
uid BDR Apt Signing Key for 2ndQuadrant <[email protected]>
sub 2048R/739C93DD 2015-03-24 [expires: 2019-03-23]
and if it is, run:
sudo apt-get update
If you’ve found this blog post because you searched for an error like:
GPG error: http://packages.2ndquadrant.com jessie-2ndquadrant InRelease: The following signatures were invalid: KEYEXPIRED 1490229886 KEYEXPIRED 1490229886 KEYEXPIRED 1490229886
WARNING: The following packages cannot be authenticated!
postgresql-bdr-client-9.4 postgresql-bdr-9.4 postgresql-bdr-contrib-9.4 postgresql-bdr-9.4-bdr-plugin
then run the above commands to fix it.
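The fingerprint comparison can also gate the import, so a key fetched over plain HTTP is only trusted once it matches. The script below is an added example, not part of the original post or 2ndQuadrant's tooling: it saves the key to a file first and runs `apt-key add` only on a match. The function names and the sample listing are constructed for illustration, and it assumes a gpg that supports `--show-keys`.

```shell
#!/bin/sh
# Added example: refuse to import the key unless its fingerprint matches.
# Fingerprint copied from the post above.
EXPECTED_FPR="855A F5C7 B897 6564 17FA 73D6 5D94 1908 AA7A 6805"

# Constructed sample of `gpg --with-colons` output (dates and subkey values
# are placeholders, not taken from the real key); used for offline checks.
SAMPLE_LISTING='pub:-:2048:1:5D941908AA7A6805:0:0::-:::scESC:
fpr:::::::::855AF5C7B897656417FA73D65D941908AA7A6805:
uid:-::::0::::BDR Apt Signing Key for 2ndQuadrant:
sub:-:2048:1:0000000000000000:0:0:::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

# Remove whitespace and upper-case, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Read a colon listing on stdin; print the primary key fingerprint only when
# the input holds exactly one public key. A file carrying a second key would
# otherwise get that key trusted too, since apt-key add imports every key.
primary_fpr() {
    awk -F: '
        $1 == "pub" { pubs++; want = 1; next }
        want && $1 == "fpr" { fpr = $10; want = 0 }
        END { if (pubs == 1 && fpr != "") print fpr }'
}

# Succeed only if the listing on stdin matches the expected fingerprint ($1).
fpr_matches() {
    got=$(primary_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$1")" ]
}

# Inspect a downloaded key file without touching any keyring, then import it.
# Assumes a gpg that supports --show-keys; sudo/apt-key as used in the post.
import_if_verified() {
    if gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null |
        fpr_matches "$EXPECTED_FPR"; then
        sudo apt-key add "$1"
    else
        echo "fingerprint check failed, not importing $1" >&2
        return 1
    fi
}

# Usage:
#   wget --quiet -O AA7A6805.asc http://packages.2ndquadrant.com/bdr/apt/AA7A6805.asc
#   import_if_verified AA7A6805.asc
```

The expected fingerprint should itself come from a channel you trust, such as the project documentation the post refers to.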
Whoa. Do you really recommend that people download the keys over *http*? I’m hoping that’s a typo?
It’s not a typo, though it’s not ideal, and the packages site will be moving to SSL soon. I have added a reminder to check the key fingerprint.
We do publish key fingerprints for the master signing key and the packaging keys are signed by this key, but few users will actually verify that.