Re-import repository keys for BDR and pglogical apt repositories
The BDR and pglogical apt repository GnuPG signing keys have been renewed.
Users should re-import the existing keys. You can verify that it’s still the same key as referenced in the documentation, just with a later expiry date.
wget --quiet -O - http://packages.2ndquadrant.com/bdr/apt/AA7A6805.asc | sudo apt-key add - sudo apt-key finger AA7A6805 | grep -A2 -B3 BDR
Now check the fingerprint printed by the second command to verify it’s the same as this output:
pub 2048R/AA7A6805 2015-03-24 [expires: 2019-03-23] Key fingerprint = 855A F5C7 B897 6564 17FA 73D6 5D94 1908 AA7A 6805 uid BDR Apt Signing Key for 2ndQuadrant <[email protected]> sub 2048R/739C93DD 2015-03-24 [expires: 2019-03-23]
and if it is, run:
sudo apt-get update
If you’ve found this blog post because you searched for an error like:
GPG error: http://packages.2ndquadrant.com jessie-2ndquadrant InRelease: The following signatures were invalid: KEYEXPIRED 1490229886 KEYEXPIRED 1490229886 KEYEXPIRED 1490229886 WARNING: The following packages cannot be authenticated! postgresql-bdr-client-9.4 postgresql-bdr-9.4 postgresql-bdr-contrib-9.4 postgresql-bdr-9.4-bdr-plugin
then run the above commands to fix it.
Whoa. Do you really recommend that people download the keys over *http*? I’m hoping that’s a typo?
It’s not a typo, though it’s not ideal, and the packages site will be moving to SSL soon. I have added a reminder to check the key fingerprint.
We do publish key fingerprints for the master signing key and the packaging keys are signed by this key, but few users will actually verify that.