Yarn repo key expired [EDIT: changed again], is it OK to trust it?

What type of hardware are you using: VPS bought online
What YunoHost version are you running: 12.1.39
How are you able to access your server: The webadmin
SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: no

Describe your issue

Today `yunohost tools update` started complaining about the Yarn repo.

Is it safe to trust the new key?

Share relevant logs or error messages

```
Fetching available upgrades for system packages…
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging
W: Some index files failed to download. They have been ignored, or old ones used instead.
Something went wrong while updating the cache of APT (Debian's package manager). Here is a dump of the sources.list lines, which might help identify problematic lines:
sources.list:deb http://deb.debian.org/debian bookworm main non-free non-free-firmware
sources.list:deb-src http://deb.debian.org/debian bookworm main
sources.list:deb http://security.debian.org/debian-security bookworm-security main non-free non-free-firmware
sources.list:deb-src http://security.debian.org/debian-security bookworm-security main
sources.list:deb http://deb.debian.org/debian bookworm-updates main non-free non-free-firmware
sources.list:deb-src http://deb.debian.org/debian bookworm-updates main
sources.list.d/yunohost.list:deb [signed-by=/usr/share/keyrings/yunohost-bookworm.gpg] http://forge.yunohost.org/debian/ bookworm stable
sources.list.d/yarn.list:deb [signed-by=/etc/apt/trusted.gpg.d/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main
sources.list.d/extra_php_version.list:deb [signed-by=/etc/apt/trusted.gpg.d/extra_php_version.gpg] https://packages.sury.org/php/ bookworm main
```

EDIT: actually the key is expired not changed (so far)
EDIT2: the key changed now

6 Likes

Tracking upstream issue: Expired gpg signature · Issue #9216 · yarnpkg/yarn · GitHub

1 Like

Same problem at home.

Summary of errors

```
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG XXXXXXXXXXXXXXXX Yarn Packaging
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease The following signatures were invalid: EXPKEYSIG XXXXXXXXXXXXXXXX Yarn Packaging
W: Some index files failed to download. They have been ignored, or old ones used instead.
Des erreurs se sont produites lors de la mise à jour du cache APT (gestionnaire de paquets Debian). Voici un extrait des lignes du fichier sources.list qui pourrait vous aider à identifier les lignes problématiques :
sources.list.d/debian.sources:Types: deb deb-src
sources.list.d/debian.sources:URIs: mirror+file:///etc/apt/mirrors/debian.list
sources.list.d/debian.sources:Suites: bookworm bookworm-updates bookworm-backports
sources.list.d/debian.sources:Components: main contrib non-free-firmware
sources.list.d/debian.sources:Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
sources.list.d/debian.sources:Types: deb deb-src
sources.list.d/debian.sources:URIs: mirror+file:///etc/apt/mirrors/debian-security.list
sources.list.d/debian.sources:Suites: bookworm-security
sources.list.d/debian.sources:Components: main contrib non-free-firmware
sources.list.d/debian.sources:Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
sources.list.d/yarn.list:deb [signed-by=/etc/apt/trusted.gpg.d/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main
sources.list.d/yunohost.list:deb [signed-by=/usr/share/keyrings/yunohost-bookworm.gpg] bookworm stable
sources.list.d/extra_php_version.list:deb [signed-by=/etc/apt/trusted.gpg.d/extra_php_version.gpg] bookworm main
```

Following the suggestion of the yarn dev in this link solved the error mentioned on my setup :smiley: Thanks

1 Like

YunoHost compatible command for rotating the key:

```
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/yarn.gpg > /dev/null
```
20 Likes

> YunoHost compatible command for rotating the key:

Thank you
It solved the problem

7 Likes

Hi

Personally, since I didn’t have any packages from that repository installed, I simply removed it. And it works perfectly :wink:

Use this command `apt list --installed | grep yarn` to find out if this repository is the source of a package installed on your system.

(Tip: As a precaution, make a copy of the repository.)

Bye :wink:

3 Likes

In all cases, a manual intervention seems to be required.
Simply deleting yarn.list is not enough: a `yunohost tools regen-conf apt -f` will reinstall yarn.list without updating the key.
So either you need to remove yarn.list and the GPG key (`/etc/apt/trusted.gpg.d/yarn.gpg`) and then run `yunohost tools regen-conf apt -f`,
or simply import the new key as said by @orhtej2.

2 Likes

Should we perform this manually? Or will a future YunoHost update do it on its own?

1 Like

For now unfortunately you need to do that manually. I have not seen any development regarding this issue in YNH core.

3 Likes

Hi everyone.
It happened again today… same procedure, same result, works perfectly :slight_smile:

1 Like

It happened again… If I don’t do the procedure again, will there be any problems?

The key got rotated again: Debian repo: New GPG key · Issue #9218 · yarnpkg/yarn · GitHub, we need to update it once more

2 Likes

I tried three times to do a `curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg > /dev/null` but I still have

```
yunohost tools update
Info: Fetching available upgrades for system packages…
Warning: W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 62D54FD4003F6525
Warning: W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 62D54FD4003F6525
Warning: W: Some index files failed to download. They have been ignored, or old ones used instead.
Error: Something went wrong while updating the cache of APT (Debian’s package manager). Here is a dump of the sources.list lines, which might help identify problematic lines:
sources.list.d/extra_php_version.list:deb [signed-by=/etc/apt/trusted.gpg.d/extra_php_version.gpg] Index of /php/ bookworm main
sources.list.d/yarn.list:deb [signed-by=/etc/apt/trusted.gpg.d/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main
sources.list.d/yunohost.list:deb [signed-by=/usr/share/keyrings/yunohost-bookworm.gpg] Index of /debian/ bookworm stable
sources.list.d/debian.sources:Types: deb deb-src
sources.list.d/debian.sources:URIs: mirror+file:///etc/apt/mirrors/debian.list
sources.list.d/debian.sources:Suites: bookworm bookworm-updates bookworm-backports
sources.list.d/debian.sources:Components: main
sources.list.d/debian.sources:Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
sources.list.d/debian.sources:Types: deb deb-src
sources.list.d/debian.sources:URIs: mirror+file:///etc/apt/mirrors/debian-security.list
sources.list.d/debian.sources:Suites: bookworm-security
sources.list.d/debian.sources:Components: main
sources.list.d/debian.sources:Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Info: Updating application catalog…
```

Try
```
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/yarn.gpg > /dev/null
```
The YunoHost yarn list expects the key to be located in `/etc/apt/trusted.gpg.d`

5 Likes
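An added example, not code from any poster or from YunoHost: before overwriting `/etc/apt/trusted.gpg.d/yarn.gpg`, this compares the key ID apt names in its `EXPKEYSIG` / `NO_PUBKEY` warning with what a keyring file or a downloaded key actually contains. The function names and the sample keyring records (with made-up key IDs) are constructed for illustration; the two warning lines are taken from the posts above.

```shell
#!/bin/sh
# stdin: apt warnings. Prints the key IDs named after EXPKEYSIG / NO_PUBKEY.
wanted_keyids() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "EXPKEYSIG" || $i == "NO_PUBKEY") print $(i + 1) }' | sort -u
}

# stdin: `gpg --show-keys --with-colons FILE` (GnuPG 2.x, dates as epoch seconds).
# $1 = key ID, $2 = current epoch time. Prints ok | expired | revoked | missing.
# pub and sub records are both checked: apt names the signing key, which may be a subkey.
keyring_status() {
    awk -F: -v id="$1" -v now="$2" '
        ($1 == "pub" || $1 == "sub") && $5 == id {
            found = 1
            # field 2 is the validity flag, field 7 the expiry time
            if ($2 == "r") revoked = 1
            else if ($2 == "e" || ($7 != "" && $7 + 0 <= now + 0)) expired = 1
            else good = 1
        }
        END {
            if (!found) print "missing"
            else if (good) print "ok"
            else if (revoked) print "revoked"
            else print "expired"
        }'
}

# Two warning lines copied from the posts above.
SAMPLE_APT='W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging
Warning: W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 62D54FD4003F6525'

# Constructed colon-format records; the key IDs and dates are made up.
SAMPLE_KEYRING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1475000000:::-:::scESC::::::23::0:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1475000000:1700000000:::::s::::::23:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1700000000:1900000000:::::s::::::23:'

# Demo on the constructed data: neither key apt asked for is in this keyring.
for id in $(printf '%s\n' "$SAMPLE_APT" | wanted_keyids); do
    printf '%s: %s\n' "$id" \
        "$(printf '%s\n' "$SAMPLE_KEYRING" | keyring_status "$id" 1800000000)"
done

# On the server (as root), with the real files:
#   yunohost tools update 2>&1 | wanted_keyids
#   gpg --show-keys --with-colons /etc/apt/trusted.gpg.d/yarn.gpg \
#       | keyring_status 62D54FD4003F6525 "$(date +%s)"
```

A `missing` result for the file named in `signed-by=` matches the `NO_PUBKEY` case above, where the key was written to a different path. The check shows which keys a file holds, not that a downloaded key is authentic, so compare its fingerprint with the upstream issue before installing it.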

Thanks ! it works

1 Like

This did the trick for me !
Thanks

2 Likes

Thank you!

1 Like