February 22, 2019

Updating the YARN GPG Key on a Ghost Droplet

How to update the yarn GPG key for a DigitalOcean Droplet

Updating the YARN GPG Key on a Ghost Droplet

Since the beginning of 2019, my DigitalOcean Ghost droplet started giving the following error whenever I ran the apt-update command:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1EW: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1EW: Some index files failed to download. They have been ignored, or old ones used instead.

After doing some research, I found that the yarn developer is following good security practices and updating their PUBKEY every two years. It is documentened in the GitHub issue 4253

This can be easily resolve by running the command:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -