MongoDB 3.6 Ubuntu Release Signing Key expired: 2023-12-09

The docs (Install MongoDB Community Edition on Ubuntu — MongoDB Manual) suggest that the key can be found here: https://www.mongodb.org/static/pgp/server-3.6.asc

This key has now expired!

How does one notify someone responsible for the repo to update it?

Similar to:

The answer is in this thread:

Thanks for the suggestions Chris, if I was just after downloading the installer and getting on with my life, the release archive would be the way to go.

However I’m more concerned with trying to get someone responsible for the repo and documentation to make some changes. In the interest of saving others time in the future.

I appreciate I could just pull the deb package from the release archive, and if Mongo are intending on that being the way forward for old versions (3.6 IS old) then so be it.

However, if the intention is to cease supporting the Ubuntu repo, then surely to avoid confusion the best approach is to amend the community docs and remove the repo from the internet.
If the intention is to keep it around then the key should be updated.
The current situation is a bit of a mess and I can see it wasting people's time when they come to try and install from the repo and get the signing key error.

I gather as a lowly non-paying punter the best I can hope for is someone from Mongo reading this post and maybe taking some action. So fingers crossed.

P.S.
I’m not sure of the wisdom of marking a public repository as trusted in the absence of a valid signing key as suggested in some of those linked topics!


Any chance to get the new GPG key for MongoDB 3.6?


Usually I’d suggest a Jira but per https://www.mongodb.com/docs/legacy/?site=docs I don’t think it would result in a change, but could still be worth a shot.

(Emphasis is mine)

MongoDB encourages upgrading to the most recent version to ensure documentation support. If upgrading is not possible, archived documentation is still available for previous versions. Archived documentation no longer receives updates.

I think I speak for us all when we say we understand we probably needed to upgrade earlier, but at this point we can’t because we get an error when we do because the key is expired. If we could get an unexpired key that would be great. I’m also getting expired key errors for 4.0 as well and if I’m correct, everyone else will as well once they try to upgrade from 3.6 to 4.0 then to 4.4 where we all want to be.

If we cannot get an unexpired key for 3.6 then we will need some far clearer instructions on how we need to upgrade as there really isn’t any documentation that I can find that will get me from point A to B with specific instruction.

All the documentation that I have found just says to do it without any kinds of commands to show us specifically what and how.

The thread I reference provides two methods to get past this on Ubuntu. There is even a command to create the repo file.

Perhaps I can create a more detailed post on the matter.

Don’t forget 4.2 :smiley: also 4.4 is EoL February 29 and 5.0 in October so at a minimum I’d recommend targeting 6.0.

7.0 will give a few years before another major version upgrade would be required.

The thread you referenced is for version 3.6 on Ubuntu 18.04 and that’s fine. But the repository for 20.04 (Focal) doesn’t have the repositories for 3.6 nor 4.0. The focal repositories start at 4.2. And if memory serves, we need to run upgrades through all the major versions in order.

Same principle applies. Add the same option to any repository.

Okay so I went ahead and tried what was in the other one where I added trusted=yes because the archive that is linked in the first option doesn’t have a repository for Ubuntu 20.04. I added the Trusted=Yes to 3.6, 4.0 and 4.4 and I reran sudo apt-get update and this is what came from it.

Ign:1 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.6 InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:4 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Ign:5 https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 InRelease
Get:6 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.6 Release [2,495 B]
Ign:7 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 InRelease
Ign:8 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 InRelease
Get:9 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.6 Release.gpg [801 B]
Get:10 https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 Release [2,989 B]
Hit:3 https://dl.ui.com/unifi/debian stable InRelease
Hit:11 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:12 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 Release
Hit:13 http://us.archive.ubuntu.com/ubuntu focal-security InRelease
Hit:14 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 Release
Get:15 https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 Release.gpg [801 B]
Ign:9 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.6 Release.gpg
Get:16 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.6/multiverse amd64 Packages [15.4 kB]
Err:17 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 656408E390CFB1F5
Ign:15 https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 Release.gpg
Get:19 https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0/multiverse amd64 Packages [18.4 kB]
Fetched 155 kB in 4s (35.2 kB/s)
Reading package lists... Done
W: GPG error: http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.6 Release: The following signatures were invalid: EXPKEYSIG 58712A2291FA4AD5 MongoDB 3.6 Release Signing Key <packaging@mongodb.com>
N: Skipping acquire of configured file 'multiverse/binary-arm64/Packages' as repository 'http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.6 InRelease' doesn't support architecture 'arm64'
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 656408E390CFB1F5
W: GPG error: https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 Release: The following signatures were invalid: EXPKEYSIG 68818C72E52529D4 MongoDB 4.0 Release Signing Key <packaging@mongodb.com>
N: Skipping acquire of configured file 'multiverse/binary-arm64/Packages' as repository 'https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 InRelease' doesn't support architecture 'arm64'
W: Failed to fetch https://repo.mongodb.org/apt/ubuntu/dists/focal/mongodb-org/4.4/Release.gpg  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 656408E390CFB1F5
W: Some index files failed to download. They have been ignored, or old ones used instead.
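The output above mixes two different signature failures, and they call for different handling: `EXPKEYSIG` means the Release file is signed by a key that has expired, while `NO_PUBKEY` means the signing key is simply missing from the local keyring. The following is an added example, not part of any post in this thread: it classifies the warnings per repository and lists sources that carry `trusted=yes`, the option questioned in the P.S. further up. The warning lines are taken from the output above; the `deb` lines are constructed, since the poster's repo files are not shown.

```python
import re

# Warning lines in the format shown in the apt-get update output above.
SAMPLE_APT_OUTPUT = """\
W: GPG error: http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.6 Release: The following signatures were invalid: EXPKEYSIG 58712A2291FA4AD5 MongoDB 3.6 Release Signing Key <packaging@mongodb.com>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 656408E390CFB1F5
W: GPG error: https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 Release: The following signatures were invalid: EXPKEYSIG 68818C72E52529D4 MongoDB 4.0 Release Signing Key <packaging@mongodb.com>
"""

# Constructed deb lines (assumption: the real repo files are not on the page).
SAMPLE_SOURCES = """\
deb [ arch=amd64 trusted=yes ] http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.6 multiverse
deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse
"""

GPG_ERR = re.compile(
    r"GPG error: (?P<uri>\S+) (?P<suite>\S+) Release: .*?"
    r"(?P<code>EXPKEYSIG|NO_PUBKEY) (?P<key>[0-9A-F]{16})")
DEB_LINE = re.compile(r"^deb\s+\[(?P<opts>[^\]]*)\]\s+(?P<uri>\S+)\s+(?P<suite>\S+)")

ADVICE = {
    "EXPKEYSIG": "signing key has expired; needs a key with a later expiry from the publisher",
    "NO_PUBKEY": "key is not in the local keyring; import the publisher's key for this release",
}

def classify_gpg_errors(apt_output):
    """Map each repository suite to (failure code, 64-bit key ID)."""
    findings = {}
    for line in apt_output.splitlines():
        m = GPG_ERR.search(line)
        if m:
            findings[m["suite"]] = (m["code"], m["key"])
    return findings

def unverified_sources(sources_text):
    """Return suites whose deb line disables signature checks with trusted=yes."""
    hits = []
    for line in sources_text.splitlines():
        m = DEB_LINE.match(line.strip())
        # Matched case-insensitively so differently cased spellings are also reported.
        if m and re.search(r"\btrusted=yes\b", m["opts"], re.I):
            hits.append(m["suite"])
    return hits

if __name__ == "__main__":
    for suite, (code, key) in classify_gpg_errors(SAMPLE_APT_OUTPUT).items():
        print(f"{suite}: {code} {key} -> {ADVICE[code]}")
    for suite in unverified_sources(SAMPLE_SOURCES):
        print(f"{suite}: trusted=yes set, apt will not verify this source")
```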

Can you share the deb lines in each repo file?

I ran into the same error when trying to update my server running Unifi Network Application, which uses MongoDB 3.6. There is a script by Glenn Rietveld for updating both Unifi Network Application and MongoDB to version 4.4, which solved my problem, no more key expired errors.

The script has an option to just upgrade MongoDB. Maybe you can take some parts of his script and adapt it to your needs…


The issue still persists; I’m not able to install MongoDB version 3.6 on Ubuntu 18.
GPG error: MongoDB Repositories bionic/mongodb-org/3.6 Release: The following signatures were invalid: EXPKEYSIG 58712A2291FA4AD5 MongoDB 3.6 Release Signing Key packaging@mongodb.com
Does anybody have any idea when this issue will be fixed?

Never.

MongoDB indicate they will not maintain the keys for end of life software.

https://jira.mongodb.org/browse/SERVER-76348


Hi Team,

Currently we have MongoDB 3.6 with 3 servers (1 primary, 2 replicas and 1 arbiter). We would like to upgrade from 3.6 to 4.2. Can we upgrade directly to 4.2 from 3.6, or do we have to upgrade first to 4.0 → 4.2?

The recommended upgrade path is to do in-place upgrades through successive major releases of MongoDB. Here is the recommended upgrade path: 3.6 → 4.0 → 4.2

When attempting to upgrade to MongoDB 4.0 on Ubuntu, we encountered an issue related to installing the 4.0 version due to an expired signing key.

Can anyone please guide me on this?