MongoDB 4.2 packages on Debian Stretch cannot be authenticated

I’m having an issue with the signing keys for Mongo 4.2 on Debian.9 stretch, as documented here: https://docs.mongodb.com/manual/tutorial/install-mongodb-on-debian/

A minimal Dockerfile using the commands from that doc:

FROM debian:stretch
RUN apt-get update
RUN apt-get install -y wget gnupg
RUN wget -qO - https://www.mongodb.org/static/pgp/server-4.2.asc | apt-key add -
RUN echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/4.2 main" | tee /etc/apt/sources.list.d/mongodb-org-4.2.list
RUN apt-key list
RUN apt-get update
RUN apt-get install -y mongodb-org

This errors with:

WARNING: The following packages cannot be authenticated!
mongodb-org-shell mongodb-org-server mongodb-org-mongos mongodb-org-tools
mongodb-org
E: There were unauthenticated packages and -y was used without --allow-unauthenticated

This has just started failing yesterday on one of our builds, was previously working OK.

I’ve followed the troubleshooting instructions here: https://docs.mongodb.com/manual/reference/installation-ubuntu-community-troubleshooting/

And the key has been added as expected:

Step 6/8 : RUN apt-key list
---> Running in 1edf49f36623
Warning: apt-key output should not be parsed (stdout is not a terminal)
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2018-04-18 [SC] [expires: 2023-04-17]
E162 F504 A20C DF15 827F 718D 4B7C 549A 058F 8B6B
uid [ unknown] MongoDB 4.2 Release Signing Key <[packaging@mongodb.com](mailto:packaging@mongodb.com)>

Has anyone else seen this issue? I’m very concerned that packages in the official repo.mongodb.org appear to no longer be signed by the officially documented public key, given that they previously were. Using debian:buster instead works fine, so I don’t think it’s an issue with the key that is documented (which is the same for both Stretch and Buster).

Trying to edit but it won’t let me (new users can only have 2 links apparently), so to update - this is now resolved. Unsure what fixed it, no changes our side, assume it was a MongoDB infrastructure issue.

Hi Chris,

Some of the latest 4.2 Debian/Ubuntu packages released were inadvertently signed with the 4.4 signing key: https://jira.mongodb.org/browse/DOCS-13691

Apologies for the inconvenience, this problem has been corrected.

Regards,
Stennie

2 Likes

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.