Fixing Yarn Key Error on Ubuntu

In this brief tutorial, we explore how to refresh keys on Ubuntu when they are out of date, with links to man pages and commands provided.

It's been a little while since I did maintenance on my main Linux server. It doesn't really do much; it just hosts my website, but in the future it will do more, as I plan to build and test cross-platform apps on it as well as host other websites, so I needed to make sure that it was up to date and ready for production use. Plus, it's fun to jump into the command line every so often.

When I logged in and ran sudo apt-get update, I noticed that the following error presented itself:

Yarn is a package manager - it's used across lots of open-source, programming and systems projects. The issue is that the key used to authenticate Yarn's packages is out of date. If the packages aren't authenticated, the system could run malicious software pretending to be Yarn - for example, a modified version of Yarn with some hidden code that would cause damage to the system, use extra resources for someone else's gain or perhaps even allow backdoor access.

Obviously, I don't want any of that so the best thing to do is refresh the key. We can do that in a few ways.

1. Refresh just the Yarn key

If we use the command below, we can refresh just the key for Yarn. Check out this forum post on AskUbuntu for more information. I used one of the answers to refresh just the Yarn key and modified it so that refreshed keys were added to the keyring.

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo tee /etc/apt/trusted.gpg.d/dl.yarnpkg.com.asc | sudo apt-key add -

It's worth reading over the man pages about apt-key for more information about the authentication of packages. The brief description is as follows: "apt-key is used to manage the list of keys used by apt to authenticate packages. Packages which have been authenticated using these keys will be considered trusted". It goes without saying, then, that my addition of apt-key add - adds the refreshed key to a trusted state in the keyring. In the command above, we are getting the key directly from Yarn's creators, so there's not much risk of a fake key being added to the keyring, but do keep in mind that it is possible to trust a key that isn't legitimate.
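
One way to act on that last caveat, as an added example that is not from the original post: check the downloaded key's fingerprint against one obtained from a separate trusted source before installing it. The function names and the sample listing are constructed for illustration, and the expected fingerprint is a placeholder you must supply.

```bash
#!/usr/bin/env bash
# Added example: refuse to trust a downloaded APT key unless its fingerprint
# matches one obtained out of band. Function names are hypothetical.

# Constructed sample of `gpg --show-keys --with-colons` output (not a real key).
SAMPLE_COLONS='pub:-:4096:1:0123456789ABCDEF:1500000000:::-:::scSC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1500000000::::Example Repo <repo@example.invalid>:
sub:-:4096:1:FEDCBA9876543210:1500000000::::::s:
fpr:::::::::1111222233334444555566667777FEDCBA987654:'

# Print the fingerprint of every primary key in a colon listing on stdin.
# The fpr record that follows a sub record belongs to a subkey and is skipped.
primary_fprs() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "sub" { want = 0; next }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# Normalise a fingerprint as people write it: drop spaces, upper-case the hex.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Succeed only if stdin lists exactly one primary key and it is the expected one.
# A file that bundles an extra key yields two lines and therefore fails.
key_matches() {
  expected=$(normalize_fpr "$1")
  actual=$(primary_fprs)
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Download, verify, then install. apt reads keys placed in
# /etc/apt/trusted.gpg.d directly, so no apt-key call is needed.
install_verified_key() {  # args: url, expected fingerprint, destination file
  tmp=$(mktemp) || return 1
  if curl -fsS "$1" -o "$tmp" &&
     gpg --show-keys --with-colons "$tmp" | key_matches "$2"; then
    sudo install -m 0644 "$tmp" "$3"; rc=$?
  else
    echo "key not installed: download failed or fingerprint mismatch" >&2; rc=1
  fi
  rm -f "$tmp"; return "$rc"
}

# Usage (the fingerprint is a placeholder; take it from a source you trust):
# install_verified_key https://dl.yarnpkg.com/debian/pubkey.gpg \
#   "<EXPECTED FINGERPRINT>" /etc/apt/trusted.gpg.d/dl.yarnpkg.com.asc
```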

2. Refresh all keys

Whilst I don't recommend it, it is possible to pull a refresh of all of the keys using the following command:

sudo apt-key adv --refresh-keys --keyserver keyserver.ubuntu.com

This will automatically refresh all of your keys against the ubuntu.com keyserver.

Obviously, this can be a bit of a laborious task, so it's probably worth setting up a cron job to do this automatically. I'll write that up in a separate blog post, though, and link to it once I've written it.