Categories
Misc

Updating the CUDA Linux GPG Repository Key

CUDA 16x9 Aspect RatioNVIDIA is updating and rotating the signing keys used by apt, dnf/yum, and zypper package managers beginning April 27, 2022.CUDA 16x9 Aspect Ratio

To best ensure the security and reliability of our RPM and Debian package repositories, NVIDIA is updating and rotating the signing keys used by the apt, dnf/yum, and zypper package managers beginning April 27, 2022.

If you don’t update your repository signing keys, expect package management errors when attempting to access or install packages from CUDA repositories.

To ensure continued access to the latest NVIDIA software, complete the following steps.

Remove the outdated signing key

Debian, Ubuntu, WSL

$ sudo apt-key del 7fa2af80

Fedora, RHEL, openSUSE, SLES

$ sudo rpm --erase gpg-pubkey-7fa2af80*

Install the new key

For Debian-based distributions, including Ubuntu, you must also install the new package or manually install the new signing key.

Install the new cuda-keyring package

To avoid the need for manual key installation steps, NVIDIA is providing a new helper package to automate the installation of new signing keys for NVIDIA repositories. 

Replace $distro/$arch in the following commands with values appropriate for your OS; for example:

  • debian10/x86_64
  • debian11/x86_64
  • ubuntu1604/x86_64
  • ubuntu1804/cross-linux-sbsa
  • ubuntu1804/ppc64el
  • ubuntu1804/sbsa
  • ubuntu1804/x86_64
  • ubuntu2004/cross-linux-sbsa
  • ubuntu2004/sbsa
  • ubuntu2004/x86_64
  • ubuntu2204/sbsa
  • ubuntu2204/x86_64
  • wsl-ubuntu/x86_64

Debian, Ubuntu, WSL

$ wget https://developer.download.nvidia.com/compute/cuda/repos/$distro/$arch/cuda-keyring_1.0-1_all.deb
$ sudo dpkg -i cuda-keyring_1.0-1_all.deb

Alternate method: Manually install the new signing key

If you can’t install the cuda-keyring package, you can install the new signing key manually (not the recommended method).

Debian, Ubuntu, WSL

$ sudo apt-key adv --fetch-keys https://developer.download.nvidia.com/compute/cuda/repos/$distro/$arch/3bf863cc.pub

RPM distros

On a fresh installation, Fedora, RHEL, openSUSE, or SLES as dnf/yum/zypper prompt you to accept new keys when the repository signing key changes. Accept the change when prompted.

Replace $distro/$arch in the following commands with values appropriate for your OS; for example:

  • fedora32/x86_64
  • fedora33/x86_64
  • fedora34/x86_64
  • fedora35/x86_64
  • opensuse15/x86_64
  • rhel7/ppc64le
  • rhel7/x86_64
  • rhel8/cross-linux-sbsa
  • rhel8/ppc64le
  • rhel8/sbsa
  • rhel8/x86_64
  • sles15/cross-linux-sbsa
  • sles15/sbsa
  • sles15/x86_64

For upgrades on RPM-based distros including Fedora, RHEL, and SUSE, you must also run the following command.

Fedora and RHEL 8

$ sudo dnf config-manager --add-repo https://developer.download.nvidia.com/compute/cuda/repos/$distro/$arch/cuda-$distro.repo

RHEL 7

$ sudo yum-config-manager --add-repo https://developer.download.nvidia.com/compute/cuda/repos/rhel7/$arch/cuda-rhel7.repo

openSUSE and SLES

$ sudo zypper removerepo cuda-$distro-$arch
$ sudo zypper addrepo https://developer.download.nvidia.com/compute/cuda/repos/$distro/$arch/cuda-$distro.repo

Working with containers

CUDA applications built using older NGC base containers may contain outdated repository keys. If you build Docker containers using these images as a base and update the package manager or install additional NVIDIA packages as part of your Dockerfile, these commands may fail as they would on a non-container system. To work around this, integrate the earlier commands into the Dockerfile you use to build the container.

Existing containers in which the package manager is not used to install updates are not affected by this key rotation.

Leave a Reply

Your email address will not be published. Required fields are marked *