Rotating the GPG Keys

NVIDIA constantly evaluates and improves security implementations. As part of these improvements, we are rolling out changes to harden the security and reliability of our repositories. These changes require rotating the GPG keys that are used to sign the metadata and packages in those repositories. This section provides information about how to rotate the GPG keys on your system.

  1. Download the new repository setup packages.

    wget https://international.download.nvidia.com/dgx/repos/bionic/pool/multiverse/d/dgx-repo/dgx-repo_1.0-5_amd64.deb
    wget https://international.download.nvidia.com/dgx/repos/bionic/pool/multiverse/n/nvidia-repo-keys/nvidia-repo-keys_22.04-1_all.deb
    
  2. Install the .deb packages directly with dpkg, which skips the GPG check performed in apt.

    If prompted, ensure that you accept the maintainer’s version for all files.

    sudo dpkg --force-confnew -i ./nvidia-repo-keys_22.04-1_all.deb  ./dgx-repo_1.0-5_amd64.deb
    
  3. Manually revoke the previous DGX and CUDA GPG keys by deleting them from apt's trusted keys.

    sudo apt-key del 629C85F2
    sudo apt-key del 7FA2AF80
    
  4. Update optional repositories that were previously enabled.

    for x in $(find /etc/apt/sources.list.d -name "dgx*.list"); do
        # Add the signed-by option only to files that do not already mention it.
        if ! grep -q "signed-by" "$x"; then
            sudo sed -i 's|^deb |deb [arch=amd64 signed-by=/usr/share/keyrings/dgx_debian_prod.gpg] |' "$x"
        fi
    done
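
The loop in step 4 tests each file as a whole, so a file that already contains one `signed-by` entry is skipped even if other entries in it lack the option. The following added example (not part of NVIDIA's procedure) audits the entries line by line; the function name `audit_signed_by` and the `repo.example.invalid` URLs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not NVIDIA's script): per-line audit for the signed-by option.

# Print "file:line_number" for each active deb/deb-src entry in DIR/dgx*.list
# that has no signed-by option. Returns 1 if any such entry is found.
audit_signed_by() {
    local dir="$1" f n line found=0
    for f in "$dir"/dgx*.list; do
        [ -e "$f" ] || continue            # glob matched nothing
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case $line in
                deb\ *|deb-src\ *) ;;      # active entry: inspect it
                *) continue ;;             # comment, blank or other line
            esac
            case $line in
                *\[*signed-by=*\]*) ;;     # option present in a [...] block
                *) echo "$f:$n"; found=1 ;;
            esac
        done < "$f"
    done
    return "$found"
}

# Constructed sample: only the first entry carries signed-by, so a file-level
# grep for "signed-by" matches and the second entry is never rewritten.
demo=$(mktemp -d)
printf '%s\n' \
    'deb [arch=amd64 signed-by=/usr/share/keyrings/dgx_debian_prod.gpg] https://repo.example.invalid/dgx bionic main' \
    'deb https://repo.example.invalid/dgx bionic-updates main' \
    '# deb https://repo.example.invalid/old bionic main' > "$demo/dgx-optional.list"
audit_signed_by "$demo" || echo "the entries listed above still lack signed-by"
rm -rf "$demo"
```

On a real system, run `audit_signed_by /etc/apt/sources.list.d` after step 4 and review any line it reports.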