NVIDIA is updating and rotating the signing keys used by apt, dnf/yum, and zypper package managers beginning April 27, 2022.
To best ensure the security and reliability of our RPM and Debian package repositories, NVIDIA is updating and rotating the signing keys used by the apt, dnf/yum, and zypper package managers beginning April 27, 2022.
If you don’t update your repository signing keys, expect package management errors when attempting to access or install packages from CUDA repositories.
To ensure continued access to the latest NVIDIA software, complete the following steps.
Remove the outdated signing key
Debian, Ubuntu, WSL
$ sudo apt-key del 7fa2af80
Fedora, RHEL, openSUSE, SLES
$ sudo rpm --erase gpg-pubkey-7fa2af80*
Install the new key
For Debian-based distributions, including Ubuntu, you must also install the new package or manually install the new signing key.
Install the new cuda-keyring package
To avoid the need for manual key installation steps, NVIDIA is providing a new helper package to automate the installation of new signing keys for NVIDIA repositories.
Replace $distro/$arch in the following commands with values appropriate for your OS; for example:
- debian10/x86_64
- debian11/x86_64
- ubuntu1604/x86_64
- ubuntu1804/cross-linux-sbsa
- ubuntu1804/ppc64el
- ubuntu1804/sbsa
- ubuntu1804/x86_64
- ubuntu2004/cross-linux-sbsa
- ubuntu2004/sbsa
- ubuntu2004/x86_64
- ubuntu2204/sbsa
- ubuntu2204/x86_64
- wsl-ubuntu/x86_64
Debian, Ubuntu, WSL
$ wget https://developer.download.nvidia.com/compute/cuda/repos/$distro/$arch/cuda-keyring_1.0-1_all.deb
$ sudo dpkg -i cuda-keyring_1.0-1_all.debAlternate method: Manually install the new signing key
If you can’t install the cuda-keyring package, you can install the new signing key manually (not the recommended method).
Debian, Ubuntu, WSL
$ sudo apt-key adv --fetch-keys https://developer.download.nvidia.com/compute/cuda/repos/$distro/$arch/3bf863cc.pubRPM distros
On a fresh installation, Fedora, RHEL, openSUSE, or SLES as dnf/yum/zypper prompt you to accept new keys when the repository signing key changes. Accept the change when prompted.
Replace $distro/$arch in the following commands with values appropriate for your OS; for example:
- fedora32/x86_64
- fedora33/x86_64
- fedora34/x86_64
- fedora35/x86_64
- opensuse15/x86_64
- rhel7/ppc64le
- rhel7/x86_64
- rhel8/cross-linux-sbsa
- rhel8/ppc64le
- rhel8/sbsa
- rhel8/x86_64
- sles15/cross-linux-sbsa
- sles15/sbsa
- sles15/x86_64
For upgrades on RPM-based distros including Fedora, RHEL, and SUSE, you must also run the following command.
Fedora and RHEL 8
$ sudo dnf config-manager --add-repo https://developer.download.nvidia.com/compute/cuda/repos/$distro/$arch/cuda-$distro.repoRHEL 7
$ sudo yum-config-manager --add-repo https://developer.download.nvidia.com/compute/cuda/repos/rhel7/$arch/cuda-rhel7.repoopenSUSE and SLES
$ sudo zypper removerepo cuda-$distro-$arch
$ sudo zypper addrepo https://developer.download.nvidia.com/compute/cuda/repos/$distro/$arch/cuda-$distro.repoWorking with containers
CUDA applications built using older NGC base containers may contain outdated repository keys. If you build Docker containers using these images as a base and update the package manager or install additional NVIDIA packages as part of your Dockerfile, these commands may fail as they would on a non-container system. To work around this, integrate the earlier commands into the Dockerfile you use to build the container.
Existing containers in which the package manager is not used to install updates are not affected by this key rotation.