I ran into an issue with the website CI build failing earlier today. I opened haskell-actions/setup#122 because I wasn't able to figure out what the issue was:
Today, I ran into this issue while trying to use the setup action:
Setting up cabal Adding /home/runner/.cabal/bin to PATH /home/runner/.ghcup/bin/cabal update <repo>/root.json does not have enough signatures signed with the appropriate keys Error: The process '/home/runner/.ghcup/bin/cabal' failed with exit code 1The relevant part of the workflow:
- name: Set up Haskell uses: haskell-actions/setup@v2 id: setup with: ghc-version: '9.2.8' cabal-version: '3.10.1.0' cabal-update: trueBefore this failure, the job had been working. No changes had been made to the workflow in the repository. This is the failed job: https://github.com/exodrifter/website/actions/runs/16579270664/job/46891198451
I found a related issue on the hackage issue tracker: https://github.com/haskell/hackage-server/issues/547. So, I thought my build would start working if I deleted all of my caches for my repository, but this did not resolve the issue.
I had some more time to look into it tonight and
found out that TUF is the acronym for an update
framework called The Update
Framework. I assumed that this was being used by
Cabal, which reminded me that I should probably look
for issues in the Cabal issue tracker that might
reveal what's going on. After searching for
root.json in the Cabal issue tracker, I
found haskell/cabal#11095.
It looks like the key signatures were updated recently, as this was merged three days ago at 2025-07-25T17:20-0700. It might be the cause of the build failure for me, since my last successful build was two days ago on 2025-07-26T18:57:59-07:00. In addition, there was a comment posted about one hour ago pointing out that this would make Cabal versions 3.10 or earlier stop working, except for 3.10.3:
However yesterday I discovered that all versions of cabal-install < 3.10 stopped working. :-(
<repo>/root.json does not have enough signatures signed with the appropriate keysMost obvious example is current Ubuntu 24.04 LTS which still ships 3.8.
Sure enough, my GitHub actions config is still
using Cabal v3.10.1. I have no need to be on such an
old version, so I can update the config to the
newest versions that are recommended by
ghcup:
- name: Set up Haskell
uses: haskell-actions/setup@v2
id: setup
with:
ghc-version: '9.6.7'
cabal-version: '3.12.1.0'
cabal-update: true