Can't verify rpm.
Oscar-21 opened this issue
Issue tracker is ONLY used for reporting bugs with technical details. "It doesn't work" or new features should be discussed with our customer support. Please use bug report function in Bridge or contact bridge@protonmail.ch.
Can not install the latest rpm file.
Expected Behavior
sudo rpm --import bridge_pubkey.gpg
rpm --checksig protonmail-bridge-3.9.1-1.x86_64.rpm
protonmail-bridge-3.9.1-1.x86_64.rpm: digests signatures OK
Current Behavior
sudo rpm --import bridge_pubkey.gpg
rpm --checksig protonmail-bridge-3.9.1-1.x86_64.rpm
AG (ProtonMail Bridge developers) <bridge@protonmail.ch>):
1. Certificiate E2C75D68E6234B07 invalid: certificate is not alive
because: The primary key is not live
because: Expired on 2024-02-02T13:40:50Z
2. Key E2C75D68E6234B07 invalid: key is not alive
because: The primary key is not live
because: Expired on 2024-02-02T13:40:50Z
digests SIGNATURES NOT OK
gpg key is not valid for current rpm
Steps to Reproduce
- download latest rpm
- download key here, mentioned here https://proton.me/support/install-bridge-linux-rpm-file
  same result if download key here in github release page
- sudo rpm --import bridge_pubkey.gpg
- rpm --checksig protonmail-bridge-3.9.1-1.x86_64.rpm
When using the sig file to try and verify the pub key (both downloaded from github)
gpg --verify bridge_pubkey.gpg.sig bridge_pubkey.gpg
gpg: Signature made Mon 05 Feb 2024 06:12:15 AM EST
gpg: using RSA key D51E64D3E63EDC3EEF7864CEE2C75D68E6234B07
gpg: Can't check signature: No public key
Version Information
3.9.1-1
We have recently updated our installer signing key. Is it possible you still have the old key in your system?
See this #460 for instructions on how to remove old keys.
Chiming in here. A similar (the same?) issue with the .deb file for 3.10.0. However the issue appears to be that the release was signed with an expired key:
$ gpg --verify protonmail-bridge_3.10.0-1_amd64.deb.sig
gpg: assuming signed data in 'protonmail-bridge_3.10.0-1_amd64.deb'
gpg: Signature made Wed 06 Mar 2024 13:59:07 EAT
gpg: using RSA key D51E64D3E63EDC3EEF7864CEE2C75D68E6234B07
gpg: Good signature from "Proton Technologies AG (ProtonMail Bridge developers) <bridge@protonmail.ch>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: D51E 64D3 E63E DC3E EF78 64CE E2C7 5D68 E623 4B07
@LBeernaertProton thanks, that worked. ChatGPT and I were under the assumption that an rpm import would overwrite the previous key but it seems I put too much faith in AI!
After I ran the fix you shared I checked the docs for rpm import out of curiosity, they are in a manpage named rpmkeys (at least on Fedora) and they don't provide any docs for the --import other than how to use the option, they do leave a hint though in the docs for the -qi option where they note that "you can remove keys after adding 'like files'".
Maybe they can update the article to show the removal instruction for people who had previously installed the keys and are ignorant of this process like I was? Article for installing rpm is here: https://proton.me/support/install-bridge-linux-rpm-file?
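The cleanup discussed in this thread, as an added shell example that is not from the thread or from Proton: on rpm versions that store each imported key as a `gpg-pubkey-<version>-<release>` pseudo-package (an assumption here), the version is the last 8 hex digits of the key ID, so the previously imported copy can be located from the fingerprint that gpg prints. The function names and the sample listing, including its release fields, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the classic rpm keyring layout:
# each imported key is a pseudo-package gpg-pubkey-<version>-<release>, where
# <version> is the last 8 hex digits of the key ID in lowercase.

# Constructed listing in the format printed by `rpm -q gpg-pubkey`.
# The release fields and the second key are made up for illustration.
SAMPLE_KEYRING='gpg-pubkey-e6234b07-5c3dc5a0
gpg-pubkey-a15b79cc-63d04c2c'

# stale_pubkey_pkgs FINGERPRINT
# Reads gpg-pubkey package names on stdin and prints those that belong to
# the key with the given fingerprint or key ID (spaces and case are ignored).
stale_pubkey_pkgs() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f')
    case "$fpr" in
        ''|*[!0-9a-f]*) echo "not a hex fingerprint: $1" >&2; return 2 ;;
    esac
    [ "${#fpr}" -ge 8 ] || { echo "fingerprint too short: $1" >&2; return 2; }
    short=$(printf '%s' "$fpr" | tail -c 8)
    # No match is not an error: the key may simply never have been imported.
    grep -Ex "gpg-pubkey-${short}-[0-9a-f]+" || true
}

# refresh_rpm_key FINGERPRINT KEYFILE
# Erases every keyring entry for that key, then imports the current key file.
# Needs rpm and root; it is only defined here, never called by this script.
refresh_rpm_key() {
    pkgs=$(rpm -q gpg-pubkey | stale_pubkey_pkgs "$1") || return
    for p in $pkgs; do
        sudo rpm -e "$p" || return
    done
    sudo rpm --import "$2"
}

# Demo on the constructed listing, using the fingerprint gpg printed above.
printf '%s\n' "$SAMPLE_KEYRING" |
    stale_pubkey_pkgs "D51E 64D3 E63E DC3E EF78 64CE E2C7 5D68 E623 4B07"
```

After `refresh_rpm_key` has run on a real system, rerun `rpm --checksig` on the downloaded package to confirm the signature now verifies.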
@zwets the link @LBeernaertProton shared worked for me.
Thanks @Oscar-21. That link has info specific to RPM, so the issue with the deb is different. I will lift it to a new issue, so this one can be closed.
@Oscar-21 thanks for pointing this out to us. We will update the article as soon as possible.
We will close the ticket once this is completed.
Hey @Oscar-21, we've updated the article. I'll close the ticket.