S3 repository: Key out of date
ERnsTL opened this issue
Greetings, according to the installation instructions, the key should be downloaded this way, but I get a key with ID 5898470A764B32C9:
gpg --fetch-keys https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt
gpg: fordere Schlüssel von https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt an
gpg: Schlüssel 5898470A764B32C9: "deb.h-ic.eu" nicht geändert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: unverändert: 1
And then adding the repository, so far so good, but the repository deb files are signed with another key: BC1BF63BD10B8F1A.
Fehl:5 http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb debian InRelease
Die folgenden Signaturen konnten nicht überprüft werden, weil ihr öffentlicher Schlüssel nicht verfügbar ist: NO_PUBKEY BC1BF63BD10B8F1A
Signatures could not be verified because the public key is not available.
Possible situations:
- Forged package files on S3? Forged key.txt file on S3?
- Or the key.txt file has to be updated to match the currently used one to sign the deb packages: https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt
I faced the same issue 👍🏻
@neilalexander Hi Neil, this looks like a security-relevant issue and hinders installation via apt repository, could you please take a look at it, permitting time available?
Apologies that it's taken me a while to look at this, I've been unwell for a few days. I was scratching my head wondering what had changed until I realised that it's not the signing key that's at fault — it's the instructions on the website that are wrong.
They state to export key 5898470A764B32C9, which is the master key, instead of BC1BF63BD10B8F1A which is the signing subkey. One of my machines seems to be fine with this, the other one reports NO_PUBKEY, so I wonder if something has changed with how Apt or GPG handles this case.
Either way, I'll fix the instructions to export the correct key ID.
Updated instructions now live: https://yggdrasil-network.github.io/installation-linux-deb.html
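Added example (not part of the thread or of the project's instructions): a small shell check that tells a NO_PUBKEY ID that is a signing subkey of the fetched master key apart from one that is not in the key file at all, by parsing `gpg --with-colons` output. The two key IDs and the user ID come from the thread; the function names and every other field in the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a key ID against `gpg --with-colons` output.
# Colon format: field 1 = record type, field 5 = 64-bit key ID,
# field 12 = capabilities (lowercase s = this key can sign, c = certify;
# uppercase letters on a pub record describe the key as a whole).

# Constructed listing: key IDs and user ID are from the thread; key size,
# algorithm, dates and capability letters are made-up placeholders.
sample_listing() {
cat <<'EOF'
pub:-:4096:1:5898470A764B32C9:1500000000:::-:::cSC:
uid:-::::1500000000::::deb.h-ic.eu:
sub:-:4096:1:BC1BF63BD10B8F1A:1500000000::::::s:
EOF
}

# locate_key_id ID   (colon listing on stdin)
# Prints "primary <id> caps=<c>", "subkey <id> of <primary> caps=<c>",
# or "absent <id>".
locate_key_id() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { primary = toupper($5) }
        ($1 == "pub" || $1 == "sub") && toupper($5) == want {
            if ($1 == "pub") printf "primary %s caps=%s\n", want, $12
            else printf "subkey %s of %s caps=%s\n", want, primary, $12
            found = 1
            exit
        }
        END { if (!found) printf "absent %s\n", want }
    '
}

# signer_covered ID   (colon listing on stdin)
# Exit 0 only if ID is present in the listing and that key itself can sign.
signer_covered() {
    case $(locate_key_id "$1") in
        absent*)    return 1 ;;
        *caps=*s*)  return 0 ;;
        *)          return 1 ;;
    esac
}

# Stand-alone demo on the constructed listing.
sample_listing | locate_key_id BC1BF63BD10B8F1A
```

On a real system the listing would come from something like `gpg --show-keys --with-colons key.txt`, with the ID taken from apt's NO_PUBKEY message; an "absent" result means the downloaded file does not contain the key that signed the repository at all.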
Many thanks @neilalexander !
New instructions worked perfectly.