S3 repository: Key out of date

Question

S3 repository: Key out of date

ERnsTL opened this issue 9 months ago · comments

Greetings, according to the installation instructions, the key should be downloaded this way, but I get a key with ID 5898470A764B32C9:

gpg --fetch-keys https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt
gpg: fordere Schlüssel von https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt an
gpg: Schlüssel 5898470A764B32C9: "deb.h-ic.eu" nicht geändert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:              unverändert: 1

And then adding the repository, so far so good, but the repository deb files are signed with another key: BC1BF63BD10B8F1A.

Fehl:5 http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb debian InRelease
  Die folgenden Signaturen konnten nicht überprüft werden, weil ihr öffentlicher Schlüssel nicht verfügbar ist: NO_PUBKEY BC1BF63BD10B8F1A

Signatures could not be verified because the public key is not available.

Possible situations:

Forged package files on S3? Forged key.txt file on S3?
Or the key.txt file has to be updated to match the currently used one to sign the deb packages: https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt

Rawda Fawzy · Answer 1 · Sun Oct 29 2023 21:53:40 GMT+0800 (China Standard Time)

I faced the same issue 👍🏻

ERnsTL · Answer 2 · Sun Nov 12 2023 16:10:53 GMT+0800 (China Standard Time)

@neilalexander Hi Neal, this looks like a security-relevant issue and hinders installation via apt repository, could you please take a look at it, permitting time available?

Neil · Answer 3 · Mon Nov 13 2023 18:44:05 GMT+0800 (China Standard Time)

Apologies that it's taken me a while to look at this, I've been unwell for a few days. I was scratching my head wondering what had changed until I realised that it's not the signing key that's at fault — it's the instructions on the website that are wrong.

They state to export key 5898470A764B32C9, which is the master key, instead of BC1BF63BD10B8F1A which is the signing subkey. One of my machines seems to be fine with this, the other one reports NO_PUBKEY, so I wonder if something has changed with how Apt or GPG handles this case.

Either way, I'll fix the instructions to export the correct key ID.

Neil · Answer 4 · Mon Nov 13 2023 18:46:12 GMT+0800 (China Standard Time)

Updated instructions now live: https://yggdrasil-network.github.io/installation-linux-deb.html

ERnsTL · Answer 5 · Wed Nov 15 2023 03:03:28 GMT+0800 (China Standard Time)

Many thanks @neilalexander !
New instructions worked perfectly.