The officially official Devuan Forum!


#26 2022-09-07 13:29:07

Ogis1975
Member
Registered: 2017-04-21
Posts: 307  
Website

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

ralph.ronnquist wrote:

@Ogis1975: So what's your purpose with that kind of post?

Please excuse my poor English. First of all, I wanted to ask why the persons responsible for maintaining the repository keys did not update them in time? Second of all, I wanted to ask about these people, i.e. the Devuan developers' approach to security. Is it normal that the people responsible for storing these keys have not updated them in time? Is it normal that these keys have to be manually downloaded and installed in a potentially dangerous way?

P.S.

I just want to reiterate that personally I have been using Debian for over ten years. I have NEVER had such or similar problems. Maybe Devuan developers should review their approach to security and not be so irresponsible? Personally, I'm about to migrate back to Debian land, since the Debian developers take security much more seriously.....

P.P.S

I don't want to offend anyone. This is just my opinion...

Last edited by Ogis1975 (2022-09-07 13:29:53)


What economists call over-production is but a production that is above the purchasing power of the worker, who is reduced to poverty by capital and state.
            ----+- Peter Kropotkin -+----

Offline

#27 2022-09-07 17:48:11

alexkemp
Member
Registered: 2018-05-14
Posts: 290  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

Ogis1975's is a reasonable question to ask.

If you get offended by the question then

  1. That is the response of a child, not of a grown adult

  2. No-one can ever then expect that you will take this matter seriously & responsibly

  3. The future then will be filled with an infinite repetition of these (and other) issues, with zero fix in sight

Now yes, of course, you also get idiotic responses from entitled fools that have zero respect for the continual efforts of unpaid volunteers on their behalf. Those people do not deserve any respect, but that does not mean that Ogis1975's question is not a reasonable one to ask.

Many thanks to Ralph for his continual efforts on Devuan's behalf. It is a new venture & I fully expect bumps along the road. As long as things continually improve I have few complaints & immense gratitude for the simple fact that it is available to the world & to me.

Offline

#28 2022-09-07 20:11:49

_ds_
Member
Registered: 2022-09-04
Posts: 2  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

Also, for those of us using apt-cacher-ng:

find /var/cache/apt-cacher-ng -name \*InRelease\* -delete

This may delete a little more than necessary, but it does the job.

Offline

#29 2022-09-07 23:21:33

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 1,106  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

alexkemp wrote:

Ogis1975's is a reasonable question to ask.

I disagree: it's a totally useless question.

Obviously there has been some kind of process failure when everyone in the whole community, including you and Ogis1975 as well as myself, failed to notice that the repository key was about to expire.

You don't have to ask about that. Rather you should ask yourself: "how can I help in the future?" and then act towards that.

Offline

#30 2022-09-08 07:52:30

xinomilo
Unknown
Registered: 2017-07-02
Posts: 315  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

a calendar thingy for anyone/@ll in devuan core team with access to the key, should be easy to do. (to save same trouble next year.)

ralph, users do not have access to gpg keys, nor do they sign packages with that key "everyday", nor do they run `apt-key list` everyday....
i think it's mostly up to the core team to just put some reminders on key/security processes.
yes, users can help, but you should not rely on others noticing in the first place for core/critical(imho), things.

2c.

Offline

#31 2022-09-08 08:53:56

Camtaf
Member
Registered: 2019-11-19
Posts: 408  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

@Ogis1975:

When Devuan has as many maintainers as Debian has, I would likely expect the same, but until then......

(These things happen.....some other software maintainers have been known to forget to renew keys too.)

EDIT: So glad this problem was sorted out so quickly, many thanks. smile

Last edited by Camtaf (2022-09-08 08:55:22)

Offline

#32 2022-09-08 11:55:23

Evenson
Member
Registered: 2022-09-08
Posts: 58  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

Hi, joined the forum just now and wanted to ask if maybe the keys should not have an expiry date or is this a security issue if they have no expiry?

Many thanks for the quick fix though.

Edit to add: I found this interesting Stack Exchange post about this, albeit a bit old.
https://security.stackexchange.com/questions/14718/does-openpgp-key-expiration-add-to-security/79386#79386

Last edited by Evenson (2022-09-08 12:07:01)


"A stop job is running..." - SystemD

Offline

#33 2022-09-08 15:12:04

Ogis1975
Member
Registered: 2017-04-21
Posts: 307  
Website

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

ralph.ronnquist wrote:
alexkemp wrote:

Ogis1975's is a reasonable question to ask.

I disagree: it's a totally useless question.

Yes, of course. You won't get far with that attitude. By the way, even distrowatch mentioned this key issue. Great promotion for this distro.

P.S.

I have already migrated my machines to Debian land.


What economists call over-production is but a production that is above the purchasing power of the worker, who is reduced to poverty by capital and state.
            ----+- Peter Kropotkin -+----

Offline

#34 2022-09-08 16:39:42

MiyoLinux
Member
Registered: 2016-12-05
Posts: 1,323  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

This is something that I take for granted...as I'm sure many others do.  tongue

If someone will tell me how to keep up with the renewal date(s), I will gladly accept that responsibility in order to help the project.  smile

I may be the creator of a Devuan respin, but I'm not ashamed to admit my lack of knowledge in certain areas. I'm always happy to learn something new.

Lay it on me baby! wink

Contact me here or by email.


I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.

Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned. wink

Offline
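
For the reminders xinomilo suggests in #30 and MiyoLinux asks about in #34, the expiry check can be scripted instead of kept in a calendar. This is an added example, not from any poster or from the Devuan project: it reads gpg's `--with-colons` listing and reports keys that have expired or will expire within a chosen window. The sample key IDs and dates are constructed.

```shell
#!/bin/sh
# Added example: list OpenPGP keys that have expired or expire soon.
# Input on stdin: gpg's machine-readable listing, e.g. from
#   gpg --show-keys --with-colons KEYRING_FILE
# Colon format: field 1 = record type, 5 = key ID,
# 7 = expiry in epoch seconds (empty when the key never expires).

# expiring_keys DAYS [NOW_EPOCH]
# Prints "KEYID STATUS DAYS_LEFT" for each pub/sub key inside the window.
expiring_keys() {
    days=$1
    now=${2:-$(date +%s)}
    awk -F: -v days="$days" -v now="$now" '
        ($1 == "pub" || $1 == "sub") && $7 ~ /^[0-9]+$/ {
            left = int(($7 - now) / 86400)
            if ($7 <= now)          print $5, "EXPIRED", left
            else if (left <= days)  print $5, "EXPIRING", left
        }'
}

# Constructed sample listing (key IDs and dates are made up).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:1662336000::-:::scSC::::::23::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000:1664928000::-:::scSC::::::23::0:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1500000000:1700000000:::::e::::::23:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1500000000:::-:::scSC::::::23::0:
EOF
}

# Evaluate the sample as of 2022-09-07 00:00:00 UTC with a 30-day window.
sample_listing | expiring_keys 30 1662508800
```

Run from cron with a window longer than the time a renewal takes to reach users, and treat any output as an alert.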

#35 2022-09-08 18:29:17

golinux
Administrator
Registered: 2016-11-25
Posts: 3,137  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

MiyoLinux wrote:

This is something that I take for granted...as I'm sure many others do.  tongue

If someone will tell me how to keep up with the renewal date(s), I will gladly accept that responsibility in order to help the project.  smile

I may be the creator of a Devuan respin, but I'm not ashamed to admit my lack of knowledge in certain areas. I'm always happy to learn something new.

Lay it on me baby! wink

Contact me here or by email.

Oh Miyo . . . you are one in a million!! Someone who understands the dynamics of what sustains "free software" and actually steps up  to DO something!!! You will be contacted shortly. Promise . . .

Offline

#36 2022-09-08 20:55:21

brocashelm
Member
Registered: 2020-06-29
Posts: 112  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

What Camtaf said. It's a small project that's run by a few volunteers, so I don't understand the need to escalate things, when there are some workarounds for this. Manually installing the updated DEB file worked for me.

Be like our friend MiyoLinux and offer to help out.

Offline

#37 2022-09-08 21:35:47

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 1,106  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

At https://ido.rrq.id.au/download there is an initial collection of trial installer ISOs that need to be tested in a range of settings.

Everyone here who doesn't devalue themselves with the label "just a Devuan user" should grab at least one of them and run it through a number of variations, and then report on it, maybe as an email to me. Refer to usecases.html for the primary use case division. VM trials as well as bare-metal trials are good.

EDIT: my alternate email is rrq at rrq dot id dot au

Offline

#38 2022-09-08 22:58:16

aitor
Member
From: basque country
Registered: 2016-12-03
Posts: 219  
Website

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

ralph.ronnquist wrote:

At https://ido.rrq.id.au/download there is an initial collection of trial installer ISOs that need to be tested in a range of settings.

Everyone here who doesn't devalue themselves with the label "just a Devuan user" should grab at least one of them and run it through a number of variations, and then report on it, maybe as an email to me. Refer to usecases.html for the primary use case division. VM trials as well as bare-metal trials are good.

EDIT: my alternate email is rrq at rrq dot id dot au

Thanks for your work, Ralph


If you work systematically, things will come by itself (Lev D. Landau)

Offline

#39 2022-09-11 20:32:49

dave
Member
Registered: 2020-09-28
Posts: 12  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

An update on this key problem:  It seems to have been fixed.  [ Sometime after 9/9 ] 

Without changing anything or manually doing a key import, my apt-get update & upgrade procs now work as designed.

I wasn't really looking forward to a manual intervention on my dozen or so systems.  Some of which are sometimes difficult to reach. :-(

So: Many thanks to whomever got the archive signed.  I'm guessing here, but probably with an old but unexpired key... ??

But it works.

Thanx.

Offline

#40 2022-09-11 23:08:01

guuml.dev1
Member
Registered: 2018-12-09
Posts: 21  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

Sorry for being late to the party at So 11 Sep 2022 21:44:59 CEST,
date +%c, you know?

Last Sunday noon, aka So 04 Sep 12:00, my usual workflow (as root) was disrupted by an EXPKEYSIG error: WTF? Network error caused by provider? No. – DNS problem? No. – What is going on? This looks like a serious problem to my local machine and has to be fixed NOW!
 
Wait, eight days later, I want to make a long story short. Since my 1st beginning with Linux kernels and GNU software on rpm based machines I know a true zen say:

Security is a matter of trust.

Once upon a time an "update" process "distrust his master voice" and therefore ignored my well-chosen configuration. I lost data, and recovering from this accident took some time. The change to the debian packaging system, a change of distribution, was one of the consequences. And the step from debian/jessie to devuan/jessie some years later wasn't that difficult to continue the way with GNU/Linux. Back to the failing apt update (as root;)

I'm not a C-programmer and I have only a vague understanding of so-called elliptic curves "internet security", but last week there was an urgent need for me to find something like a Devuan Cryptographic Key. But where? And HOW TO know that this is the right key?

Thanks to ralph.ronnquist I've found two answers. (There has always to be an alternative to init freedom;-) The 1st alternative is "allow-unauthenticated" and/or "allow-insecure-repositories". Does not sound trustworthy, really? The second way looks better to me:

  • As a "normal user" with UID>=1000 download the new key to a directory of your choice:

    wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb

    Note: Meanwhile https://www.devuan.org/os/keyring states

    apt-get install devuan-keyring

    but I tend to disagree: wget does one thing, download one file, but apt installing one file may affect other packages.

  • Verify the checksum on your own, that's to say:

    sha256sum ./devuan-keyring_2022.09.04_all.deb

    has an output of

    96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d  ./devuan-keyring_2022.09.04_all.deb

    Make sure that's ok!

  • Now inject this proved file to your system:

    # dpkg -i ./devuan-keyring_2022.09.04_all.deb

    Note: sudo wants the user's password, but I prefer a real root shell.

  • Then update the package information:

    # apt update

Summary:

As far as I can trust myself;-) I have copied that proved deb-file to a USB stick. Using this file with dpkg -i just before any apt update works on every devuan/jessie 'til chimaera I can reach! AND it keeps my last DVD alive: Around Easter 2022 I burned that raw DVD with chimaera to check diskless hardware without internet connection. Updating the keyring is just a small step just before getting another host up and running.

last but not least:

apt-cache policy devuan-keyring
devuan-keyring:
  Installiert:           2022.09.04
  Installationskandidat: 2022.09.04
  Versionstabelle:
*** 2022.09.04 500
        500 http://deb.devuan.org/merged chimaera/main amd64 Packages
        100 /var/lib/dpkg/status

apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

man apt-key
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

Thanks for all your work and a better new week.


guuml is an abbreviation for gü in ASCII (1967),
focused on devuan and skipping epic poems like beowulf.
Has Gü spent his last raw DVD to a chimäre? No.

Offline
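
The download, verify, install sequence in #40 can be wrapped so that the install step cannot run on a mismatched file. This is an added example, not guuml.dev1's or the Devuan project's code; because the .deb in that post is fetched over plain http, the digest only adds assurance when it is obtained from a source independent of the download. The function names and the demo file are assumptions made here.

```shell
#!/bin/sh
# Added example: refuse to install a downloaded package unless its SHA-256
# matches a digest obtained out of band.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case $expected in
        *[!0-9a-f]*|'') echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Hash via stdin so odd file names cannot alter sha256sum's output format.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH for $file: got $actual" >&2
    return 1
}

# install_if_verified FILE EXPECTED_HEX
# Dry run: prints the install command instead of executing it.
install_if_verified() {
    verify_sha256 "$1" "$2" || return $?
    echo "dpkg -i $1"
}

# With the file and digest quoted in the post, the call would be:
#   install_if_verified ./devuan-keyring_2022.09.04_all.deb \
#     96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d

# Constructed demo: a temp file holding "abc" (standard SHA-256 test vector).
demo=$(mktemp) && printf 'abc' > "$demo"
install_if_verified "$demo" \
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
rm -f "$demo"
```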

#41 2022-09-12 15:30:23

dave
Member
Registered: 2020-09-28
Posts: 12  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

@guuml.dev1 :  You were probably composing your note and didn't see my previous post #39 at 16:32:49 ...

It looks like whomever is in charge of the archive keys managed to get them re-signed with a valid signature.

So suddenly, apt/apt-get updates just started working (magically) again with no need for a manual intervention.

Now: It Just Works.  [tm]

[ On my systems which are running chimaera and beowulf. ]

Last edited by dave (2022-09-12 15:38:25)

Offline

#42 2022-09-19 15:30:21

joril
Member
From: Italy
Registered: 2017-04-15
Posts: 44  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

ralph.ronnquist wrote:

At https://ido.rrq.id.au/download there is an initial collection of trial installer ISOs that need to be tested in a range of settings.

Hi Ralph,
there are no files at https://ido.rrq.id.au/download anymore, is the test period over?
Thanks for your time!

Offline

#43 2022-09-20 10:17:46

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 1,106  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

As the key issue was fixed without needing ISO remake, the trial remakes were removed.

Offline

#44 2022-09-20 11:32:10

joril
Member
From: Italy
Registered: 2017-04-15
Posts: 44  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

I see... Great, thanks!

Offline
