The officially official Devuan Forum!

You are not logged in.

#1 2022-09-03 18:02:19

prizm02
Member
Registered: 2022-09-03
Posts: 5  

[SOLVED] Invalid Signatures

Hello fellow Devuaners

I a new to Devuan, but not new to linux or Debian,  I installed Chimeara a month ago and have had no problems until I tried to update today.

Apt reported the following error

Get:1 http://deb.devuan.org/merged chimaera InRelease [33.9 kB]
Get:2 http://deb.devuan.org/merged chimaera-updates InRelease [26.5 kB]
Err:1 http://deb.devuan.org/merged chimaera InRelease
  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
Get:3 http://deb.devuan.org/merged chimaera-security InRelease [26.5 kB]
Err:2 http://deb.devuan.org/merged chimaera-updates InRelease
  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
Err:3 http://deb.devuan.org/merged chimaera-security InRelease
  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
Fetched 86.9 kB in 3s (25.5 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.devuan.org/merged chimaera InRelease: The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.devuan.org/merged chimaera-updates InRelease: The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.devuan.org/merged chimaera-security InRelease: The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Failed to fetch http://deb.devuan.org/merged/dists/chimaera/InRelease  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Failed to fetch http://deb.devuan.org/merged/dists/chimaera-updates/InRelease  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Failed to fetch http://deb.devuan.org/merged/dists/chimaera-security/InRelease  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Some index files failed to download. They have been ignored, or old ones used instead

It is asking for updated GPG key ?

dpkg -i devuan-keyring_2022.09.04_all.deb

Sorry I Did not read the solved posts

Last edited by prizm02 (2022-09-03 18:36:06)

Offline

#2 2022-09-03 18:36:17

brocashelm
Member
Registered: 2020-06-29
Posts: 96  

Re: [SOLVED] Invalid Signatures

devuan-keyring has already been updated in the repository. This command was provided by Bb|hcb in the IRC channel:
apt update --allow-insecure-repositories && apt install devuan-keyring --allow-unauthenticated

Last edited by brocashelm (2022-09-03 19:09:39)


"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." - Benjamin Franklin

"In a time of universal deceit, telling the truth is a revolutionary act." - George Orwell

Offline

#3 2022-09-03 23:12:56

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 730  

Re: [SOLVED] Invalid Signatures

Note that the full hands-on may also require that the old local InRelease file for the distribution is removed manually, so the sequence of command would thus be (eg for chimaera):

  • # rm /var/lib/apt/lists/deb.devuan.org_merged_dists_chimaera_InRelease

  • # apt-get update --allow-unauthenticated --allow-insecure-repositories

  • # apt-get install devuan-keyring --allow-unauthenticated

Alternatively: Anyone uncomfortable with those command line options should rather download the new keyring directly, eg

Alternatively: if you have your own method that works, then that is fine too.

Offline

#4 2022-09-07 04:44:44

greenant
Member
Registered: 2022-05-04
Posts: 4  

Re: [SOLVED] Invalid Signatures

p.s. this worked for me on beowulf:

id=BB23C00C61FC752C
gpg --keyserver keyserver.ubuntu.com --recv-keys ${id} 
gpg --export ${id} | apt-key add -
apt update

Offline

#5 2022-09-07 05:43:45

narad-dev
Member
Registered: 2022-09-07
Posts: 2  

Re: [SOLVED] Invalid Signatures

The instructions above did not work fpr Daedalus.
How to fix the issue on Daedalus?

Many thanks in advance for your help.

Last edited by narad-dev (2022-09-07 05:44:06)

Offline

#6 2022-09-07 06:27:47

rolfie
Member
Registered: 2017-11-25
Posts: 673  

Re: [SOLVED] Invalid Signatures

The wget-method works on Daedalus. Attention: expand the path completely.

Online

#7 2022-09-07 14:41:25

narad-dev
Member
Registered: 2022-09-07
Posts: 2  

Re: [SOLVED] Invalid Signatures

No, wget as listed above does not work, because there is no http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb, there only is a http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring-udeb_2022.09.04_all.udeb.
This udeb cannot bei installed with dpkg -i because it would overwrite »/usr/share/keyrings/devuan-archive-keyring.gpg« which is part of packagdevuan-keyring 2017.10.03 .

Solution: download udeb file, purge old devuan keyring, then dpkg -i devuan-keyring-udeb_2022.09.04_all.udeb works.

Offline

#8 2022-09-07 15:31:50

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,131  

Re: [SOLVED] Invalid Signatures

narad-dev wrote:

No, wget as listed above does not work, because there is no http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb,

You must have hit a mirror that wasn't fully updated. If you pick one from the mirror list, you can go to the same directory and find the .deb package.
https://pkgmaster.devuan.org/mirror_list.txt

Offline

#9 2022-09-07 17:42:14

rolfie
Member
Registered: 2017-11-25
Posts: 673  

Re: [SOLVED] Invalid Signatures

narad-dev wrote:

No, wget as listed above does not work, because there is no http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb, there only is a http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring-udeb_2022.09.04_all.udeb.

Did the upgrade twice on two of my Daedalus VMs using the wget method, worked out fine with the devuan-keyring_2022.09.04_all.deb package, no udeb required.

Online

#10 2022-09-08 17:38:28

linuxuser
Member
Registered: 2022-09-08
Posts: 4  

Re: [SOLVED] Invalid Signatures

Hi all,

Tried to install Beowulf networkinstall today.

Could not install, because ISO Image was not updated with the correct signature.

Checked the repos, chimaera installer-iso's are also not updated with the right signature.

Any idea who to contact for this ?

Best regards.

EDIT

Found another post with a possible temporay solution,

https://dev1galaxy.org/viewtopic.php?id=5211

ISO images have to be fixed, though

Last edited by linuxuser (2022-09-08 18:09:46)

Offline

#11 2022-09-08 23:39:59

aitor
Member
From: basque country
Registered: 2016-12-03
Posts: 117  
Website

Re: [SOLVED] Invalid Signatures

linuxuser wrote:

ISO images have to be fixed, though

Quoting Ralph Ronnquist, there is an initial collection of trial installer ISOs that need to be tested in a range of settings at:

https://ido.rrq.id.au/download/


If you work systematically, things will come by itself (Lev D. Landau)

Offline

#12 2022-09-09 08:35:30

linuxuser
Member
Registered: 2022-09-08
Posts: 4  

Re: [SOLVED] Invalid Signatures

aitor wrote:
linuxuser wrote:

ISO images have to be fixed, though

Quoting Ralph Ronnquist, there is an initial collection of trial installer ISOs that need to be tested in a range of settings at:

https://ido.rrq.id.au/download/

Hi, thanks for your reply

I was able to install by installing the key package, like Morgennebel mentioned.

So what's the problem here ?

Replacing the key works just fine (and should be done), so what has to be tested ?
I don't see it.

BTW I'm all for testing software before releasing.
But right now the installer images don't work at all, and the fix seeems quite straightforward to me.

Regards.

Offline

#13 2022-09-09 09:20:38

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 730  

Re: [SOLVED] Invalid Signatures

BTW I'm all for testing software before releasing.
But right now the installer images don't work at all, and the fix seems quite straightforward to me.

Great. Welcome on board!
I'm probably doing things wrong yes, and need to retire.
We can rely on you taking over this?

Just in parenthesis: all the installers do still work fine as long as you avoid network mirror backing during installation. It of course means that you'll end up with a rather minimal system, but it's still one where you can use the manual patching (wget + dpkg) before using the network mirroring/access the first time.

Offline

#14 2022-09-09 09:54:17

linuxuser
Member
Registered: 2022-09-08
Posts: 4  

Re: [SOLVED] Invalid Signatures

ralph.ronnquist wrote:

BTW I'm all for testing software before releasing.
But right now the installer images don't work at all, and the fix seems quite straightforward to me.

Great. Welcome on board!
I'm probably doing things wrong yes, and need to retire.
We can rely on you taking over this?

Just in parenthesis: all the installers do still work fine as long as you avoid network mirror backing during installation. It of course means that you'll end up with a rather minimal system, but it's still one where you can use the manual patching (wget + dpkg) before using the network mirroring/access the first time.

Wow, hold your horses, Ralph, no offense meant ;-)
I have used Devuan without problems for a few years now, and see no reason for you to retire ;-)

Do I understand right, are you the only person supporting the installation part of Devuan ?
I don't know the Devuan community (yet) so please help me out here.

And I guess people who use network installers in expert mode should be able to manage for now.

When do you plan to have the updated install ISO's available ?

Regards.

Offline

#15 2022-09-09 10:19:29

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 730  

Re: [SOLVED] Invalid Signatures

No worries. I didn't think I took offense, but hmm maybe I did. But it is true that I do need to retire off Devuan and that new and more people need to step up and in; not necessarily you of course.

The installer ISOs are built using https://git.devuan.org/devuan/installer-iso.git which has been streamlined into an almost push-button state by now. But, whenever an ISO is built, it relies on the state of the repository at that particular time and it's always possible for some update inconsistency to slip in. It is therefore I think the installer ISOs typically need a broader testing than a single person running through it once.

Offline

#16 2022-09-09 10:50:47

linuxuser
Member
Registered: 2022-09-08
Posts: 4  

Re: [SOLVED] Invalid Signatures

I understand.

Good to see that Devuan is hosting it's own git, by the way.

Regards.

Offline

Board footer