The officially official Devuan Forum!


#1 2022-09-04 01:01:26

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 731  

[SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

At 2022-09-04, the devuan repository key BB23C00C61FC752C updated at 2017 expired, which has led to difficulties for many users. The key has been corrected in the repository by expanding the validity period, and a new version of devuan-keyring, version 2022.09.04, is available.

It is only slightly complicated for an end user to get that new version installed given that their currently installed key version has expired. My proposed hands-on is as follows:

First alternative: this method removes the old local InRelease file for the distribution manually, and then installs the new devuan-keyring with "lowered apt security barriers". The sequence of commands is (example for chimaera; change appropriately for beowulf and ascii):

  1. # rm /var/lib/apt/lists/deb.devuan.org_merged_dists_chimaera_InRelease

  2. # apt-get update --allow-unauthenticated --allow-insecure-repositories

  3. # apt-get install devuan-keyring --allow-unauthenticated

Second alternative: Anyone uncomfortable with those command line options should rather download the new keyring directly, eg

  1. # wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb

  2. # sha256sum devuan-keyring_2022.09.04_all.deb
     96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d

  3. # dpkg -i devuan-keyring_2022.09.04_all.deb

Further alternatives: if you have your own method that works, then that is fine too.

When the new devuan-keyring has been installed the apt system is operated as per usual.

Offline

#2 2022-09-04 09:12:59

JesterOfSorts
Member
Registered: 2022-09-04
Posts: 2  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

I'm generating a sha256sum of:

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

not the one you posted... Please recheck, thank you.

*** UPDATED POST ***

** There is a hyperlink here... If you use that, you get the above, since the complete url was truncated, one could not simply copy the wget *FILE_LOCATION/FILENAME*

wget generated the correct sum, but it would be better to give users here something verbatim. . .


wget deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb

Last edited by JesterOfSorts (2022-09-04 09:19:25)

Offline

#3 2022-09-04 09:26:44

rolfie
Member
Registered: 2017-11-25
Posts: 673  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

I am getting exactly 96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d  on my download checked with gtkhash.

Would suggest you download again and recheck.

Edith: saw that the address given was a link and used right click - copy link address in FF.

Last edited by rolfie (2022-09-04 09:30:09)

Offline

#4 2022-09-04 11:06:05

DandyKenguru
Member
Registered: 2022-09-04
Posts: 10  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

Considering the situation are you going to soon release the updated ISO in which this problem will be fixed?

Offline

#5 2022-09-04 11:18:56

_ds_
Member
Registered: 2022-09-04
Posts: 2  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

2nd alternative, step 2:

sha256sum -c <<'END'
96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d *devuan-keyring_2022.09.04_all.deb
END

No output hash to compare manually this way.

Offline
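An added example, not part of any post in this thread: a gate for step 2 of the second alternative that refuses to continue on a bad download. The digest reported in post #2 (e3b0c442...) is the SHA-256 of zero bytes of input, so the function reports that case separately; the function name `check_download` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check a manually downloaded .deb against its published SHA-256.

# SHA-256 of zero bytes of input; seeing it means nothing was actually saved.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# check_download FILE EXPECTED_SHA256   (hypothetical helper)
# Returns 0 = digest matches, 1 = digest differs, 2 = file missing or empty.
check_download() {
    file=$1
    # Accept the expected digest in either letter case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    if [ ! -f "$file" ]; then
        echo "$file: no such file" >&2
        return 2
    fi

    actual=$(sha256sum "$file" | cut -d' ' -f1)

    if [ "$actual" = "$EMPTY_SHA256" ]; then
        echo "$file: empty file, the download did not fetch the package" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "$file: got $actual" >&2
        echo "$file: expected $expected" >&2
        return 1
    fi
    return 0
}

# Usage with the values from the first post (run as root):
#   check_download devuan-keyring_2022.09.04_all.deb \
#     96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d \
#     && dpkg -i devuan-keyring_2022.09.04_all.deb
```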

#6 2022-09-04 12:27:16

JesterOfSorts
Member
Registered: 2022-09-04
Posts: 2  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

rolfie wrote:

I am getting exactly 96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d  on my download checked with gtkhash.

Would suggest you download again and recheck.

Edith: saw that the address given was a link and used right click - copy link address in FF.

I've never had an issue with right-click save as before today. Could it be the current FF in daedalus?

right-click save as will give me a totally different file and throws a security warning that the download is not safe...

When i right-click copy address, and paste it downloads the correct file/checksum...

Offline

#7 2022-09-04 12:53:33

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 731  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

DandyKenguru wrote:

Considering the situation are you going to soon release the updated ISO in which this problem will be fixed?

Yes, it would be an excellent contribution to the Devuan project to refresh any of the various installer ISOs for this.

Offline

#8 2022-09-04 15:30:04

soohwa
Member
Registered: 2017-08-21
Posts: 10  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

ralph.ronnquist wrote:
DandyKenguru wrote:

Considering the situation are you going to soon release the updated ISO in which this problem will be fixed?

Yes, it would be an excellent contribution to the Devuan project to refresh any of the various installer ISOs for this.

How can this be accomplished locally?

Offline

#9 2022-09-04 22:21:45

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 731  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

The first step would be to determine which, if any, installation use case(s) need attention.

Offline

#10 2022-09-05 09:44:36

amaro
Member
Registered: 2022-02-08
Posts: 61  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

this warning about package authentication is kind of annoying and pops up for every 'install' command

WARNING: The following packages cannot be authenticated!
  chromium chromium-common libfreetype6 libjsoncpp25 libffi8
  libwayland-client0
Install these packages without verification? [y/N]

any chance of getting around it?

Offline

#11 2022-09-05 12:58:59

MiyoLinux
Member
Registered: 2016-12-05
Posts: 1,228  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

ralph.ronnquist wrote:

At 2022-09-04, the devuan repository key BB23C00C61FC752C updated at 2017 expired, which has led to difficulties for many users. The key has been corrected in the repository by expanding the validity period, and a new version of devuan-keyring, version 2022.09.04, is available..

Thanks Ralph!

...oh...wait. You're "Down Under", so let me fix that...

¡ɥdlɐɹ sʞuɐɥʇ

tongue

LOLOLOLOLOL!

Seriously though...I thank you, and it's much appreciated! Take care!


I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.

Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned. wink

Offline

#12 2022-09-05 13:18:53

Camtaf
Member
Registered: 2019-11-19
Posts: 215  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

amaro wrote:

this warning about package authentication is kind of annoying and pops up for every 'install' command

any chance of getting around it?

As  said above should fix it...

 

  # wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb

  # dpkg -i devuan-keyring_2022.09.04_all.deb

...& don't forget to

sudo apt-get update

Before trying to install programs.

Last edited by Camtaf (2022-09-05 13:21:28)

Offline

#13 2022-09-05 14:06:58

amaro
Member
Registered: 2022-02-08
Posts: 61  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

well, is it possible that the alternatives are not quite the same?
after

apt update --allow-insecure-repositories && apt install devuan-keyring --allow-unauthenticated

executed yesterday morning
here the warnings are very active

The following NEW packages will be installed:
  freeglut3 libgumbo1 libmujs2 libssl3 mupdf
0 upgraded, 5 newly installed, 0 to remove and 1217 not upgraded.
Need to get 43.9 MB of archives.
After this operation, 79.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
WARNING: The following packages cannot be authenticated!
  freeglut3 libgumbo1 libmujs2 libssl3 mupdf
Install these packages without verification? [y/N]

Last edited by amaro (2022-09-05 14:09:51)

Offline

#14 2022-09-05 14:20:14

MiyoLinux
Member
Registered: 2016-12-05
Posts: 1,228  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

I would suggest using the 2nd alternative (using Ralphe's suggestion) using wget....but that's just me.

...to each, his own.



Offline

#15 2022-09-05 16:56:57

amaro
Member
Registered: 2022-02-08
Posts: 61  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

obviously, to paraphrase Orwell, 'All alternatives are effective, but some are more effective than others.'
the 2nd one really made a difference

# apt install cmus
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  libjsoncpp24
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  cmus-plugin-ffmpeg libcddb2 libdiscid0
Suggested packages:
  libroar2
The following NEW packages will be installed:
  cmus cmus-plugin-ffmpeg libcddb2 libdiscid0
0 upgraded, 4 newly installed, 0 to remove and 1216 not upgraded.
Need to get 346 kB of archives.
After this operation, 1,080 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://devuan.ipacct.com/devuan/merged daedalus/main i386 libcddb2 i386 1.3.2-7 [51.5 kB]
Get:2 http://devuan.ipacct.com/devuan/merged daedalus/main i386 libdiscid0 i386 0.6.2-3 [15.5 kB]
Get:3 http://devuan.ipacct.com/devuan/merged daedalus/main i386 cmus i386 2.10.0-2 [266 kB]
Get:4 http://devuan.ipacct.com/devuan/merged daedalus/main i386 cmus-plugin-ffmpeg i386 2.10.0-2 [13.8 kB]
Fetched 346 kB in 3s (138 kB/s)               
Selecting previously unselected package libcddb2.
(Reading database ... 135362 files and directories currently installed.)
Preparing to unpack .../libcddb2_1.3.2-7_i386.deb ...
Unpacking libcddb2 (1.3.2-7) ...
Selecting previously unselected package libdiscid0:i386.
Preparing to unpack .../libdiscid0_0.6.2-3_i386.deb ...
Unpacking libdiscid0:i386 (0.6.2-3) ...
Selecting previously unselected package cmus.
Preparing to unpack .../cmus_2.10.0-2_i386.deb ...
Unpacking cmus (2.10.0-2) ...
Selecting previously unselected package cmus-plugin-ffmpeg.
Preparing to unpack .../cmus-plugin-ffmpeg_2.10.0-2_i386.deb ...
Unpacking cmus-plugin-ffmpeg (2.10.0-2) ...
Setting up libcddb2 (1.3.2-7) ...
Setting up libdiscid0:i386 (0.6.2-3) ...
Setting up cmus (2.10.0-2) ...
Setting up cmus-plugin-ffmpeg (2.10.0-2) ...
Processing triggers for man-db (2.10.2-2) ...
Processing triggers for libc-bin (2.34-7) ...

thank you, MiyoLinux!

Offline

#16 2022-09-05 20:44:19

mobin2008
Member
Registered: 2022-04-04
Posts: 5  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

ralph.ronnquist wrote:

At 2022-09-04,
Second alternative: Anyone uncomfortable with those command line options should rather download the new keyring directly, eg

  1. # wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb

  2. # sha256sum devuan-keyring_2022.09.04_all.deb
     96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d

  3. # dpkg -i devuan-keyring_2022.09.04_all.deb

Why not use apt instead of using dpkg directly?

apt install ./devuan-keyring_2022.09.04_all.deb

Offline

#17 2022-09-05 21:02:35

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,532  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

mobin2008 wrote:

Why not use apt instead of using dpkg directly?

Because apt performs the authentication checks that are broken until the new keyring package is installed.

Offline

#18 2022-09-05 21:17:09

mobin2008
Member
Registered: 2022-04-04
Posts: 5  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

Head_on_a_Stick wrote:
mobin2008 wrote:

Why not use apt instead of using dpkg directly?

Because apt performs the authentication checks that are broken until the new keyring package is installed.

You're right, but it works for me hmm

Offline

#19 2022-09-06 13:50:31

Ogis1975
Member
Registered: 2017-04-21
Posts: 277  
Website

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

But how could this happen? I do not understand anything. How could those overseeing Devuan miss something of such importance? After all, the repository key is one of the cornerstones of security...As long as I've been using Debian, this nonsense has never happened...I think Devuan developers should take security more seriously (just my opinion and I didn't mean to offend anyone).


What economists call over-production is but a production that is above the purchasing power of the worker, who is reduced to poverty by capital and state.
            ----+- Peter Kropotkin -+----

Offline

#20 2022-09-06 14:35:15

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 731  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

@Ogis1975: So what's your purpose with that kind of post?

Offline

#21 2022-09-06 15:42:37

golinux
Administrator
Registered: 2016-11-25
Posts: 2,604  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

ralph.ronnquist wrote:

@Ogis1975: So what's your purpose with that kind of post?

Perhaps Ogis1975 is wanting to volunteer to take on the task of monitoring the expiration dates of all the Devuan certificates . . . smile

Online

#22 2022-09-06 15:57:58

MLEvD
Member
Registered: 2021-02-14
Posts: 126  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

What's the procedure for this monitoring? Can anybody do it, or does it require expertise of some kind?

Offline

#23 2022-09-06 16:35:54

golinux
Administrator
Registered: 2016-11-25
Posts: 2,604  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

I am not really qualified to answer this question but imagine it would require something like:

1. Locate all Devuan keys and expiration dates.
2. Set up auto notifications to developers well in advance of expiration dates.
3. Actually remember to do it (or learn how to do it yourself).

big_smile

Online
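An added example, not part of any post in this thread and not a Devuan project tool: one way to carry out steps 1 and 2 of the list above by reading the machine-readable key listing from `gpg --with-colons` and flagging keys that are expired or near expiry. The function names, the key IDs in the sample listing and the `KEYRING` path are constructed placeholders, and the expiry field is assumed to be in epoch seconds.

```shell
#!/bin/sh
# Added example: flag OpenPGP keys that have expired or will expire soon.
# Input is a `gpg --with-colons` listing, where for "pub" records
#   field 5 = key ID, field 7 = expiry time (empty means the key never expires).

# expiring_keys NOW_EPOCH WARN_DAYS   (hypothetical helper, listing on stdin)
# Prints "<keyid> EXPIRED <days-ago>" or "<keyid> EXPIRING <days-left>".
# Exit status is 1 if any key was reported, 0 otherwise.
expiring_keys() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" && $7 != "" {
            if ($7 + 0 <= now + 0) {
                print $5, "EXPIRED", int((now - $7) / 86400)
                bad = 1
            } else if (($7 - now) / 86400 < warn) {
                print $5, "EXPIRING", int(($7 - now) / 86400)
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listing: the key IDs and dates are made up for the example.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAAA:1500000000:1662249600::-:::sc::::::23::0:
uid:e::::1500000000::0000::Constructed Expired Key::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1600000000:1665000000::-:::scSC::::::23::0:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1600000000:::-:::scSC::::::23::0:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1600000000:1800000000::-:::scSC::::::23::0:
EOF
}

# Against a real keyring file (KEYRING is a placeholder path), warning 60 days ahead:
#   gpg --show-keys --with-colons "$KEYRING" | expiring_keys "$(date +%s)" 60
# From cron, a non-zero exit status can trigger the notification mail.
```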

#24 2022-09-06 16:58:32

MLEvD
Member
Registered: 2021-02-14
Posts: 126  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

golinux wrote:

I am not really qualified to answer this question but imagine it would require something like:

1. Locate all Devuan keys and expiration dates.
2. Set up auto notifications to developers well in advance of expiration dates.
3. Actually remember to do it (or learn how to do it yourself).

big_smile

Back in March, decided to upgrade machine 2 to ssd, so first upgraded spare machine 1 to small ssd and started using machine 1, so machine 2 could be worked on.
Then there was an emergency, and all projects had to be boxed and shelved.
Last week the emergency finished, then this morning machine 1 had an unbooting grub.
So, back on machine 2, which wouldn't boot, but got it booting by installing lmde5 in a spare partition. 6 month old devuan beowulf booted off the new grub. Apt update resulted in EXPKEYSIG BB23C00C61FC752C Devuan Repository errors.

For a moment, I actually thought about just running it without updates until I got debian working again.
Decided against that, searched these lists. What luck, the keys expired just two days before I needed them!
The real risk here, is users not promptly applying security updates, and I was almost one of them.

Offline

#25 2022-09-07 10:22:40

jay
Member
Registered: 2019-11-10
Posts: 1  

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

Hello everyone!

First off: I greatly appreciate devuan and use it every day on several machines! Thank you to all the contributors!

Now back to topic:

After fixing this issue using your guide (as well as a "apt-key del BB23C00C61FC752C" beforehand...),
I realized that the new GPG key also expires within a year...

I strongly recommend using individual GPG keys per release that do not expire before the respective release's end-of-life!

That also happens to be debian's approach from what I can see:

Debian/Buster key expires: 2027-04-12
Debian/Bullseye key expires: 2029-01-15
(says my "apt-key list" command anyway)

You could take those expiration dates as template for your own keys and add a couple months or a year on top to account for the delay between debian releases and their respective devuan counter-part.


With the currently provided new key we can expect the exact same problem to happen next year,
that's why I would be happy if you could consider this approach.


Thank you!

Offline
