[SOLVED] Invalid Signatures

prizm02 · 2022-09-03 18:02:19

Hello fellow Devuaners

I a new to Devuan, but not new to linux or Debian, I installed Chimeara a month ago and have had no problems until I tried to update today.

Apt reported the following error

Get:1 http://deb.devuan.org/merged chimaera InRelease [33.9 kB]
Get:2 http://deb.devuan.org/merged chimaera-updates InRelease [26.5 kB]
Err:1 http://deb.devuan.org/merged chimaera InRelease
  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
Get:3 http://deb.devuan.org/merged chimaera-security InRelease [26.5 kB]
Err:2 http://deb.devuan.org/merged chimaera-updates InRelease
  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
Err:3 http://deb.devuan.org/merged chimaera-security InRelease
  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
Fetched 86.9 kB in 3s (25.5 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.devuan.org/merged chimaera InRelease: The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.devuan.org/merged chimaera-updates InRelease: The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.devuan.org/merged chimaera-security InRelease: The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Failed to fetch http://deb.devuan.org/merged/dists/chimaera/InRelease  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Failed to fetch http://deb.devuan.org/merged/dists/chimaera-updates/InRelease  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Failed to fetch http://deb.devuan.org/merged/dists/chimaera-security/InRelease  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Some index files failed to download. They have been ignored, or old ones used instead

It is asking for updated GPG key ?

dpkg -i devuan-keyring_2022.09.04_all.deb

Sorry I Did not read the solved posts

Last edited by prizm02 (2022-09-03 18:36:06)

brocashelm · 2022-09-03 18:36:17

devuan-keyring has already been updated in the repository. This command was provided by Bb|hcb in the IRC channel:
apt update --allow-insecure-repositories && apt install devuan-keyring --allow-unauthenticated

Last edited by brocashelm (2022-09-03 19:09:39)

ralph.ronnquist · 2022-09-03 23:12:56

Note that the full hands-on may also require that the old local InRelease file for the distribution is removed manually, so the sequence of command would thus be (eg for chimaera):

# rm /var/lib/apt/lists/deb.devuan.org_merged_dists_chimaera_InRelease
# apt-get update --allow-unauthenticated --allow-insecure-repositories
# apt-get install devuan-keyring --allow-unauthenticated

Alternatively: Anyone uncomfortable with those command line options should rather download the new keyring directly, eg

# wget http://deb.devuan.org/devuan/pool/main/ … 04_all.deb
# sha256sum devuan-keyring_2022.09.04_all.deb 96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d
# dpkg -i devuan-keyring_2022.09.04_all.deb

Alternatively: if you have your own method that works, then that is fine too.

greenant · 2022-09-07 04:44:44

p.s. this worked for me on beowulf:

id=BB23C00C61FC752C
gpg --keyserver keyserver.ubuntu.com --recv-keys ${id} 
gpg --export ${id} | apt-key add -
apt update

narad-dev · 2022-09-07 05:43:45

The instructions above did not work fpr Daedalus.
How to fix the issue on Daedalus?

Many thanks in advance for your help.

Last edited by narad-dev (2022-09-07 05:44:06)

rolfie · 2022-09-07 06:27:47

The wget-method works on Daedalus. Attention: expand the path completely.

narad-dev · 2022-09-07 14:41:25

No, wget as listed above does not work, because there is no http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb, there only is a http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring-udeb_2022.09.04_all.udeb.
This udeb cannot bei installed with dpkg -i because it would overwrite »/usr/share/keyrings/devuan-archive-keyring.gpg« which is part of packagdevuan-keyring 2017.10.03 .

Solution: download udeb file, purge old devuan keyring, then dpkg -i devuan-keyring-udeb_2022.09.04_all.udeb works.

fsmithred · 2022-09-07 15:31:50

narad-dev wrote:

No, wget as listed above does not work, because there is no http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb,

You must have hit a mirror that wasn't fully updated. If you pick one from the mirror list, you can go to the same directory and find the .deb package.
https://pkgmaster.devuan.org/mirror_list.txt

rolfie · 2022-09-07 17:42:14

narad-dev wrote:

No, wget as listed above does not work, because there is no http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb, there only is a http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring-udeb_2022.09.04_all.udeb.

Did the upgrade twice on two of my Daedalus VMs using the wget method, worked out fine with the devuan-keyring_2022.09.04_all.deb package, no udeb required.

linuxuser · 2022-09-08 17:38:28

Hi all,

Tried to install Beowulf networkinstall today.

Could not install, because ISO Image was not updated with the correct signature.

Checked the repos, chimaera installer-iso's are also not updated with the right signature.

Any idea who to contact for this ?

Best regards.

EDIT

Found another post with a possible temporay solution,

https://dev1galaxy.org/viewtopic.php?id=5211

ISO images have to be fixed, though

Last edited by linuxuser (2022-09-08 18:09:46)

aitor · 2022-09-08 23:39:59

linuxuser wrote:

ISO images have to be fixed, though

Quoting Ralph Ronnquist, there is an initial collection of trial installer ISOs that need to be tested in a range of settings at:

https://ido.rrq.id.au/download/

linuxuser · 2022-09-09 08:35:30

aitor wrote:

linuxuser wrote:
ISO images have to be fixed, though
Quoting Ralph Ronnquist, there is an initial collection of trial installer ISOs that need to be tested in a range of settings at:
https://ido.rrq.id.au/download/

Hi, thanks for your reply

I was able to install by installing the key package, like Morgennebel mentioned.

So what's the problem here ?

Replacing the key works just fine (and should be done), so what has to be tested ?
I don't see it.

BTW I'm all for testing software before releasing.
But right now the installer images don't work at all, and the fix seeems quite straightforward to me.

Regards.

ralph.ronnquist · 2022-09-09 09:20:38

BTW I'm all for testing software before releasing.
But right now the installer images don't work at all, and the fix seems quite straightforward to me.

Great. Welcome on board!
I'm probably doing things wrong yes, and need to retire.
We can rely on you taking over this?

Just in parenthesis: all the installers do still work fine as long as you avoid network mirror backing during installation. It of course means that you'll end up with a rather minimal system, but it's still one where you can use the manual patching (wget + dpkg) before using the network mirroring/access the first time.

linuxuser · 2022-09-09 09:54:17

ralph.ronnquist wrote:

BTW I'm all for testing software before releasing.
But right now the installer images don't work at all, and the fix seems quite straightforward to me.
Great. Welcome on board!
I'm probably doing things wrong yes, and need to retire.
We can rely on you taking over this?
Just in parenthesis: all the installers do still work fine as long as you avoid network mirror backing during installation. It of course means that you'll end up with a rather minimal system, but it's still one where you can use the manual patching (wget + dpkg) before using the network mirroring/access the first time.

Wow, hold your horses, Ralph, no offense meant ;-)
I have used Devuan without problems for a few years now, and see no reason for you to retire ;-)

Do I understand right, are you the only person supporting the installation part of Devuan ?
I don't know the Devuan community (yet) so please help me out here.

And I guess people who use network installers in expert mode should be able to manage for now.

When do you plan to have the updated install ISO's available ?

Regards.

ralph.ronnquist · 2022-09-09 10:19:29

No worries. I didn't think I took offense, but hmm maybe I did. But it is true that I do need to retire off Devuan and that new and more people need to step up and in; not necessarily you of course.

The installer ISOs are built using https://git.devuan.org/devuan/installer-iso.git which has been streamlined into an almost push-button state by now. But, whenever an ISO is built, it relies on the state of the repository at that particular time and it's always possible for some update inconsistency to slip in. It is therefore I think the installer ISOs typically need a broader testing than a single person running through it once.

linuxuser · 2022-09-09 10:50:47

I understand.

Good to see that Devuan is hosting it's own git, by the way.

Regards.

The officially official Devuan Forum!

#1 2022-09-03 18:02:19

[SOLVED] Invalid Signatures

#2 2022-09-03 18:36:17

Re: [SOLVED] Invalid Signatures

#3 2022-09-03 23:12:56

Re: [SOLVED] Invalid Signatures

#4 2022-09-07 04:44:44

Re: [SOLVED] Invalid Signatures

#5 2022-09-07 05:43:45

Re: [SOLVED] Invalid Signatures

#6 2022-09-07 06:27:47

Re: [SOLVED] Invalid Signatures

#7 2022-09-07 14:41:25

Re: [SOLVED] Invalid Signatures

#8 2022-09-07 15:31:50

Re: [SOLVED] Invalid Signatures

#9 2022-09-07 17:42:14

Re: [SOLVED] Invalid Signatures

#10 2022-09-08 17:38:28

Re: [SOLVED] Invalid Signatures

#11 2022-09-08 23:39:59

Re: [SOLVED] Invalid Signatures

#12 2022-09-09 08:35:30

Re: [SOLVED] Invalid Signatures

#13 2022-09-09 09:20:38

Re: [SOLVED] Invalid Signatures

#14 2022-09-09 09:54:17

Re: [SOLVED] Invalid Signatures

#15 2022-09-09 10:19:29

Re: [SOLVED] Invalid Signatures

#16 2022-09-09 10:50:47

Re: [SOLVED] Invalid Signatures

Board footer