You are not logged in.
At 2022-09-04, the devuan repository key BB23C00C61FC752C updated at 2017 expired, which has led to difficulties for many users. The key has been corrected in the repository by expanding the validity period, and a new version of devuan-keyring, version 2022.09.04, is available.
It is only slightly complicated for an end user to get that new version installed given that their currently installed key version has expired. My proposed hands-on is as follows:
First alternative: this method removes the old local InRelease file for the distribution manually, and then installs the new devuan-keyring with "lowered apt security barriers". The sequence of commands are (example for chimaera; change appropriately for beowulf and ascii):
# rm /var/lib/apt/lists/deb.devuan.org_merged_dists_chimaera_InRelease
# apt-get update --allow-unauthenticated --allow-insecure-repositories
# apt-get install devuan-keyring --allow-unauthenticated
Second alternative: Anyone uncomfortable with those command line options should rather download the new keyring directly, eg
# wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb
# sha256sum devuan-keyring_2022.09.04_all.deb 96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d
# dpkg -i devuan-keyring_2022.09.04_all.deb
Further alternatives: if you have your own method that works, then that is fine too.
When the new devuan-keyring has been installed the apt system is operated as per usual.
Online
I'm generating a sha256sum of:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
not the one you posted... Please recheck, thank you.
*** UPDATED POST ***
** There is a hyperlink here... If you use that, you get the above, since the complete url was truncated, one could not simply copy the wget *FILE_LOCATION/FILENAME*
wget generated the correct sum, but it would be better to give users here something verbatim. . .
wget deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb
Last edited by JesterOfSorts (2022-09-04 09:19:25)
Offline
I am getting exactly 96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d on my download checked with gtkhash.
Would suggest you download again and recheck.
Edith: saw that the address given was a link and used right click - copy link adress in FF.
Last edited by rolfie (2022-09-04 09:30:09)
Offline
Considering the situation are you going to soon release the updated ISO in which this problem will be fixed?
Offline
2nd alternative, step 2:
sha256sum -c <<'END'
96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d *devuan-keyring_2022.09.04_all.deb
END
No output hash to compare manually this way.
Offline
I am getting exactly 96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d on my download checked with gtkhash.
Would suggest you download again and recheck.
Edith: saw that the address given was a link and used right click - copy link adress in FF.
I've never had an issue with right-click save as before today. Could it be the current FF in daedalus?
right-click save as will give me a totally different file and throws a security warning that the download is not safe...
When i right-click copy address, and paste it downloads the correct file/checksum...
Offline
Considering the situation are you going to soon release the updated ISO in which this problem will be fixed?
Yes, it would be an excellent contribution to the Devuan project to refresh any of the various installer ISOs for this.
Online
DandyKenguru wrote:Considering the situation are you going to soon release the updated ISO in which this problem will be fixed?
Yes, it would be an excellent contribution to the Devuan project to refresh any of the various installer ISOs for this.
How can this be accomplished locally?
Offline
The first step would be to determine which, if any, installation use case(s) need attention.
Online
this warning about package authentication is kind of annoying and pops up for every 'install' command
WARNING: The following packages cannot be authenticated!
chromium chromium-common libfreetype6 libjsoncpp25 libffi8
libwayland-client0
Install these packages without verification? [y/N]
any chance of getting around it?
Offline
At 2022-09-04, the devuan repository key BB23C00C61FC752C updated at 2017 expired, which has led to difficulties for many users. The key has been corrected in the repository by expanding the validity period, and a new version of devuan-keyring, version 2022.09.04, is available..
Thanks Ralph!
...oh...wait. You're "Down Under", so let me fix that...
¡ɥdlɐɹ sʞuɐɥʇ
LOLOLOLOLOL!
Seriously though...I thank you, and it's much appreciated! Take care!
I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.
Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned.
Offline
this warning about package authentication is kind of annoying and pops up for every 'install' command
any chance of getting around it?
As said above should fix it...
# wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb
# dpkg -i devuan-keyring_2022.09.04_all.deb
...& don't forget to
sudo apt-get update
Before trying to install programs.
Last edited by Camtaf (2022-09-05 13:21:28)
Offline
well, is it possible that the alternatives are not quite the same?
after
apt update --allow-insecure-repositories && apt install devuan-keyring --allow-unauthenticated
executed yesterday morning
here the warnings are very active
The following NEW packages will be installed:
freeglut3 libgumbo1 libmujs2 libssl3 mupdf
0 upgraded, 5 newly installed, 0 to remove and 1217 not upgraded.
Need to get 43.9 MB of archives.
After this operation, 79.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
WARNING: The following packages cannot be authenticated!
freeglut3 libgumbo1 libmujs2 libssl3 mupdf
Install these packages without verification? [y/N]
Last edited by amaro (2022-09-05 14:09:51)
Offline
I would suggest using the 2nd alternative (using Ralphe's suggestion) using wget....but that's just me.
...to each, his own.
I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.
Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned.
Offline
obviously, to paraphrase Orwell, 'All alternatives are effective, but some are more effective than others.'
the 2nd one really made a difference
# apt install cmus
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
libjsoncpp24
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
cmus-plugin-ffmpeg libcddb2 libdiscid0
Suggested packages:
libroar2
The following NEW packages will be installed:
cmus cmus-plugin-ffmpeg libcddb2 libdiscid0
0 upgraded, 4 newly installed, 0 to remove and 1216 not upgraded.
Need to get 346 kB of archives.
After this operation, 1,080 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://devuan.ipacct.com/devuan/merged daedalus/main i386 libcddb2 i386 1.3.2-7 [51.5 kB]
Get:2 http://devuan.ipacct.com/devuan/merged daedalus/main i386 libdiscid0 i386 0.6.2-3 [15.5 kB]
Get:3 http://devuan.ipacct.com/devuan/merged daedalus/main i386 cmus i386 2.10.0-2 [266 kB]
Get:4 http://devuan.ipacct.com/devuan/merged daedalus/main i386 cmus-plugin-ffmpeg i386 2.10.0-2 [13.8 kB]
Fetched 346 kB in 3s (138 kB/s)
Selecting previously unselected package libcddb2.
(Reading database ... 135362 files and directories currently installed.)
Preparing to unpack .../libcddb2_1.3.2-7_i386.deb ...
Unpacking libcddb2 (1.3.2-7) ...
Selecting previously unselected package libdiscid0:i386.
Preparing to unpack .../libdiscid0_0.6.2-3_i386.deb ...
Unpacking libdiscid0:i386 (0.6.2-3) ...
Selecting previously unselected package cmus.
Preparing to unpack .../cmus_2.10.0-2_i386.deb ...
Unpacking cmus (2.10.0-2) ...
Selecting previously unselected package cmus-plugin-ffmpeg.
Preparing to unpack .../cmus-plugin-ffmpeg_2.10.0-2_i386.deb ...
Unpacking cmus-plugin-ffmpeg (2.10.0-2) ...
Setting up libcddb2 (1.3.2-7) ...
Setting up libdiscid0:i386 (0.6.2-3) ...
Setting up cmus (2.10.0-2) ...
Setting up cmus-plugin-ffmpeg (2.10.0-2) ...
Processing triggers for man-db (2.10.2-2) ...
Processing triggers for libc-bin (2.34-7) ...
thank you, MiyoLinux!
Offline
At 2022-09-04,
Second alternative: Anyone uncomfortable with those command line options should rather download the new keyring directly, eg
# wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb
# sha256sum devuan-keyring_2022.09.04_all.deb 96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d
# dpkg -i devuan-keyring_2022.09.04_all.deb
Why dont use apt instead of use directly dpkg?
apt install ./devuan-keyring_2022.09.04_all.deb
Offline
Why dont use apt instead of use directly dpkg?
Because apt performs the authentication checks that are broken until the new keyring package is installed.
Brianna Ghey — Rest In Power
Offline
mobin2008 wrote:Why dont use apt instead of use directly dpkg?
Because apt performs the authentication checks that are broken until the new keyring package is installed.
you right but works for me
Offline
But how could this happen? I do not understand anything. How could those overseeing Devuan miss something of such importance? After all, the repository key is one of the cornerstones of security...As long as I've been using Debian, this nonsense has never happened...I think Devuan developers should take security more seriously (just my opinion and I didn't mean to offend anyone).
What economists call over-production is but a production that is above the purchasing power of the worker, who is reduced to poverty by capital and state.
----+- Peter Kropotkin -+----
Offline
@Ogis1975: So what's your purpose with that kind of post?
Online
@Ogis1975: So what's your purpose with that kind of post?
Perhaps Ogis1975 is wanting to volunteer to take on the task of monitoring the expiration dates of all the Devuan certificates . . .
Online
What's the procedure for this monitoring? Can anybody do it, or does it require expertise of some kind?
Offline
I am not really qualified to answer this question but imagine it would require something like:
1. Locate all Devuan keys and expiration dates.
2. Set up auto notifications to developers well in advance of expiration dates.
3. Actually remember to do it (or learn how to do it yourself).
Online
I am not really qualified to answer this question but imagine it would require something like:
1. Locate all Devuan keys and expiration dates.
2. Set up auto notifications to developers well in advance of expiration dates.
3. Actually remember to do it (or learn how to do it yourself).
Back in March, decided to upgrade machine 2 to ssd, so first upgraded spare machine 1 to small ssd and started using machine 1, so machine 2 could be worked on.
Then there was an emergency, and all projects had to be boxed and shelved.
Last week the emergency finished, then this morning machine 1 had an unbooting grub.
So, back on machine 2, which wouldn't boot, but got it booting by installing lmde5 in a spare partition. 6 month old devuan beowulf booted off the new grub. Apt update resulted in EXPKEYSIG BB23C00C61FC752C Devuan Repository errors.
For a moment, I actually thought about just running it without updates until I got debian working again.
Decided against that, searched these lists. What luck, the keys expired just two days before I needed them!
The real risk here, is users not promptly applying security updates, and I was almost one of them.
Offline
Hello everyone!
First off: I greatly appreciate devuan and use it every day on several machines! Thank you to all the contributors!
Now back to topic:
After fixing this issue using your guide (as well as a "apt-key del BB23C00C61FC752C" beforehand...),
I realized that the new GPG key also expires within a year...
I strongly recommend using individual GPG keys per release that do not expire before the respective release's end-of-life!
That also happens to be debian's approach from what I can see:
Debian/Buster key expires: 2027-04-12
Debian/Bullseye key expires: 2029-01-15
(says my "apt-key list" command anway)
You could take those expiration dates as template for your own keys and add a couple months or a year on top to account for the delay between debian releases and their respective devuan counter-part.
With the currently provided new key we can expect the exact same problem to happen next year,
that's why I would be happy if you could consider this approach.
Thank you!
Offline