[SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

Ogis1975 · 2022-09-07 13:29:07

ralph.ronnquist wrote:

@Ogis1975: So what's your purpose with that kind of post?

Please excuse my poor English. First of all, I wanted to ask why the persons responsible for maintaining the repository keys did not update them in time? Second of all, I wanted to ask about these people, i.e. Devuan developers approach to security. Is it normal that the people responsible for storing these keys have not updated them in time? Is it normal that these keys have to be manually downloaded and installed in a potentially dangerous way?

P.S.

I just want to reiterate that personally I have been using Debian for over ten years. I have NEVER had such or similar problems. Maybe Devuan developers should review their approach to security and not be so irresponsible? Personally, I'm about to migrate back to Debian land, since the Debian developers take security much more seriously.....

P.P.S

I don't want to offend anyone. This is just my opinion...

Last edited by Ogis1975 (2022-09-07 13:29:53)

alexkemp · 2022-09-07 17:48:11

Ogis1975's is a reasonable question to ask.

If you get offended by the question then

That is the response of a child, not of a grown adult
No-one can ever then expect that you will take this matter seriously & responsibly
The future then will be filled with an infinite repetition of these (and other) issues, with zero fix in sight

Now yes, of course, you also get idiotic responses from entitled fools that have zero respect for the continual efforts of unpaid volunteers on their behalf. Those people do not deserve any respect, but that does not mean that Ogis1975's question is not a reasonable one to ask.

Many thanks to Ralph for his continual efforts on Devuan's behalf. It is a new venture & I fully expect bumps along the road. As long as things continually improve I have few complaints & immense gratitude for the simple fact that it is available to the world & to me.

_ds_ · 2022-09-07 20:11:49

Also, for those of us using apt-cacher-ng:

find /var/cache/apt-cacher-ng -name \*InRelease\* -delete

This may delete a little more than necessary, but it does the job.

ralph.ronnquist · 2022-09-07 23:21:33

alexkemp wrote:

Ogis1975's is a reasonable question to ask.

I disagree: it's a totally useless question.

Obviously there has been some kind of process failure when everyone in the whole community, including you and Ogis1975 as well as myself, failed to notice that the repository key was about to expire.

You don't have to ask about that. Rather you should ask yourself: "how can I help in the future?" and then act towards that.

xinomilo · 2022-09-08 07:52:30

a calendar thingy for anyone/@ll in devuan core team with access to the key, should be easy to do. (to save same trouble next year.)

ralph, users do not have access to gpg keys, nor do they sign packages with that key "everyday", nor do they run `apt-key list` everyday....
i think it's mostly up to the core team to just put some reminders on key/security processes.
yes, users can help, but you should not rely on others noticing in the first place for core/critical(imho), things.

2c.

Camtaf · 2022-09-08 08:53:56

@Ogis1975:

When Devuan has as many maintainers as Debian has, I would likely expect the same, but until then......

(These things happen.....some other software maintainers have been known to forget to renew keys too.)

EDIT: So glad this problem was sorted out so quickly, many thanks.

Last edited by Camtaf (2022-09-08 08:55:22)

Evenson · 2022-09-08 11:55:23

Hi, joined the forum just now and wanted to ask if maybe the keys should not have an expiry date or is this a security issue if they have no expiry?

Many thanks for the quick fix though.

Edit to add, i found this interesting stackechange post about this, albeit a bit old.
https://security.stackexchange.com/questions/14718/does-openpgp-key-expiration-add-to-security/79386#79386

Last edited by Evenson (2022-09-08 12:07:01)

Ogis1975 · 2022-09-08 15:12:04

ralph.ronnquist wrote:

alexkemp wrote:
Ogis1975's is a reasonable question to ask.
I disagree: it's a totally useless question.

Yes, of course. You won't get far with that attitude. By the way, even distrowatch mentioned this key issue. Great promotion for this distro.

P.S.

I have already migrated my machines to Debian land.

MiyoLinux · 2022-09-08 16:39:42

This is something that I take for granted...as I'm sure many others do.

If someone will tell me to tell me how to keep up with the renewal date(s), I will gladly accept that responsibility in order to help the project.

I may be the creator of a Devuan respin, but I'm not ashamed to admit my lack of knowledge in certain areas. I'm always happy to learn something new.

Lay it on me baby!

Contact me here or by email.

golinux · 2022-09-08 18:29:17

MiyoLinux wrote:

This is something that I take for granted...as I'm sure many others do.
If someone will tell me to tell me how to keep up with the renewal date(s), I will gladly accept that responsibility in order to help the project.
I may be the creator of a Devuan respin, but I'm not ashamed to admit my lack of knowledge in certain areas. I'm always happy to learn something new.
Lay it on me baby!
Contact me here or by email.

Oh Miyo . . . you are one in a million!! Someone who understands the dynamics of what sustains "free software" and actually steps up to DO something!!! You will be contacted shortly. Promise . . .

brocashelm · 2022-09-08 20:55:21

What Camtaf said. It's a small project that's run by a few volunteers, so I don't understand the need to escalate things, when there are some workarounds for this. Manually installing the updated DEB file worked for me.

Be like our friend MiyoLinux and offer to help out.

ralph.ronnquist · 2022-09-08 21:35:47

At https://ido.rrq.id.au/download there is an initial collection of trial installer ISOs that need to be tested in a range of settings.

Everyone here who doesn't devalue themselves with the label "just a Devuan user" should grab at least one of them and run it through a number of variations, and then report on it, maybe as an email to me. Refer to usecases.html for the primary use case division. VM trials as well as bare-metal trials are good.

EDIT: my alternate email is rrq at rrq dot id dot au

aitor · 2022-09-08 22:58:16

ralph.ronnquist wrote:

At https://ido.rrq.id.au/download there is an initial collection of trial installer ISOs that need to be tested in a range of settings.
Everyone here who doesn't devalue themselves with the label "just a Devuan user" should grab at least one of them and run it through a number of variations, and then report on it, maybe as an email to me. Refer to usecases.html for the primary use case division. VM trials as well as bare-metal trials are good.
EDIT: my alternate email is rrq at rrq dot id dot au

Thanks for your work, Ralph

dave · 2022-09-11 20:32:49

An update on this key problem: It seems to have been fixed. [ Sometime after 9/9 ]

Without changing anything or manually doing a key import, my apt-get update & upgrade procs now work as designed.

I wasn't really looking forward to a manual intervention on my dozen or so systems. Some of which are sometimes difficult to reach. :-(

So: Many thanks to whomever got the archive signed. I'm guessing here, but probably with an old but unexpired key... ??

But it works.

Thanx.

guuml.dev1 · 2022-09-11 23:08:01

Sorry for being late to the party at So 11 Sep 2022 21:44:59 CEST,
date +%c, you know?

Last sunday noon, aka So 04 Sep 12:00, my usual workflow (as root) was disrupted by an EXPKEYSIG error: WTF? Network error caused by provider? No. – DNS problem? No. – What is going on? This looks like a serious problem to my local machine and has to be fixed NOW!

Wait, eight days later, I want to make a long story short. Since my 1st beginning with Linux kernels and GNU software on rpm based machines I know a true zen say:

Security is a matter of trust.

Once upon the time an "update" process "distrust his master voice" and therefor ignores my well choosen configuration. I've lost data and recovering from this accident takes some time. The change to debian packaging system, change of distribution, was one of the consequences. And the step from debian/jessie to devuan/jessie some years later wasn't that difficult to continue the way with GNU/Linux. Back to the failing apt update (as root;)

I'm not a C-programmer and I have only a vague understanding of so-called ~~elliptic curves~~"internet security", but last week there was a urgent need for me to find some thing like a Devuan Cryptographic Key. But where? And HOW TO know that this is the right key?

Thanks to ralph.ronnquist I've found two answers. (There has always to be an alternative to init freedom;-) The 1st alternative is "allow-unauthenticated" and/or "allow-insecure-repositories". Does not sound trustworthy, really? The second way looks better to me:

As a "normal user" with UID>=1000 download the new key to a directory of your choice:
```
wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb
```
Note: Meanwhile https://www.devuan.org/os/keyring states
```
apt-get install devuan-keyring
```
but I tend to disagree: wget does one thing download one file, but apt installing one file may affect other packages.

Verify the checksum by your own, that's to say:

sha256sum ./devuan-keyring_2022.09.04_all.deb

has an output of

96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d  ./devuan-keyring_2022.09.04_all.deb

Make sure that's ok!

Now inject this proved file to your system:
```
# dpkg -i ./devuan-keyring_2022.09.04_all.deb
```
Note: sudo want's user's password, but I'll prefer a real root shell.
Then update the package information:
```
# apt update
```

Summary:

As far as I can trust myself;-) I have copied that proved deb-file to an USB stick. Using this file with dpkg -i just before any apt update works on every devuan/jessie 'til chimaera I can reach! AND it keeps my last DVD alive: Around easter 2022 I have burned that raw DVD with chimaera to check discless hardware without internet connection. Updating the keyring is just a small step just before getting another host up and running.

last but not least:

apt-cache policy devuan-keyring
devuan-keyring:
Installiert: 2022.09.04
Installationskandidat: 2022.09.04
Versionstabelle:
*** 2022.09.04 500
500 http://deb.devuan.org/merged chimaera/main amd64 Packages
100 /var/lib/dpkg/status

apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

man apt-key
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

Thanks for all your work and a better new week.

dave · 2022-09-12 15:30:23

@guuml.dev1 : You were probably composing your note and didn't see my previous post #39 at 16:32:49 ...

It looks like whomever is in charge of the archive keeps managed to get them resigned with a valid signature.

So suddenly, apt/apt-get updates just started working (magically) again with no need for a manual intervention.

Now: It Just Works. [tm]

[ On my systems which are running chimaera and beowulf. ]

Last edited by dave (2022-09-12 15:38:25)

joril · 2022-09-19 15:30:21

ralph.ronnquist wrote:

At https://ido.rrq.id.au/download there is an initial collection of trial installer ISOs that need to be tested in a range of settings.

Hi Ralph,
there are no files at https://ido.rrq.id.au/download anymore, is the test period over?
Thanks for your time!

ralph.ronnquist · 2022-09-20 10:17:46

As the key issue was fixed without needing ISO remake, the trial remakes were removed.

joril · 2022-09-20 11:32:10

I see... Great, thanks!

The officially official Devuan Forum!

#26 2022-09-07 13:29:07

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#27 2022-09-07 17:48:11

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#28 2022-09-07 20:11:49

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#29 2022-09-07 23:21:33

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#30 2022-09-08 07:52:30

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#31 2022-09-08 08:53:56

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#32 2022-09-08 11:55:23

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#33 2022-09-08 15:12:04

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#34 2022-09-08 16:39:42

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#35 2022-09-08 18:29:17

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#36 2022-09-08 20:55:21

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#37 2022-09-08 21:35:47

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#38 2022-09-08 22:58:16

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#39 2022-09-11 20:32:49

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#40 2022-09-11 23:08:01

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#41 2022-09-12 15:30:23

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#42 2022-09-19 15:30:21

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#43 2022-09-20 10:17:46

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

#44 2022-09-20 11:32:10

Re: [SOLVED] invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository

Board footer