Expired GPG key error for Cawbird Debian repository

[Nardol]

When running apt update, I have the following error for Cawbird repository:

W: Impossible de récupérer https://download.opensuse.org/repositories/home:/IBBoard:/cawbird/Debian_10/InRelease  Les signatures suivantes ne sont pas valables : EXPKEYSIG A7A55B845DCFCBE2 home:IBBoard OBS Project <home:IBBoard@build.opensuse.org>

I tried to re-download the GPG key with no change.

Thanks.

[IBBoard]

Ugh, looks like it's #39 again. I'll have to work out how to regenerate my keys. Would be nice if the system told me!

[jdrch]

Same problem here on Ubuntu 21.10.

[IBBoard]

It's not quite #39, because that was specifically about a weak key whereas this is just expired.

For my future reference:

# Install 80+ packages just to get the `osc` command-line
zypper addrepo https://download.opensuse.org/repositories/openSUSE:/Tools/openSUSE_Tumbleweed/openSUSE:Tools.repo
zypper install osc

# Extend key
KEY_ID=$(osc signkey home:IBBoard | grep -Po "(?<=keyid=\")[^\"]+")
osc signkey --extend home:IBBoard

# Rebuild everything
osc rebuild home:IBBoard:cawbird --all
osc rebuild home:IBBoard:cawbird-unstable --all

It should now be rebuilding. You will probably need to download the new key. You might be able to use apt-key adv in some way with --recv-keys A7A55B845DCFCBE2 but I'm not sure which options it needs for keyservers etc. Maybe apt-key adv --recv-keys --keyserver keys.gnupg.net (although gpg2 -vv --keyserver keys.gnupg.net --recv-keys A7A55B845DCFCBE2 is still listing the old key, so I don't know where OSC publishes it to!)

[jdrch]

@IBBoard It seems key maintenance is a PITA everywhere. Microsoft's repos have key trouble pretty frequently, which is amazingly bad for such a large company.

[IBBoard]

If people can a) check that it's working and b) tell me the apt command that updates the keys then I can announce it on Twitter (and try to remember to do this again in two year's time!)

[neogeographica]

Works for me on elementary OS 5 (based on Ubuntu 18.04).

wget -nv https://download.opensuse.org/repositories/home:IBBoard:cawbird/xUbuntu_18.04/Release.key -O - | sudo apt-key add -

(For Ubuntu after 20.04 it looks like apt-key will no longer be an option... someone else will have to chime in about that. Cf. https://askubuntu.com/questions/1295102/how-do-i-add-repo-gpg-keys-as-apt-key-is-deprecated for what looks like a plausible substitute.)

[IBBoard]

Yeah, that's the most direct way of doing it 🙂 Apparently there should be a way to do it via GPG key servers as well, if anyone knows how that works.

[jdrch]

@neogeographica Yep that works for me now, thanks!

[tassoman]

Expired for Ubuntu 20.04 also

curl -fsSL https://download.opensuse.org/repositories/home:IBBoard:cawbird/xUbuntu_20.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/home_IBBoard_cawbird.gpg > /dev/null

W: Si è verificato un errore nel verificare la firma. Il repository non è aggiornato e verranno usati i file indice precedenti. Errore GPG: http://download.opensuse.org/repositories/home:/IBBoard:/cawbird/xUbuntu_20.04 InRelease: Le seguenti firme non erano valide: EXPKEYSIG A7A55B845DCFCBE2 home:IBBoard OBS Project home:IBBoard@build.opensuse.org

Maybe the key can be re-generated sized 4096?

[IBBoard]

Expired for Ubuntu 20.04 also

Ugh, I told it to rebuild everything. And as far as I can tell from the last modified repo dates then it did because Cawbird Unstable is showing 14th December (except for CentOS 8, which is broken, some old or broken openSUSE Leap versions, and a couple of distros that triggered their own rebuilds after that because of dependency changes)

osc signkey home:IBBoard:cawbird shows my main home:IBBoard key. The key is wrapped in XML with an expiry date of 1708630861 which is February 2024. Copying and pasting the public PGP block confirms this:

$ echo "-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)

mQENBF2Xk6sBCAChqNQYg52cTivBelaTpta0tgUBlhwKi0+onUVqf/9pOx8TKjcT
4tSKmWJNoCoji6O4c/pjNGxElY2KNY0nQ3bNf8fJffSpjaYlzzp2OqwgUvkEFkcD
H8LYgZVLmJokdj/fG/cSf8kZn4dU/PxUwzhGA5sJiMzBbBxpoZS1ZMZuqIQY3m4q
2/XaPIgCi/v4VAe5Lu3DGo0u9vvLEYF73kVigNdc9desBn23CKDcmapbhyPLffd/
K2VTKFOaYKkGizesFyICLakr5kr01OFmzDaxQs4DzcXVN5hAdvqvwmMZRUifbAhq
neB/+YYmW6bJe9dWupEz6hcdMeKWd6DqA9lDABEBAAG0OmhvbWU6SUJCb2FyZCBP
QlMgUHJvamVjdCA8aG9tZTpJQkJvYXJkQGJ1aWxkLm9wZW5zdXNlLm9yZz6JAT4E
EwEIACgFAmG4800CGwMFCQhAD6IGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ
EKelW4Rdz8vifHwH/3+DTH+M8oVG9pfxWz9PpjlWj6UQDZHxGONQ8rUDc24XS2tt
hu5/KKGnKLn1bZ8pVcMtXAzmjanHudviVaaya6UCGnHTXoJy55NkSmTKkP7f+LUw
lDmB/em3xA5r+KEePEKC2qKFBgVnVgyzXIWaK+aeTL1tXql0jzjLlaisb1K0M0dF
dnIpYe0w/J/v6p0GnQwrio6hcka5X5jviUSvUh5MyFw21mLCcQMMTtkEnsypa2oY
Jjh0VbkAj3W2h/GtXUmodZ4PNXRmXvEpgY4obfN1DPolV26YS5gvZqJ6kdHYCmXz
63TmM/usiNOAAgb3e/QZ5P/cSTqRZiZPQd+1Wa+IRgQTEQIABgUCXZeTqwAKCRA7
MBG3a51lI2PpAKCBnhZWIJwbPg2nj73mRJkj4tF3IACgswBiGTBqX+6IXp4XfHe8
v32GePw=
=VDVk
-----END PGP PUBLIC KEY BLOCK-----
" | gpg --show-keys
pub   rsa2048 2019-10-04 [SC] [expires: 2024-02-22]
      EDC682701D792970AD8645E7A7A55B845DCFCBE2
uid                      home:IBBoard OBS Project <home:IBBoard@build.opensuse.org>

Rebuilds are in progress AGAIN, so hopefully it works for everyone this time.

Maybe the key can be re-generated sized 4096?

Maybe. But a) it won't make a difference to this problem and b) as far as I can tell, OSC doesn't give me any options on that kind of thing.

[IBBoard]

GPG tells me that I've got the right key, so if it's not working then Apt must have another key somewhere else that it's using.

curl -fsSL https://download.opensuse.org/repositories/home:IBBoard:cawbird/xUbuntu_20.04/Release.key | gpg --show-keys
pub   rsa2048 2019-10-04 [SC] [expires: 2024-02-22]
      EDC682701D792970AD8645E7A7A55B845DCFCBE2
uid                      home:IBBoard OBS Project <home:IBBoard@build.opensuse.org>

[tassoman]

There was a keys messup in the /etc/apt/trusted.gpg.d/ So I've removed the old keys from there, then downloaded the new key as seen on OBS project website. :ok: