Ximi1970 / systray-x

SysTray-X: A system tray extension for Thunderbird. Needs both the addon AND the companion app installed to work. Will not work with TB flatpaks or snaps.
Mozilla Public License 2.0

Debian repo key expired #150

Closed zcalusic closed 1 year ago

zcalusic commented 1 year ago

Debian repo key expired several days ago:

/etc/apt/trusted.gpg.d/systray-x-archive.gpg
--------------------------------------------
pub   rsa2048 2017-01-19 [SC] [expired: 2023-07-19]
      01A5 D4EF E73D 0F34 F825  3112 BEEF 5C36 07D8 6FE9
uid           [ expired] home:Ximi1970 OBS Project <home:Ximi1970@build.opensuse.org>

Using deb https://download.opensuse.org/repositories/home:/Ximi1970:/Mozilla:/Add-ons/Debian_10 ./ in /etc/apt/sources.list.d/systray-x.list.

Ximi1970 commented 1 year ago

Grrr. I will update the keys and rebuild the packages. Thanks for the heads-up.

Ximi1970 commented 1 year ago

Keys renewed, should be valid till 2025-10-02. Build service is building the packages now. Will take a few hours I am afraid.

Ximi1970 commented 1 year ago

Repositories have been rebuilt with the new keys.

zcalusic commented 1 year ago

I'm afraid I still get:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://download.opensuse.org/repositories/home:/Ximi1970:/Mozilla:/Add-ons/Debian_10 ./ InRelease: The following signatures were invalid: EXPKEYSIG BEEF5C3607D86FE9 home:Ximi1970 OBS Project <home:Ximi1970@build.opensuse.org>
W: Failed to fetch https://download.opensuse.org/repositories/home:/Ximi1970:/Mozilla:/Add-ons/Debian_10/./InRelease  The following signatures were invalid: EXPKEYSIG BEEF5C3607D86FE9 home:Ximi1970 OBS Project <home:Ximi1970@build.opensuse.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Ximi1970 commented 1 year ago

Did you download and update the Release.key? No problems in my Debian 10 VM.

zcalusic commented 1 year ago

I expected that apt-get would instruct me that I need to fetch some new key, but no, at no moment am I told that.

What it looks like to me is that you're still signing releases with the old, expired key.

I'm not an expert in this, but here's how I tried to reproduce:

wget https://download.opensuse.org/repositories/home:/Ximi1970:/Mozilla:/Add-ons/Debian_10/InRelease

apt-key adv --verify InRelease

gpg: Signature made Sun Aug  6 22:03:03 2023 CEST
gpg:                using RSA key BEEF5C3607D86FE9
gpg: Good signature from "home:Ximi1970 OBS Project <home:Ximi1970@build.opensuse.org>" [expired]
gpg: WARNING: Using untrusted key!

That BEEF... key is the one that expired 2023-07-19, almost a month ago.

Ximi1970 commented 1 year ago

That is the reason why you need to download the new Release.key (renewed public key) and add it again.

wget -q https://download.opensuse.org/repositories/home:/Ximi1970:/Mozilla:/Add-ons/Debian_10/Release.key
sudo apt-key add Release.key

I do not know how the repo keys are normally updated in Debian.

zcalusic commented 1 year ago

Hey, generally just like that. You put the key somewhere, users download it and add it with apt-key (or more recently by putting it directly into a designated folder). Usually apt-get complains if there's no key, it's expired or so...

OK, I added the new key as you instructed, and lo and behold it is working now.

I see how the confusion happened. The new key has exactly the same fingerprint, all is the same, just the detail about its expiration is different. Here's how it looks in apt-key list:

/etc/apt/trusted.gpg.d/systray-x-archive-new.gpg
------------------------------------------------
pub   rsa2048 2017-01-19 [SC] [expires: 2025-10-02]
      01A5 D4EF E73D 0F34 F825  3112 BEEF 5C36 07D8 6FE9
uid           [ unknown] home:Ximi1970 OBS Project <home:Ximi1970@build.opensuse.org>

/etc/apt/trusted.gpg.d/systray-x-archive.gpg 
--------------------------------------------
pub   rsa2048 2017-01-19 [SC] [expired: 2023-07-19]
      01A5 D4EF E73D 0F34 F825  3112 BEEF 5C36 07D8 6FE9
uid           [ expired] home:Ximi1970 OBS Project <home:Ximi1970@build.opensuse.org>

As I already said, I'm far from an expert in this area, but must also admit that I have never seen anything like this. In all other cases, after some Debian repo key has expired, the new one had a completely different fingerprint, and apt-get would point to that fact. In many cases pulling the new key from a gpg server was all that was needed. Or fetching it anew from some web page, all the same. But in all cases, the fingerprint was different. I didn't even think it was possible to resurrect an old expired key and prolong its expiration; I guess I was wrong.

Then again, it's finally working again, I see there's a new version of systray-x available already, so thank you for your help with this! Not to mention keeping this (IMHO essential) extension alive and kicking, great job!
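
The situation at the end of this thread (one fingerprint present in two keyring files with different expiry dates) can be checked mechanically. The following is an added example, not part of the original thread or the SysTray-X project: it parses GnuPG's colon-delimited key listing format and flags files that still hold an expired copy of a key that another file has renewed. The sample listings are constructed from the fingerprint, file names and dates quoted above (midnight UTC is assumed for the timestamps).

```python
from datetime import datetime, timezone

FPR = "01A5D4EFE73D0F34F8253112BEEF5C3607D86FE9"  # fingerprint shown in the thread

def _listing(validity, expires):
    # Constructed pub/fpr records; created 2017-01-19, midnight UTC assumed.
    return (f"pub:{validity}:2048:1:{FPR[-16:]}:1484784000:{expires}::-:::sc:\n"
            + "fpr" + ":" * 9 + FPR + ":\n")

SAMPLE = {  # file names from the thread, contents constructed
    "systray-x-archive.gpg": _listing("e", 1689724800),      # 2023-07-19
    "systray-x-archive-new.gpg": _listing("-", 1759363200),  # 2025-10-02
}

def parse_keys(colons):
    """Yield (fingerprint, expiry_timestamp_or_None) per primary key."""
    expires, want_fpr = None, False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 7 of a pub record is the expiration date (empty = never).
            expires, want_fpr = (int(f[6]) if f[6] else None), True
        elif f[0] == "fpr" and want_fpr:  # first fpr after pub = primary key
            want_fpr = False
            yield f[9], expires

def audit(listings, now):
    """Map fingerprint -> {file: (expiry_date, expired?)}."""
    report = {}
    for name, text in listings.items():
        for fpr, exp in parse_keys(text):
            day = (datetime.fromtimestamp(exp, timezone.utc).date().isoformat()
                   if exp else None)
            report.setdefault(fpr, {})[name] = (day, exp is not None and exp <= now)
    return report

def stale_copies(listings, now):
    """Files holding an expired copy of a key that another file has renewed."""
    stale = []
    for copies in audit(listings, now).values():
        if any(not expired for _, expired in copies.values()):
            stale += [n for n, (_, expired) in copies.items() if expired]
    return sorted(stale)

if __name__ == "__main__":
    # "Now" is set to the date of the InRelease signature quoted in the thread.
    now = datetime(2023, 8, 6, tzinfo=timezone.utc).timestamp()
    print(audit(SAMPLE, now))
    print("stale copies:", stale_copies(SAMPLE, now))
```

On a real system the listing for each file would come from `gpg --show-keys --with-colons <file>` instead of the constructed sample.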