checkpoint-restore / criu

Checkpoint/Restore tool
criu.org

ubuntu criu repo broken #2342

Closed kolyshkin closed 5 months ago

kolyshkin commented 5 months ago

Description

We are testing criu as part of https://github.com/opencontainers/runc tests, using a repo listed at https://criu.org/Packages#Ubuntu.

As of today, apt update with this repo configured fails:

Get:23 https://download.opensuse.org/repositories/devel:/tools:/criu/xUbuntu_22.04  InRelease [1548 B]
Err:23 https://download.opensuse.org/repositories/devel:/tools:/criu/xUbuntu_22.04  InRelease
  The following signatures were invalid: EXPKEYSIG 30A8343A498D5A23 devel:tools OBS Project <devel:tools@build.opensuse.org>
Reading package lists...
W: GPG error: https://download.opensuse.org/repositories/devel:/tools:/criu/xUbuntu_22.04  InRelease: The following signatures were invalid: EXPKEYSIG 30A8343A498D5A23 devel:tools OBS Project <devel:tools@build.opensuse.org>
E: The repository 'https://download.opensuse.org/repositories/devel:/tools:/criu/xUbuntu_22.04  InRelease' is not signed.
Error: Process completed with exit code 100.

(The error is similar for Ubuntu 20.04.)

I'm not an expert, but it looks like the key signature has expired.

Steps to reproduce the issue:

for VER in 20.04 22.04; do
  PREFIX=https://download.opensuse.org/repositories/devel:/tools:/criu/xUbuntu
  REPO=${PREFIX}_$VER
  curl -fSsLl $REPO/Release.key > $VER.key
  gpg $VER.key
done

Describe the results you received:

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2015-05-03 [SC] [expired: 2024-01-31]
      428E4E348405CE7900DB99C230A8343A498D5A23
uid           devel:tools OBS Project <devel:tools@build.opensuse.org>
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2015-05-03 [SC] [expired: 2024-01-31]
      428E4E348405CE7900DB99C230A8343A498D5A23
uid           devel:tools OBS Project <devel:tools@build.opensuse.org>

Describe the results you expected:

GPG keys not being expired

kolyshkin commented 5 months ago

An alternative to using the above repo is to use the one at https://launchpad.net/~criu/+archive/ubuntu/ppa. Alas, it seems it was never updated for criu 3.18 (see #2287).

kolyshkin commented 5 months ago

Cc @rst0git

rst0git commented 5 months ago

pub   rsa2048 2015-05-03 [SC] [expired: 2024-01-31]
      428E4E348405CE7900DB99C230A8343A498D5A23
uid           devel:tools OBS Project <devel:tools@build.opensuse.org>

Thanks @kolyshkin! The signing keys in OBS are updated automatically: https://build.opensuse.org/projects/devel:tools:criu/signing_keys

I will trigger a rebuild for the OBS packages and update the PPA to 3.19.

kolyshkin commented 5 months ago

I wrote a short script (perhaps it can be used as a base for a cron job to see if the key is about to expire?):

PREFIX=https://download.opensuse.org/repositories/devel:/tools:/criu

for VER in Debian_{10,11,12,Testing} Raspbian_{10,11} xUbuntu_{20.04,21.04,21.10,22.04,23.04}; do
  REPO="$PREFIX/$VER"
  echo "== $VER =="
  curl -fSsLl "$REPO/Release.key" | gpg --import-options show-only --import 2>&1 | grep -F 'expire'
done

Currently, this is what it shows:

== Debian_10 ==
pub   rsa2048 2015-05-03 [SC] [expired: 2024-01-31]
== Debian_11 ==
pub   rsa2048 2015-05-03 [SC] [expired: 2024-01-31]
== Debian_12 ==
pub   rsa2048 2015-05-03 [SC] [expired: 2024-01-31]
== Debian_Testing ==
pub   rsa2048 2015-05-03 [SC] [expires: 2026-03-27]
== Raspbian_10 ==
pub   rsa2048 2015-05-03 [SC] [expires: 2026-03-27]
== Raspbian_11 ==
pub   rsa2048 2015-05-03 [SC] [expired: 2024-01-31]
== xUbuntu_20.04 ==
pub   rsa2048 2015-05-03 [SC] [expires: 2026-03-27]
== xUbuntu_21.04 ==
pub   rsa2048 2015-05-03 [SC] [expired: 2024-01-31]
== xUbuntu_21.10 ==
pub   rsa2048 2015-05-03 [SC] [expired: 2024-01-31]
== xUbuntu_22.04 ==
pub   rsa2048 2015-05-03 [SC] [expired: 2024-01-31]
== xUbuntu_23.04 ==
pub   rsa2048 2015-05-03 [SC] [expired: 2024-01-31]

(note "expires" vs "expired")
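
The cron-job idea from the comment above, as an added example that is not part of the original thread and not the project's own tooling: it reads GnuPG's machine-readable `--with-colons` listing rather than grepping the human-readable one, and returns an exit status a scheduler can alert on. It assumes GnuPG 2.x, where field 7 of a `pub` record is the expiry in epoch seconds; the function name `key_expiry_report`, the status words and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify archive signing keys by
# time left before expiry, from GnuPG --with-colons output on stdin.
#
# usage: key_expiry_report NOW_EPOCH WARN_DAYS < colon-records
# prints "<keyid> <STATUS> [days-left]" for each primary key
# returns 2 if any key is EXPIRED or REVOKED, 1 if any is EXPIRING, else 0
key_expiry_report() {
  awk -F: -v now="$1" -v warn="$2" '
    $1 != "pub" { next }                          # primary-key records only
    $2 == "r"   { print $5, "REVOKED"; rc = 2; next }
    $7 == ""    { print $5, "NOEXPIRY"; next }    # field 7: expiry (epoch s)
    { left = int(($7 - now) / 86400) }            # whole days until expiry
    $7 <= now   { print $5, "EXPIRED", left; rc = 2; next }
    left < warn { print $5, "EXPIRING", left; if (rc < 1) rc = 1; next }
                { print $5, "OK", left }
    END { exit rc + 0 }
  '
}

# Constructed sample records. The dates mirror the two states shown in the
# thread (expired 2024-01-31, expires 2026-03-27); 00:00 UTC is assumed.
sample_colons() {
  cat <<'EOF'
pub:e:2048:1:30A8343A498D5A23:1430611200:1706659200::-:::sc::::::23::0:
fpr:::::::::428E4E348405CE7900DB99C230A8343A498D5A23:
uid:e::::1430611200::::devel\x3atools OBS Project <devel\x3atools@build.opensuse.org>:
pub:-:2048:1:30A8343A498D5A23:1430611200:1774569600::-:::sc::::::23::0:
EOF
}

# Demo with a fixed "now" of 2024-02-01 00:00 UTC. Live use would be, e.g.:
#   curl -fsSL "$REPO/Release.key" |
#     gpg --with-colons --import-options show-only --import |
#     key_expiry_report "$(date +%s)" 30
sample_colons | key_expiry_report 1706745600 30 || echo "attention needed (rc=$?)"
```

Run against each `$REPO` in the loop above, a warning window of about 30 days would flag a key before `apt update` starts failing with EXPKEYSIG.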

kolyshkin commented 5 months ago

@rst0git 🙏🏻

rst0git commented 5 months ago

@kolyshkin The version of CRIU for the Ubuntu packages in PPA and OBS has now been updated to 3.19.