datto / dattobd

kernel module for taking block-level snapshots and incremental backups of Linux block devices
GNU General Public License v2.0

Repository key not considered valid on Debian stretch #104

Closed bg closed 7 years ago

bg commented 7 years ago

Hi,

I followed INSTALL.md to install, but even though apt-key imported Simon Watson's key, it is not considered valid on Debian stretch, i.e. apt update complains:

Err:13 https://cpkg.datto.com/repositories stretch InRelease
  The following signatures were invalid: D60DBD564DB3CE46591058595E99242593C3C8D9
Reading package lists... Done
W: GPG error: https://cpkg.datto.com/repositories stretch InRelease: The following signatures were invalid: D60DBD564DB3CE46591058595E99242593C3C8D9
E: The repository 'https://cpkg.datto.com/repositories stretch InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Yet here's Simon's key, in trusted.gpg:

# apt-key list simon
pub   rsa2048 2015-05-20 [SC]
      DC2F 4B0E B444 B303 AE65  8FCB 1674 354B 29FF 164C
uid           [ unknown] Simon Watson <swatson@datto.com>
sub   rsa2048 2015-05-20 [E]
sub   rsa2048 2015-05-20 [S]

What's up? I can tell apt to install anyway, but the curl method will fail because it is in noninteractive mode, so the bad key cannot be accepted and the script aborts.
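Added example, not code from the issue or the dattobd project: a small Python triage helper that pulls the signer fingerprint out of apt's GPG error and looks it up in a `gpg --with-colons --fingerprint` listing of the trusted keyring, matching subkeys as well as primaries, because `apt-key list` as shown above prints only the primary fingerprint and so cannot tell you whether D60DBD56... is one of Simon's signing subkeys. The keyring listing below is constructed: the primary key is the one from the report, the subkey fingerprint is a placeholder, so the result only says whether the signer is in that constructed keyring.

```python
import re

# 40-hex fingerprint apt prints after "signatures were invalid:".
FPR_RE = re.compile(r"signatures were invalid: ([0-9A-F]{40})")

# apt output from the report above (verbatim, abridged to the error lines).
APT_ERROR = """Err:13 https://cpkg.datto.com/repositories stretch InRelease
  The following signatures were invalid: D60DBD564DB3CE46591058595E99242593C3C8D9
"""

# Constructed `gpg --with-colons --fingerprint` listing of the trusted keyring:
# primary key is Simon Watson's from the report, the [S] subkey fingerprint
# is a placeholder (not the real one).
KEYRING_LISTING = """pub:-:2048:1:1674354B29FF164C:1432080000:::-:::scESC:
fpr:::::::::DC2F4B0EB444B303AE658FCB1674354B29FF164C:
uid:-::::1432080000::0000::Simon Watson <swatson@datto.com>:
sub:-:2048:1:0000000000000002:1432080000::::::s:
fpr:::::::::0000000000000000000000000000000000000002:
"""

def signer_fingerprints(apt_output):
    """Distinct fingerprints apt blames in its GPG error lines."""
    return sorted(set(FPR_RE.findall(apt_output)))

def parse_colon_keyring(listing):
    """Map primary fingerprint -> {"uid": str, "subkeys": [fpr, ...]}. Each pub/sub
    record is followed by an fpr record; field 10 holds the fingerprint (or uid)."""
    keys, current, pending = {}, None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            pending = f[0]                      # next fpr record belongs to this
        elif f[0] == "fpr" and pending == "pub":
            current, pending = f[9], None
            keys[current] = {"uid": "", "subkeys": []}
        elif f[0] == "fpr" and pending == "sub":
            keys[current]["subkeys"].append(f[9])
            pending = None
        elif f[0] == "uid" and current and not keys[current]["uid"]:
            keys[current]["uid"] = f[9]
    return keys

def owner_of(fpr, keys):
    """Primary fingerprint that owns `fpr` as primary or subkey, else None."""
    return next((p for p, k in keys.items() if fpr == p or fpr in k["subkeys"]), None)

def triage(apt_output, listing):
    """Signer fingerprint -> owning trusted primary key, or None if absent."""
    keys = parse_colon_keyring(listing)
    return {fpr: owner_of(fpr, keys) for fpr in signer_fingerprints(apt_output)}
```

A match does not by itself clear the error, since apt also labels a signature invalid when it was made with a digest it no longer accepts; a None result does mean the key apt names is not in the keyring you listed.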

bg commented 7 years ago

p.s. I realize I conflated dlad install (via curl) with dattobd install, but both use the same repo listed in INSTALL.md, i.e. cpkg.datto.com, so my complaint remains relevant, even though my goal is to install dlad (though I couldn't find any public tracker where I could file an issue about that).

crawfxrd commented 7 years ago

@Conan-Kudo can you comment on this?

Conan-Kudo commented 7 years ago

Hey @bg, thanks for reporting this issue.

Unfortunately, I knew this was going to happen when the Apt team announced the deprecation of the older key signatures, but my current problem is figuring out how to rotate the key to the newer one we use for the RPM repositories without breaking everyone.

bg commented 7 years ago

The usual way is to have a package in the repo which includes the key, e.g. debian has debian-archive-keyring. Examine that package for inspiration.

Ben


Conan-Kudo commented 7 years ago

@bg That doesn't help our customers figure out how to switch keys when the repository breaks. We ship our GPG keys in a package for the RPM systems, so rotating them is a matter of having the RPM package signed with both keys and letting it upgrade, then the rest is done.

I see now. We just automatically make them trusted by dropping the keys in /etc/apt/trusted.gpg.d...

bg commented 7 years ago

True, but arguably if it had been set up that way to begin with, you'd not be facing this problem now, as both the new and the old key would be trusted after they upgrade, so when the archive is finally signed with the new key instead of the old, they should already have the new key in /etc/apt/trusted.gpg.d from a prior upgrade of your archive keyring package. (I know that's not much help for the present situation, but at least going forward, upgrades to new repo keys should be seamless, provided users are staying up-to-date and the new key is pushed out through your apt repo in advance of the switch to signing with the new key).

Ben


Conan-Kudo commented 7 years ago

The new repository has been deployed and new instructions were committed in a12422e9bb56d7f991504ed1829c4649f3ff86e6.