search

jstaf / onedriver

A native Linux filesystem for Microsoft OneDrive
GNU General Public License v3.0
1.86k stars 91 forks source link

The GPG key is expired on opensuse.org #355

Closed dwm9100b closed 8 months ago

dwm9100b commented 9 months ago

When running update I get the following error:

GPG error: http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04 InRelease: The following signatures were invalid: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project home:jstaf@build.opensuse.orgThe repository 'http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04 InRelease' is not signed.

Options?

sopykt commented 9 months ago

Same on my Linux Mint

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04  InRelease: The following signatures were invalid: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project <home:jstaf@build.opensuse.org>
W: Failed to fetch http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04/InRelease  The following signatures were invalid: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project <home:jstaf@build.opensuse.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.
carvalholeo commented 9 months ago

Same into Zorin OS 16.3, with binaries from OneDriver based on Ubuntu 20.04

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04  InRelease: The following signatures were invalid: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project <home:jstaf@build.opensuse.org>
W: Failed to fetch http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04/InRelease  The following signatures were invalid: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project <home:jstaf@build.opensuse.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.
alexstrand7 commented 9 months ago

Get this error when sudo apt update. looks like the key has expired and is not updated.

Feil:7 http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_22.04 InRelease De følgende signaturene var ugyldige: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project home:jstaf@build.opensuse.org

jstaf commented 8 months ago

Hmm, this is really weird. OBS is supposed to manage and renew GPG keys independently of any manual intervention. However - I checked and the key in the repository is indeed expired:

root@c197f9e8f914:/etc/apt/sources.list.d# curl -fsSL https://download.opensuse.org/repositories/home:jstaf/xUbuntu_20.04/Release.key | gpg --show-keys
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
pub   rsa2048 2021-07-26 [SC] [expired: 2023-10-04]
      25B82636B2CF874F78AA035EDEB315783E3C88E2
uid                      home:jstaf OBS Project <home:jstaf@build.opensuse.org>

But when you check the signing keys for the repository, it is autorenewed and happy: https://build.opensuse.org/projects/home:jstaf/signing_keys. After doing some googling, it looks like the GPG key autorenews itself, but then the old key stays stuck in the repository? https://github.com/fish-shell/fish-shell/issues/8869.

I did a new build for Ubuntu 23.10 since that just came out a few days ago, and it had the new, correct key. I think I need to force a build for each repository independently before they will update, which is super annoying. Let me do that and then see if anything is required client-side to use the autorenewed key:

curl -fsSL https://download.opensuse.org/repositories/home:jstaf/xUbuntu_23.10/Release.key | gpg --show-keys
pub   rsa2048 2021-07-26 [SC] [expires: 2025-11-29]
      25B82636B2CF874F78AA035EDEB315783E3C88E2
uid                      home:jstaf OBS Project <home:jstaf@build.opensuse.org>
jstaf commented 8 months ago

Yeah that fixed it. Apparently this is a known issue with apt/OBS: https://github.com/openSUSE/open-build-service/issues/322

However another issue is that builds stopped working for Ubuntu 20 and Debian 11 because those distros don't have a new enough Go version (1.16+) to build things anymore, so those repositories still have the old key. I either need to remove my use of newer Go features or drop support for those distributions entirely (currently leaning towards the second option because I want to actually be able to use Go features from 2+ years ago, just update your OS for these old systems). I'll leave this one open for now until I decide what to do with Ubuntu 20/Debian 11.

jstaf commented 8 months ago

Just kidding, I fixed the compatibility with Ubuntu 20/Debian 11/CentOS 8 in the latest version. So now every repo should have the non-expired key.

carvalholeo commented 8 months ago

Thank you so much for taking some time to help us and fix this for us. This software is really important to me <3