Closed dwm9100b closed 8 months ago
Same on my Linux Mint
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04 InRelease: The following signatures were invalid: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project <home:jstaf@build.opensuse.org>
W: Failed to fetch http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04/InRelease The following signatures were invalid: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project <home:jstaf@build.opensuse.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.
Same on Zorin OS 16.3, with binaries from OneDriver based on Ubuntu 20.04
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04 InRelease: The following signatures were invalid: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project <home:jstaf@build.opensuse.org>
W: Failed to fetch http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04/InRelease The following signatures were invalid: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project <home:jstaf@build.opensuse.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.
I get this error when running sudo apt update. Looks like the key has expired and is not updated.
Feil:7 http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_22.04 InRelease De følgende signaturene var ugyldige: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project home:jstaf@build.opensuse.org
Hmm, this is really weird. OBS is supposed to manage and renew GPG keys independently of any manual intervention. However - I checked and the key in the repository is indeed expired:
root@c197f9e8f914:/etc/apt/sources.list.d# curl -fsSL https://download.opensuse.org/repositories/home:jstaf/xUbuntu_20.04/Release.key | gpg --show-keys
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
pub rsa2048 2021-07-26 [SC] [expired: 2023-10-04]
25B82636B2CF874F78AA035EDEB315783E3C88E2
uid home:jstaf OBS Project <home:jstaf@build.opensuse.org>
But when you check the signing keys for the repository, it is autorenewed and happy: https://build.opensuse.org/projects/home:jstaf/signing_keys. After doing some googling, it looks like the GPG key autorenews itself, but then the old key stays stuck in the repository? https://github.com/fish-shell/fish-shell/issues/8869.
I did a new build for Ubuntu 23.10 since that just came out a few days ago, and it had the new, correct key. I think I need to force a build for each repository independently before they will update, which is super annoying. Let me do that and then see if anything is required client-side to use the autorenewed key:
curl -fsSL https://download.opensuse.org/repositories/home:jstaf/xUbuntu_23.10/Release.key | gpg --show-keys
pub rsa2048 2021-07-26 [SC] [expires: 2025-11-29]
25B82636B2CF874F78AA035EDEB315783E3C88E2
uid home:jstaf OBS Project <home:jstaf@build.opensuse.org>
Yeah that fixed it. Apparently this is a known issue with apt/OBS: https://github.com/openSUSE/open-build-service/issues/322
However another issue is that builds stopped working for Ubuntu 20 and Debian 11 because those distros don't have a new enough Go version (1.16+) to build things anymore, so those repositories still have the old key. I either need to remove my use of newer Go features or drop support for those distributions entirely (currently leaning towards the second option because I want to actually be able to use Go features from 2+ years ago, just update your OS for these old systems). I'll leave this one open for now until I decide what to do with Ubuntu 20/Debian 11.
Just kidding, I fixed the compatibility with Ubuntu 20/Debian 11/CentOS 8 in the latest version. So now every repo should have the non-expired key.
Thank you so much for taking some time to help us and fix this for us. This software is really important to me <3
When running update I get the following error:
GPG error: http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04 InRelease: The following signatures were invalid: EXPKEYSIG DEB315783E3C88E2 home:jstaf OBS Project home:jstaf@build.opensuse.org
The repository 'http://download.opensuse.org/repositories/home:/jstaf/xUbuntu_20.04 InRelease' is not signed.
Options?
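The `gpg --show-keys` check from the thread, made scriptable so each repository's `Release.key` can be tested for expiry before `apt update` fails. This is an added example, not part of the original thread or the onedriver project; the function name `key_status`, the sample records and the timestamps are constructed, and it assumes GnuPG 2.x colon output, where dates are epoch seconds.

```shell
#!/bin/sh
# Added example (not from the thread): classify keys by expiry.
# Real use, with the URL taken from the thread:
#   curl -fsSL https://download.opensuse.org/repositories/home:jstaf/xUbuntu_23.10/Release.key \
#     | gpg --show-keys --with-colons | key_status "$(date +%s)"

# key_status NOW_EPOCH [WARN_DAYS]
# Reads `gpg --with-colons` records on stdin and prints, per primary key:
#   <fingerprint> <EXPIRED|EXPIRING|OK|NOEXPIRY|UNPARSED> <expiry-epoch or ->
key_status() {
    awk -F: -v now="$1" -v warn="${2:-30}" '
        # pub record: field 7 is the expiration date (empty = never expires)
        $1 == "pub" { expiry = $7; want_fpr = 1; next }
        # A subkey starts: any later fpr record is not the primary key
        $1 == "sub" { want_fpr = 0; next }
        # First fpr record after pub: field 10 is the primary fingerprint
        $1 == "fpr" && want_fpr {
            want_fpr = 0
            if (expiry == "")                       st = "NOEXPIRY"
            else if (expiry !~ /^[0-9]+$/)          st = "UNPARSED"
            else if (expiry + 0 <= now + 0)         st = "EXPIRED"
            else if (expiry - now <= warn * 86400)  st = "EXPIRING"
            else                                    st = "OK"
            print $10, st, (expiry == "" ? "-" : expiry)
        }
    '
}

# Constructed sample records. The fingerprint and dates come from the thread;
# the epoch values assume midnight UTC (2021-07-26, 2023-10-04, 2025-11-29).
sample_expired() {
    printf '%s\n' \
        'pub:e:2048:1:DEB315783E3C88E2:1627257600:1696377600::-:::sc::::::23::0:' \
        'fpr:::::::::25B82636B2CF874F78AA035EDEB315783E3C88E2:'
}
sample_renewed() {
    printf '%s\n' \
        'pub:-:2048:1:DEB315783E3C88E2:1627257600:1764374400::-:::scSC::::::23::0:' \
        'fpr:::::::::25B82636B2CF874F78AA035EDEB315783E3C88E2:'
}
```

Both samples carry the same fingerprint, which matches what the thread shows: OBS extended the expiry on the existing key rather than issuing a new one, so a client that cached the old copy of the key keeps seeing EXPKEYSIG until it re-imports `Release.key`.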