kaltura / platform-install-packages

Official deployment packages to install the Kaltura platform on a server or cluster environments using native OS package managers
GNU Affero General Public License v3.0
520 stars 242 forks source link

Signature Error (Debian 10 / propus) #688

Open TDS-Software opened 3 years ago

TDS-Software commented 3 years ago

Hi,

I get a Signature-Error: (when trying apt update)

W: GPG-Fehler: http://installrepo.kaltura.org/repo/apt/debian propus InRelease: Die folgenden Signaturen waren ungültig: 8118B7B578D4BA50032E3B740E221B84C95650AB

I tried to add this Key: (as described in the Installation-Readme)

http://installrepo.kaltura.org/repo/apt/debian/kaltura-deb-curr.gpg.key

my sources.list.d/kaltura.list:

deb [arch=amd64] http://installrepo.kaltura.org/repo/apt/debian propus main

I am on a fresh Debian 10.6 installation.

Thank you

odkr commented 3 years ago

This is really odd, because:

$ curl -s http://installrepo.kaltura.org/repo/apt/debian/dists/propus/InRelease | gpg
[...]
gpg: Signature made Mon Jul  6 15:44:25 2020 CEST
gpg:                using RSA key 0E221B84C95650AB
gpg: Can't check signature: No public key
$ curl -s http://installrepo.kaltura.org/repo/apt/debian/kaltura-deb-curr.gpg.key | gpg
[...]
pub   rsa2048 2019-09-08 [SC]
      8118B7B578D4BA50032E3B740E221B84C95650AB
uid           Kaltura Inc deb repo <community@kaltura.com>
sub   rsa2048 2019-09-08 [E]

At first, I thought somebody might just have used the wrong key to sign the repository. But that's not the case.

odkr commented 3 years ago

I just realised that the signature is, in fact, valid:

% curl -s http://installrepo.kaltura.org/repo/apt/debian/kaltura-deb-curr.gpg.key | gpg --import
gpg: key 0E221B84C95650AB: public key "Kaltura Inc deb repo <community@kaltura.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
% curl -s http://installrepo.kaltura.org/repo/apt/debian/dists/propus/InRelease | gpg --verify
gpg: Signature made Mon 06 Jul 2020 15:44:25 CEST
gpg:                using RSA key 0E221B84C95650AB
gpg: Good signature from "Kaltura Inc deb repo <community@kaltura.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8118 B7B5 78D4 BA50 032E  3B74 0E22 1B84 C956 50AB

Any idea why apt thinks otherwise?

odkr commented 3 years ago

I'm adding my research on this over at https://forum.kaltura.org/t/installing-from-debian-packages-in-buster-fails-because-of-a-signature-error/10922 in the hope that the developers will respond there.

odkr commented 3 years ago

A developer commented on the thread I've opened over at the Kaltura formus. Debian is no longer supported.