linuxmint / mintsources


Mint - 20 Adding an OBS repo signing keys using official instructions breaks subsequent PPA signing key installation #205

Closed smurphos closed 4 years ago

smurphos commented 4 years ago

Hi,

Noted this issue testing with installing ungoogled-chromium on Mint 20. Also tested on Ubuntu 20.04 and the steps taken do not cause the same issue, so I think this is a Mint-specific bug. There are reports popping up on the forum of users with a similar problem having added an OBS repo to their sources.

To reproduce, follow the official instructions to add some OBS repo and its signing key, and then try to add a PPA. Example output below is for ungoogled-chromium followed by adding the keepassxc PPA.

steve@steve-VirtualBox:~$ sudo wget -nv https://download.opensuse.org/repositories/home:ungoogled_chromium/Ubuntu_Focal/Release.key -O "/etc/apt/trusted.gpg.d/home:ungoogled_chromium.asc"
2020-06-28 05:22:11 URL:https://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal/Release.key [1126/1126] -> "/etc/apt/trusted.gpg.d/home:ungoogled_chromium.asc" [1]
steve@steve-VirtualBox:~$ apt update
Hit:1 http://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal  InRelease
Hit:2 http://dl.google.com/linux/chrome/deb stable InRelease                   
Hit:3 http://archive.ubuntu.com/ubuntu bionic InRelease                        
Hit:4 http://archive.ubuntu.com/ubuntu bionic-updates InRelease                
Hit:5 http://archive.ubuntu.com/ubuntu focal InRelease                         
Hit:6 http://archive.ubuntu.com/ubuntu focal-updates InRelease                 
Hit:7 http://archive.ubuntu.com/ubuntu focal-backports InRelease               
Hit:8 http://security.ubuntu.com/ubuntu bionic-security InRelease              
Hit:9 http://security.ubuntu.com/ubuntu focal-security InRelease    
Ign:10 http://packages.linuxmint.com ulyana InRelease
Hit:11 http://archive.canonical.com/ubuntu focal InRelease
Hit:12 http://packages.linuxmint.com ulyana Release
Reading package lists... Done
Building dependency tree       
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
steve@steve-VirtualBox:~$ sudo add-apt-repository ppa:phoerious/keepassxc
You are about to add the following PPA:
 KeePassXC Password Manager (official upstream PPA)

https://keepassxc.org/download/
 More info: https://launchpad.net/~phoerious/+archive/ubuntu/keepassxc
Press Enter to continue or Ctrl+C to cancel

Executing: /tmp/apt-key-gpghome.96c7RW0TWW/gpg.1.sh --keyserver hkps://keyserver.ubuntu.com:443 --recv-keys D89C66D0E31FEA2874EBD20561922AB60068FCD6
gpg: key 61922AB60068FCD6: public key "Launchpad PPA for Janek Bevendorff" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: invalid key resource URL '/tmp/apt-key-gpghome.96c7RW0TWW/home:ungoogled_chromium.asc.gpg'
gpg: keyblock resource '(null)': General error
gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
gpg: key 02456C79B2FD48BF: 1 signature not checked due to a missing key
gpg: key A6616109451BBBF2: 12 signatures not checked due to missing keys
gpg: key 3B4FE6ACC0B21F32: 3 signatures not checked due to missing keys
gpg: key D94AA3F0EFE21092: 3 signatures not checked due to missing keys
gpg: key C8CAB6595FDFF622: 2 signatures not checked due to missing keys
gpg: key 871920D1991BC93C: 1 signature not checked due to a missing key
gpg: Total number processed: 8
gpg:       skipped new keys: 8
steve@steve-VirtualBox:~$ apt update
[sudo] password for steve:               
Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease                
Get:3 http://ppa.launchpad.net/phoerious/keepassxc/ubuntu focal InRelease [18.0 kB]
Hit:4 http://archive.ubuntu.com/ubuntu focal InRelease                         
Hit:5 http://archive.ubuntu.com/ubuntu focal-updates InRelease                 
Hit:6 http://dl.google.com/linux/chrome/deb stable InRelease                   
Hit:7 http://archive.ubuntu.com/ubuntu focal-backports InRelease               
Hit:8 http://archive.canonical.com/ubuntu focal InRelease                      
Hit:9 http://security.ubuntu.com/ubuntu bionic-security InRelease              
Hit:10 http://security.ubuntu.com/ubuntu focal-security InRelease              
Ign:11 http://packages.linuxmint.com ulyana InRelease                          
Hit:12 http://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal  InRelease
Hit:13 http://packages.linuxmint.com ulyana Release
Err:3 http://ppa.launchpad.net/phoerious/keepassxc/ubuntu focal InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 61922AB60068FCD6
Reading package lists... Done
W: GPG error: http://ppa.launchpad.net/phoerious/keepassxc/ubuntu focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 61922AB60068FCD6
E: The repository 'http://ppa.launchpad.net/phoerious/keepassxc/ubuntu focal InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

Some reports from the forum from today - https://forums.linuxmint.com/viewtopic.php?f=47&t=323018 https://forums.linuxmint.com/viewtopic.php?f=90&t=322993 https://forums.linuxmint.com/viewtopic.php?f=18&t=322612

smurphos commented 4 years ago

Subsequent to raising this issue the official command format for adding OBS repo keys has been changed. The new command format is

curl -fsSL https://download.opensuse.org/repositories/home:ungoogled_chromium/Ubuntu_Focal/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/home:ungoogled_chromium.gpg > /dev/null

This still results in breakage in Mint and PPAs can't be added after running this command.

The new command format works fine in Ubuntu.

xenopeek commented 4 years ago

If you run apt-key list after running the command from above comment (also on Ubuntu 20.04) it doesn't list the added keyfile. Removing ':' from the filename of the keyfile in /etc/apt/trusted.gpg.d/ makes it work (apt-key list and adding PPAs). I can't say why Ubuntu's add-apt-repository allows for ':' in filenames in /etc/apt/trusted.gpg.d/ while standard APT commands like apt-key don't. OBS should probably not instruct to use ':' in filenames if standard APT commands don't support that.

That said it would be nice if mintsources and included add-apt-repository / apt-add-repository could handle filenames with invalid characters in them just as Ubuntu's add-apt-repository does.
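Added example, not part of the thread or of mintsources: a POSIX shell check for the condition xenopeek describes above, keyring files in /etc/apt/trusted.gpg.d/ whose names contain ':'. The function names and the rule of replacing ':' with '_' are assumptions of this example; the demo directory and its file names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an APT keyring directory for
# file names containing ':' and optionally rename them.

# Print the basename of every *.gpg / *.asc file in directory $1 whose
# name contains ':'.
colon_keyrings() {
    for f in "$1"/*.gpg "$1"/*.asc; do
        [ -f "$f" ] || continue        # an unmatched glob stays literal
        case "${f##*/}" in
            *:*) printf '%s\n' "${f##*/}" ;;
        esac
    done
}

# Assumption of this example: ':' becomes '_' in the new name.
safe_name() {
    printf '%s\n' "$1" | tr ':' '_'
}

# audit_keyring_dir DIR [apply]
# Reports each offending file. With "apply", renames it unless the target
# already exists. Returns 1 if any colon-named keyring was found.
audit_keyring_dir() {
    dir=${1:-/etc/apt/trusted.gpg.d}
    mode=${2:-report}
    list=$(colon_keyrings "$dir")
    [ -n "$list" ] || return 0
    printf '%s\n' "$list" | while IFS= read -r name; do
        target=$(safe_name "$name")
        if [ -e "$dir/$target" ]; then
            echo "CONFLICT $name (target $target exists)"
        elif [ "$mode" = apply ]; then
            mv -- "$dir/$name" "$dir/$target" && echo "RENAMED $name -> $target"
        else
            echo "RENAME $name -> $target"
        fi
    done
    return 1
}

# Demo on a constructed directory; file names are modelled on the thread.
demo=$(mktemp -d)
: > "$demo/home:ungoogled_chromium.gpg"
: > "$demo/ubuntu-keyring-2018-archive.gpg"
audit_keyring_dir "$demo" || echo "colon-named keyrings present"
rm -rf "$demo"
```

Run without arguments it only reports on /etc/apt/trusted.gpg.d; the apply mode needs root there and never overwrites an existing keyring.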

smurphos commented 4 years ago

@xenopeek - I'm not sure that modifying the file name in the OBS key install command is the ideal solution for Mint.

After

echo 'deb http://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal/ /' | sudo tee /etc/apt/sources.list.d/home:ungoogled_chromium.list
curl -fsSL https://download.opensuse.org/repositories/home:ungoogled_chromium/Ubuntu_Focal/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/ungoogled_chromium.gpg > /dev/null

apt update - OK
apt install ungoogled-chromium - OK
apt-key list - OK
adding a PPA - OK
Key listed in Software Sources GUI - Not OK

Instead (after sudo rm /etc/apt/trusted.gpg.d/ungoogled_chromium.gpg from last test)

echo 'deb http://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal/ /' | sudo tee /etc/apt/sources.list.d/home:ungoogled_chromium.list
wget -nv https://download.opensuse.org/repositories/home:ungoogled_chromium/Ubuntu_Focal/Release.key -O /tmp/home:ungoogled_chromium.asc; sudo apt-key add /tmp/home:ungoogled_chromium.asc

apt update - OK
apt install ungoogled-chromium - OK
apt-key list - OK
adding a PPA - OK
Key listed in Software Sources GUI - OK

xenopeek commented 4 years ago

Thanks for sticking with it. This indeed fixes the issue entirely. I replaced the wget command with a bit shorter wget -nv https://download.opensuse.org/repositories/home:ungoogled_chromium/Ubuntu_Focal/Release.key -O - | sudo apt-key add - and that gives the same result: key is listed in mintsources and PPAs can be added after.

I think we can close this one?

alicektx commented 4 years ago

Hmmm, this will likely cause quite a bit of grief to people adding OBS repos. I (very partially only) noticed it a few days ago with smplayer from OBS. Thought the key most likely expired or something, really didn't pay any attention whatsoever. Next day I saw the instructions for adding the key were updated, ah nice, here we are. By sheer habit, I ran apt-key list afterwards, noticed such wasn't listed...ehhm, what? Figured it must be some silly glitch with illegal characters, renamed as smplayerdev.gpg instead of home:smplayerdev.gpg, all seemed fine then.

But it certainly neither crossed my mind that this is both a wider issue with OBS at the moment, nor did it happen that I tried adding some other PPA in-between before actually renaming such.

...from a very very quick look, behavior also doesn't look exactly the same, with older Mint 18.3 & mintsources 1.7.2 gui...

After

echo 'deb http://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal/ /' | sudo tee /etc/apt/sources.list.d/home:ungoogled_chromium.list
curl -fsSL https://download.opensuse.org/repositories/home:ungoogled_chromium/Ubuntu_Focal/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/ungoogled_chromium.gpg > /dev/null

apt update - OK
apt install ungoogled-chromium - OK
apt-key list - OK
adding a PPA - OK
Key listed in Software Sources GUI - Not OK

...hmmm, seems to be all OK here. Someone further broke something in between?... ;-)

smurphos commented 4 years ago

@xenopeek - I think it's worth keeping open if only to work out why the behaviour with the current OBS instructions and your adjusted version on Ubuntu 20.04 is different from Mint 20 - specifically the difference between the Software Sources GUI and Ubuntu's Software and Updates GUI, and why the current OBS instructions break PPAs on Mint but not Ubuntu.

On Ubuntu using the current OBS instructions

apt update - OK
apt install ungoogled-chromium - OK
apt-key list - not OK
adding a PPA - OK
Key listed in Software and Updates GUI - OK (but can't be removed via the GUI)

Instead using the adjusted command to remove the :

curl -fsSL https://download.opensuse.org/repositories/home:ungoogled_chromium/Ubuntu_Focal/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/ungoogled_chromium.gpg > /dev/null

apt update - OK
apt install ungoogled-chromium - OK
apt-key list - OK
adding a PPA - OK
Key listed in Software and Updates GUI - OK

nicolaasjan commented 4 years ago

It seems OBS is working on it. https://github.com/openSUSE/software-o-o/issues/842

nicolaasjan commented 4 years ago

agraul closed this in #843 commit e42c2f4