netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Install fails due to expired PGP key #1168

Open risasoft opened 11 months ago

risasoft commented 11 months ago

Describe the problem

Attempt to install via CLI:

curl -fsSL https://pkgs.netbird.io/install.sh | sh

I am getting an error about the PGP key:

➜  ~ curl -fsSL https://pkgs.netbird.io/install.sh | sh
NetBird UI installation will be omitted as Linux does not run desktop environment
The installation will be performed using apt package manager
Hit:1 http://nova.clouds.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://nova.clouds.archive.ubuntu.com/ubuntu jammy-updates InRelease                                                               
Hit:3 http://nova.clouds.archive.ubuntu.com/ubuntu jammy-backports InRelease                                                                                     
Hit:4 https://swupdate.openvpn.net/community/openvpn3/repos jammy InRelease                                                                                      
Get:5 https://pkgs.tailscale.com/stable/ubuntu jammy InRelease                                                                                                   
Hit:6 http://security.ubuntu.com/ubuntu jammy-security InRelease                            
Get:7 https://pkgs.netbird.io/debian stable InRelease [5934 B]        
Err:7 https://pkgs.netbird.io/debian stable InRelease
  The following signatures were invalid: EXPKEYSIG 83F79AD029778355 Wiretrustee <dev@wiretrustee.com>
Reading package lists... Done
W: GPG error: https://pkgs.netbird.io/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 83F79AD029778355 Wiretrustee <dev@wiretrustee.com>
E: The repository 'https://pkgs.netbird.io/debian stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

gene1wood commented 11 months ago

This key, which expired today on 2023-09-25, is not only breaking new installs, but apt upgrade also errors out now due to the key expiration.

$ sudo bash -c "apt update && apt -y upgrade"
Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease
...snip...
Err:6 https://pkgs.wiretrustee.com/debian stable InRelease                                                                                                     
  The following signatures were invalid: EXPKEYSIG 83F79AD029778355 Wiretrustee <dev@wiretrustee.com>
Hit:8 https://downloads.plex.tv/repo/deb public InRelease                                                                               
...snip...
Get:29 http://us.archive.ubuntu.com/ubuntu focal-security/multiverse amd64 c-n-f Metadata [548 B]                                                              
Fetched 11.8 MB in 35s (341 kB/s)                                                                                                                              
Reading package lists... Done
Building dependency tree       
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://pkgs.wiretrustee.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 83F79AD029778355 Wiretrustee <dev@wiretrustee.com>
W: Failed to fetch https://pkgs.wiretrustee.com/debian/dists/stable/InRelease  The following signatures were invalid: EXPKEYSIG 83F79AD029778355 Wiretrustee <dev@wiretrustee.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  netbird
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 8,836 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 https://pkgs.wiretrustee.com/debian stable/main amd64 netbird amd64 0.23.4 [8,836 kB]
Fetched 8,836 kB in 18s (486 kB/s)                                                                                                                             
(Reading database ... 219541 files and directories currently installed.)
Preparing to unpack .../netbird_0.23.4_amd64.deb ...
Unpacking netbird (0.23.4) over (0.23.2) ...
Setting up netbird (0.23.4) ...
 Post Install of an upgrade
 Stopping the service
Netbird has been uninstalled
Netbird service has been installed
Netbird service has been started

mlsmaycon commented 11 months ago

@gene1wood @risasoft hello folks, our GPG public keys for deb and rpm based packages have expired. We updated them, and for you to be able to use the repository, you need to reimport the keys with the following commands:

deb based (Ubuntu, Debian, etc):

curl -sSL https://pkgs.netbird.io/debian/public.key | sudo gpg --dearmor --output /usr/share/keyrings/netbird-archive-keyring.gpg

rpm based (CentOS, Fedora, Rocky, etc):

for pubring in /var/cache/dnf/NetBird-*/pubring /var/lib/yum/repos/*/*/NetBird/gpgdir /var/lib/yum/repos/*/*/NetBird/gpgdir-ro
do
  # skip glob patterns that matched nothing on this system
  [ -d "$pubring" ] || continue
  gpg --homedir "$pubring" --delete-key AA9C09AA9DEA2F58112B40DFDFFEAB2FD267A61F
done

PanagiotisS commented 11 months ago

Hello, the key https://pkgs.netbird.io/debian/public.key still reports that it expired yesterday

$ curl -sSL https://pkgs.netbird.io/debian/public.key -o public.key 
$ gpg public.key                                                                                                                                        
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3072 2021-09-25 [SC]
      EFE37DF047DF7CCDF1FC54FA83F79AD029778355
uid           Wiretrustee <dev@wiretrustee.com>
sub   rsa3072 2021-09-25 [E] [expired: 2023-09-25]

gene1wood commented 11 months ago

I think it's correct now

$ curl -sSL https://pkgs.netbird.io/debian/public.key -o public.key
$ gpg public.key
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3072 2021-09-25 [SC]
      EFE37DF047DF7CCDF1FC54FA83F79AD029778355
uid           Wiretrustee <dev@wiretrustee.com>
sub   rsa3072 2021-09-25 [E]

gene1wood commented 11 months ago

@mlsmaycon Does this mean that every existing Linux netbird user will have to do this manual process? If so, you may want to work on some communication (blog post, I dunno) since every Linux user will encounter this and maybe not find this GitHub issue.

gene1wood commented 11 months ago

Note that the instructions above work based on the assumption that the expired key file is located at /usr/share/keyrings/netbird-archive-keyring.gpg but mine was located at

/usr/share/keyrings/wiretrustee-archive-keyring.gpg

so I needed to remove that key before creating the new key.

shvchk commented 11 months ago

@gene1wood here's a list of known possible (old) keys and repo source files locations on Debian / Ubuntu + proper manual fix: https://github.com/netbirdio/public-keys/issues/1#issuecomment-1736322449

install.sh has been updated, so at least on Debian it should now fix all problems with expired keys or wrong repo source file location. Looks like it will also fix problems on RPM distros, although I didn't test that.

curl -fsSL https://pkgs.netbird.io/install.sh | sh

Remaining things to fix / check, imo:

lfarkas commented 10 months ago

fedora repo contains this:

name=Wiretrustee
baseurl=https://pkgs.wiretrustee.com/yum/
enabled=1
gpgcheck=0
gpgkey=https://pkgs.wiretrustee.com/yum/repodata/repomd.xml.key
repo_gpgcheck=1

and the gpgkey url still contains this:

pub   rsa3072 2021-09-25 [SC]
      AA9C09AA9DEA2F58112B40DFDFFEAB2FD267A61F
uid           Wiretrustee <dev@wiretrustee.com>
sub   rsa3072 2021-09-25 [E]

It means that the key file on your own server is still the old one! It has nothing to do with my keyring or anything else!

So why don't you simply replace the file???

lfarkas commented 10 months ago

Is it that complicated to replace a file???

mlsmaycon commented 10 months ago

@lfarkas It might be a misunderstanding, the file has been replaced, and the output is correct.

Can you test in a clean environment by running a fedora docker container and running the install script as follows?

curl -fsSL https://pkgs.netbird.io/install.sh | sh

lfarkas commented 10 months ago

Sorry, a rpm -e `rpm -qa|grep gpg-pubkey` helps, but it would be nice to document it

fluidum commented 10 months ago

curl -fsSL https://pkgs.netbird.io/install.sh | sh

Err:6 https://pkgs.netbird.io/debian stable InRelease                            
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 83F79AD029778355
Hit:16 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy InRelease
Reading package lists... Done
W: GPG error: https://pkgs.netbird.io/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 83F79AD029778355
E: The repository 'https://pkgs.netbird.io/debian stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

gpg /usr/share/keyrings/netbird-archive-keyring.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3072 2021-09-25 [SC]
      EFE37DF047DF7CCDF1FC54FA83F79AD029778355
uid           Wiretrustee <dev@wiretrustee.com>
sub   rsa3072 2021-09-25 [E]

Ubuntu 22.04.3 LTS

EDIT: weird, works when doing so via Dockerfile

FROM ubuntu:latest
RUN apt update && \
apt install curl gpg -y && \
curl -fsSL https://pkgs.netbird.io/install.sh | sh

shvchk commented 10 months ago

@fluidum Try to delete old keys and repo source files manually and then re-add: https://github.com/netbirdio/public-keys/issues/1#issuecomment-1736322449

fluidum commented 10 months ago

> @fluidum Try to delete old keys and repo source files manually and then re-add: netbirdio/public-keys#1 (comment)

FYI: Same result as before. It looks like it needs some deeper knowledge about apt troubleshooting in Ubuntu for some users.

root@host:/etc/apt# sudo rm -f \
  /etc/apt/sources.list.d/netbird.list \
  /etc/apt/sources.list.d/wiretrustee.list \
  /etc/apt/trusted.gpg.d/wiretrustee.gpg \
  /usr/share/keyrings/netbird-archive-keyring.gpg \
  /usr/share/keyrings/wiretrustee-archive-keyring.gpg

curl -sSL https://pkgs.netbird.io/debian/public.key \
| sudo gpg --dearmor -o /usr/share/keyrings/netbird-archive-keyring.gpg

echo 'deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main' \
| sudo tee /etc/apt/sources.list.d/netbird.list

sudo apt update
deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main
Hit:1 http://asi-fs-n.contabo.net/ubuntu jammy InRelease
Hit:2 http://asi-fs-n.contabo.net/ubuntu jammy-updates InRelease                                                           
Hit:3 http://asi-fs-n.contabo.net/ubuntu jammy-backports InRelease                                                         
Get:4 https://pkgs.netbird.io/debian stable InRelease [5934 B]                                                                                      
Get:5 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security InRelease [7553 B]                                                                     
Hit:6 https://pkg.cloudflare.com/cloudflared jammy InRelease        
Hit:7 http://security.ubuntu.com/ubuntu jammy-security InRelease    
Get:8 https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates InRelease [7456 B]
Get:9 https://esm.ubuntu.com/infra/ubuntu jammy-infra-security InRelease [7450 B]
Get:10 https://esm.ubuntu.com/infra/ubuntu jammy-infra-updates InRelease [7449 B]
Err:4 https://pkgs.netbird.io/debian stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 83F79AD029778355
Reading package lists... Done
W: GPG error: https://pkgs.netbird.io/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 83F79AD029778355
E: The repository 'https://pkgs.netbird.io/debian stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details

shvchk commented 10 months ago

@fluidum Strange, maybe you have netbird added in some other repo source file? You can find that with sudo grep -riE 'netbird|wiretrustee' /etc/apt

Hiyajomaho-num9 commented 9 months ago

Why is the server not deployed in the United States? The download speed is too slow.

fluidum commented 8 months ago

My solution was:

chmod go+r /usr/share/keyrings/netbird-archive-keyring.gpg

bmcgonag commented 6 months ago

@fluidum is a rockstar. That is what worked for me with an Ubuntu 22.04 LXC container in Proxmox. Run that command, then do the quick install command again, and it worked.
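
Added example, not part of the thread or of NetBird's install script: a POSIX shell triage for the two apt failures reported above, EXPKEYSIG (signing key past its expiry) and NO_PUBKEY with a correct key file on disk (keyring not readable by apt's unprivileged verifier, which is what the chmod go+r fix addresses). The function names and the colon-format sample records are constructed for illustration; the key ID is the one from the error messages.

```shell
#!/bin/sh
# Constructed samples in `gpg --with-colons` format (field 2 = validity,
# field 5 = key ID, field 7 = expiry as epoch seconds).
SAMPLE_EXPIRED='pub:e:3072:1:83F79AD029778355:1632528000:1695600000::-:::sc:'
SAMPLE_VALID='pub:-:3072:1:83F79AD029778355:1632528000:4102444800::-:::sc:'

# key_status KEYID: read a colon listing on stdin and print "expired",
# "valid" or "missing" for the key or subkey whose ID ends in KEYID.
key_status() {
    awk -F: -v id="$1" -v now="$(date +%s)" '
        ($1 == "pub" || $1 == "sub") &&
        substr($5, length($5) - length(id) + 1) == id {
            found = 1
            # "e" is gpg own verdict; also compare the expiry epoch to now
            if ($2 == "e" || ($7 != "" && $7 + 0 <= now)) expired = 1
        }
        END {
            if (!found) print "missing"
            else if (expired) print "expired"
            else print "valid"
        }'
}

# keyring_readable FILE: succeed only if FILE is a regular file with the
# "other" read bit set. Mode bits are checked instead of `test -r` so the
# answer is the same when the script itself runs as root.
keyring_readable() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm -004)" ]
}

# triage FILE KEYID: run both checks against a real keyring (needs gpg).
triage() {
    if ! keyring_readable "$1"; then
        echo "unreadable (try: chmod go+r $1)"
        return 1
    fi
    st=$(gpg --show-keys --with-colons "$1" 2>/dev/null | key_status "$2")
    echo "$st"
    [ "$st" = valid ]
}
```

On an affected host, `triage /usr/share/keyrings/netbird-archive-keyring.gpg 83F79AD029778355` prints which of the two conditions applies.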