novena-next / docs

MIT License

signature/SSL issues with the novena.jookia.org repo #22

Closed (hairymnstr closed 3 years ago)

hairymnstr commented 3 years ago

I've followed through to step 4 but apt update is failing to get a connection to the repository via https. A browser test is also giving certificate warnings for https://novena.jookia.org

As a test I modified the apt lines to fetch over http, but I still get an error, this time that the key is invalid (expired?):

GPG error: http://novena.jookia.org buster InRelease: The following signatures were invalid: EXPKEYSIG 998...BB1 Jookia (Novena repo signing key)

Jookia commented 3 years ago

Oh no. Looks like acme.sh has failed. I'll work on fixing that though HTTP should still work.

I don't quite understand why it's marking those signatures as invalid. The subkey is expired but the signatures were made when they were valid. Is your clock set properly?

Running gpg --verify on the InRelease file gives me this:

jookia@novena-choice-citizen:~% gpg --recv-key '72365C0E95BD25A7EE20C812DDC2AFA22D5777A9'                  (exited 130) 20:37
gpg: key DDC2AFA22D5777A9: "Jookia (Novena repo signing key) <contact@jookia.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
jookia@novena-choice-citizen:~% wget 'http://novena.jookia.org/dists/buster/InRelease'
jookia@novena-choice-citizen:~% gpg --verify InRelease                                                                  20:33
gpg: Signature made Sat 25 Apr 2020 21:07:49 AEST
gpg:                using RSA key 6A507319184678F48B11A9EB998392494716BBB1
gpg: Good signature from "Jookia (Novena repo signing key) <contact@jookia.org>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 7236 5C0E 95BD 25A7 EE20  C812 DDC2 AFA2 2D57 77A9
     Subkey fingerprint: 6A50 7319 1846 78F4 8B11  A9EB 9983 9249 4716 BBB1

I guess I could try and extend the subkey this week.

Jookia commented 3 years ago

Okay, I've fixed the HTTPS. I'm going to need to fix GPG tomorrow or some time this week.

I misunderstood how expiry dates for GPG worked. I thought that expiry dates meant that signatures signed after that date would be invalid, but instead it means the key's validity after that date is invalid for any use. In effect expiry is a soft auto-revoke.

I don't want to revoke this key, so I'll try and extend the expiry this week.

tingox commented 3 years ago

I'm guessing this hasn't been fixed yet?

tingo@kg-novena:~$ date;sudo apt update
Wed 30 Dec 2020 09:16:06 AM CET
Hit:1 http://ftp.no.debian.org/debian buster InRelease
Hit:2 http://security.debian.org buster/updates InRelease                                                     
Hit:3 https://novena.jookia.org buster InRelease                                                              
Err:3 https://novena.jookia.org buster InRelease
  The following signatures were invalid: EXPKEYSIG 998392494716BBB1 Jookia (Novena repo signing key) <contact@jookia.org>
Reading package lists... Done
Building dependency tree       
Reading state information... Done
49 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://novena.jookia.org buster InRelease: The following signatures were invalid: EXPKEYSIG 998392494716BBB1 Jookia (Novena repo signing key) <contact@jookia.org>
W: Failed to fetch https://novena.jookia.org/dists/buster/InRelease  The following signatures were invalid: EXPKEYSIG 998392494716BBB1 Jookia (Novena repo signing key) <contact@jookia.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Jookia commented 3 years ago

Sorry, unfortunately I haven't gotten to this. I'll try this week.


gpsamu commented 3 years ago

Hello. Just received my Novena today and ran through the update procedure. I also hit this issue but my system still boots etc and appears to be at Debian 10 - although not sure about the accelerated graphics.

Jookia commented 3 years ago

Fixed I think. It may take some time for the keys to propagate across key servers. If you've already run the script, try this (untested):

apt-key del '72365C0E95BD25A7EE20C812DDC2AFA22D5777A9'
gpg --recv-key '72365C0E95BD25A7EE20C812DDC2AFA22D5777A9'
gpg --export '72365C0E95BD25A7EE20C812DDC2AFA22D5777A9' | apt-key add -
apt update
apt -y upgrade

tingox commented 3 years ago

Just tested; the steps for updating the keys worked flawlessly, and now apt update and friends work without issues. Thanks!

gpsamu commented 3 years ago

Confirmed here also.

Jookia commented 3 years ago

Thanks for reporting the bug, thanks for testing the fix and thanks for your patience.

For what it's worth the reason this happened is because I assumed GPG expiry applied to when a key could make signatures, not how long the signatures would be valid. I think I'll rotate the key when creating new signatures and burn the old key instead.
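
Added example (not part of the thread and not the project's own code): since apt rejects InRelease with EXPKEYSIG once the signing subkey expires, a repository maintainer can check the keyring for signing-capable keys that are expired or about to expire. It reads `gpg --with-colons --list-keys` output on stdin; the function names, key IDs and timestamps are constructed, and the expiry field is assumed to be in epoch seconds as GnuPG 2.x prints it.

```shell
#!/bin/sh
# Added example: report signing-capable keys/subkeys that are expired or
# expire within a warning window. Colon-listing fields used:
#   1 = record type (pub/sub), 5 = key ID,
#   7 = expiry in epoch seconds (empty = no expiry),
#   12 = capabilities (lowercase "s" = this key itself can sign).

# usage: gpg --with-colons --list-keys FPR | check_signing_expiry NOW WARN_DAYS
check_signing_expiry() {
    awk -F: -v now="$1" -v warn="$(( $2 * 86400 ))" '
        ($1 == "pub" || $1 == "sub") && $12 ~ /s/ {
            if ($7 == "")             state = "OK-NO-EXPIRY"
            else if ($7 + 0 <= now)   state = "EXPIRED"
            else if ($7 - now < warn) state = "EXPIRING"
            else                      state = "OK"
            print state, $1, $5
        }'
}

# Succeeds only if no signing key is expired or inside the warning window,
# so it can gate a cron job or a repository publish step.
signing_keys_healthy() {
    ! check_signing_expiry "$@" | grep -Eq '^(EXPIRED|EXPIRING) '
}

# Constructed sample listing (not real keys): a certify-only primary key,
# one expired signing subkey, one signing subkey close to expiry, one
# encryption subkey (ignored) and one signing subkey with plenty of time.
SAMPLE_KEYS='pub:-:4096:1:1111111111111111:1500000000:::-:::cSC::::::23::0:
fpr:::::::::0000000000000000000000001111111111111111:
sub:e:4096:1:2222222222222222:1500000000:1590000000:::::s::::::23:
sub:-:4096:1:3333333333333333:1600000000:1611000000:::::s::::::23:
sub:-:4096:1:4444444444444444:1600000000:1700000000:::::e::::::23:
sub:-:4096:1:5555555555555555:1600000000:1700000000:::::s::::::23:'

# Constructed "now": 2020-12-30 00:00:00 UTC, with a 30-day warning window.
printf '%s\n' "$SAMPLE_KEYS" | check_signing_expiry 1609286400 30
```

Against a real keyring, pass `$(date +%s)` as the first argument and pipe in the listing for the repository key's fingerprint.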

hairymnstr commented 3 years ago

I can confirm the fix too.

Thanks for all your efforts on this, you've saved my Novenas from scrap!