ungoogled-software / ungoogled-chromium-debian

Debian, Ubuntu, and others packaging for ungoogled-chromium

GPG signature expired #307

Closed arminfelder closed 1 year ago

arminfelder commented 2 years ago

OS/Platform

Debian, Ubuntu, and derivatives

Installed

OS/Platform's package manager

Version

all

Tested upstream?

Description

GPG signature has expired

How to Reproduce?

curl -s 'https://download.opensuse.org/repositories/home:/ungoogled_chromium/Debian_Bullseye/Release.key' | gpg

Actual behaviour

apt is refusing the repository because the signature expired

Expected behaviour

signature should be valid

Relevant log output

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2020-04-24 [SC] [expired: 2022-07-03]
      157C212D66D9B95118C5EDD302456C79B2FD48BF
uid           home:ungoogled_chromium OBS Project <home:ungoogled_chromium@build.opensuse.org>

Additional context

No response
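To catch an expired repository key before apt starts failing, here is an added example (not from the issue or the project) that scans gpg's machine-readable `--with-colons` listing for primary keys whose expiry date has passed. The function names are mine; the constructed sample listing reuses the key id (last 16 hex digits of the fingerprint) and the creation/expiry dates from the `gpg` output above, while the second key in the sample is made up and still valid.

```shell
#!/bin/sh
# Added example, not code from the issue or the project.
# Flags expired signing keys in gpg's --with-colons output. The parser reads
# stdin so it can be run offline; audit_apt_keys() shows the real invocation.

# Print "KEYID EXPIRY-EPOCH" for every primary key whose expiration date is
# earlier than NOW (a Unix timestamp passed as $1). Reads colon records on
# stdin. Field layout (gpg's doc/DETAILS): 1=record type, 2=validity
# ("e" means expired), 5=key id, 6=created, 7=expires (empty = never).
find_expired_keys() {
    now="$1"
    awk -F: -v now="$now" '
        $1 == "pub" && $7 != "" && ($7 + 0) < (now + 0) { print $5, $7 }
    '
}

# Run the check over the key files apt trusts. --show-keys needs gpg 2.2+.
# Not exercised by the offline sample below.
audit_apt_keys() {
    now=$(date +%s)
    for f in /etc/apt/trusted.gpg.d/* /etc/apt/keyrings/* /usr/share/keyrings/*; do
        [ -f "$f" ] || continue
        gpg --batch --with-colons --show-keys "$f" 2>/dev/null \
            | find_expired_keys "$now" \
            | sed "s|^|$f: expired key |"
    done
}

# Constructed sample listing. First key mirrors the one in the report:
# created 2020-04-24 (1587686400), expired 2022-07-03 (1656806400), key id
# 02456C79B2FD48BF. gpg escapes ':' inside user ids as \x3a. The second
# key is made up and expires in 2030.
SAMPLE_COLONS='pub:e:2048:1:02456C79B2FD48BF:1587686400:1656806400::-:::scSC::::::23::0:
fpr:::::::::157C212D66D9B95118C5EDD302456C79B2FD48BF:
uid:e::::1587686400::0000000000000000000000000000000000000000::home\x3aungoogled_chromium OBS Project <home\x3aungoogled_chromium@build.opensuse.org>::::::::::0:
pub:-:4096:1:0000000000000001:1700000000:1900000000::-:::scSC::::::23::0:'
```

Usage on a live system: source the file and run `audit_apt_keys`; anything printed is a key apt will reject with the "expired" error seen in this issue, and the matching sources entry should be disabled until a re-signed key is available.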

therob84 commented 2 years ago

While this bug is probably in the clearing process - how can I meanwhile get completely rid of this error message (most likely by temporarily uninstalling)?

By now it is hindering me from an upgrade process of my system (Linux Mint 20.3 --> 21 (ubuntu 22.04)). I already tried apt remove --purge ungoogled-chromium and manually removed the GPG keys in the UI of Pkexec. But the error message is still the show blocker of my upgrade progress. In short: I can't find uninstall information if I followed the installation process of the OBS package from here. Any help?

Edit: I finally found how to remove the repo after purging (missed it in first try): LinuxMint 'update manager' --> Edit --> Software Sources --> 'Additional Repositories' remove ungoogled-chromium entry.

networkException commented 2 years ago

Sorry to hear that this broke your updates completely. I'm not really sure how to proceed here, sadly.

NGeorgescu commented 2 years ago

run the following as root:

# cd /etc/apt/sources.list.d/ && echo -e "#$(cat home-ungoogled_chromium.list)" > home-ungoogled_chromium.list

(or just manually prepend a "#" to your file in /etc/apt/sources.list.d). This will remove the repo as a source.
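The same cleanup as a small script, added here as an example and not part of the thread or the project: it comments out every active line of a given sources-list file (so it also handles files with more than one `deb` line), and a helper reports how many lines apt would still read. The `/etc/apt/sources.list.d/home-ungoogled_chromium.list` path is the one named in the comment above; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or the project.
# Disable an apt source file by commenting out every active line, so the
# repository is ignored until a valid signing key exists again. Takes the
# file path as an argument so it can be exercised on a temporary file; on a
# real system run it as root, e.g.
#   disable_apt_source /etc/apt/sources.list.d/home-ungoogled_chromium.list
disable_apt_source() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    # Lines that are blank or already comments pass through unchanged;
    # every other line gets a "# " prefix.
    awk '/^[ \t]*$/ || /^[ \t]*#/ { print; next } { print "# " $0 }' "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Count the lines in a source file that apt would still treat as active
# (neither blank nor commented). Always exits 0 so it is safe under set -e.
active_source_lines() {
    grep -c -v -e '^[ \t]*$' -e '^[ \t]*#' "$1" || true
}
```

After disabling the file, `apt update` no longer contacts the repository or complains about its key; re-enabling is a matter of removing the `# ` prefixes once a current key and package are published.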

I'm new here but it looks like this issue has been around for a while. Is this repo maintained or what is the deal?

networkException commented 2 years ago

The Debian packaging is effectively unmaintained. I fear we and the current maintainer are lacking the capacity to keep it updated. At the moment I would recommend using the Flatpak.

ghost commented 2 years ago

Why not just create a new GPG key?

PF4Public commented 2 years ago

> Why not just create a new GPG key?

The Debian packaging is effectively unmaintained.

ghost commented 2 years ago

> Why not just create a new GPG key?

> The Debian packaging is effectively unmaintained.

Meaning it shouldn't be used or nobody wants to update it?

networkException commented 2 years ago

Meaning that there is nobody to update it.

ghost commented 2 years ago

Would I have to build it myself then?

PF4Public commented 2 years ago

> Would I have to build it myself then?

That would be one of the options, the recommended one even.

arebokert commented 2 years ago

> The Debian packaging is effectively unmaintained.

I don't know if I've missed something, but shouldn't this repo then say something like (at the top)

"The debian package repo is effectively unmaintained, please refer to the main repo for instructions on how to build from source" ?

I was not aware and tried to add the repo only to get the error and find this issue. It would save many people time to just have that disclaimer.

ghost commented 1 year ago

No longer relevant.

fir3-1ce commented 1 year ago

How is this no longer relevant? I'm getting the error message now

iskunk commented 1 year ago

> How is this no longer relevant? I'm getting the error message now

Note that the OBS repo hasn't been maintained for some time. Even if you got past the signature issue, Debian_Bullseye is no longer present, and Debian_Sid only has version 112 from last April.

I plan to get the repo back online eventually, but it's a work in progress. (You can build u-c from source yourself using the conversion framework recently added here, but that's obviously a lot to ask of our users.)

fir3-1ce commented 12 months ago

@iskunk Thanks, but I ended up just installing the Jammy deb directly from the OpenSUSE website. I assume that's not maintained either?

I didn't know about that conversion page, but I did actually try compiling from source via the "Building a Binary Package" instructions on the main page. I installed all the dependencies successfully, but when it came to the final step (dpkg-buildpackage -b -uc), it failed. So that's when I just downloaded the precompiled deb.

Is there any urgent reason I should still compile from source if the deb package works? Any major security issues?

iskunk commented 12 months ago

The Ubuntu section of the OBS site is no better off, I'm afraid. Only the Arch Linux one has a current version.

I would strongly advise not running version 112.

To illustrate why, I would suggest having a look at the changelog for version 119.0.6045.159, which is current as of this writing. (That link is actually to the Debian package changelog, not the official Chromium one, but it will do for our purposes.)

There, you can see that the latest version is a security release. There are two CVEs listed, each one indicating a security vulnerability of one form or another. Those two are fixed in that release.

Now, the version currently in the Jammy section is 112.0.5615.121, which came out in mid-April. You have to scroll down a bit to find it in the log (Ctrl-F is probably best). Look, that one was also a security release, with one fixed CVE.

Okay. Now... scroll up from the entry for that old version, and take note of every CVE listed above.

Alllll those CVEs are unaddressed in the version of Chromium that you downloaded :sweat:

Compiling Chromium from source can be tricky. The main scripts in this repo haven't been maintained lately; that's ultimately why the OBS repo has fallen behind. The conversion framework works, FWIW, but that is additional tooling that you may or may not be comfortable with using.

The easiest option, assuming you are on Ubuntu jammy or later, would be to use the XtraDeb build (or, alternately, the XtraDeb source, which has already been run through the conversion process).
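The CVE tally described above, automated: an added example (not iskunk's or the project's code) that counts the distinct CVE ids listed in changelog entries newer than the version you are running, i.e. the fixes you do not have. It works on a changelog in the standard Debian format, stopping at the entry header for the installed version the same way the Ctrl-F walk-through does. The sample changelog, its placeholder `CVE-0000-…` ids, dates and the 118.x version are constructed; 119.0.6045.159 and 112.0.5615.121 are the versions named in the comment, and the function name is mine.

```shell
#!/bin/sh
# Added example, not code from the thread or the project.
# Count the distinct CVE ids mentioned in changelog entries newer than a
# given version. Entry headers look like
#   chromium (119.0.6045.159-1) unstable; urgency=high
# and entries are newest-first, so everything above the installed version's
# header is a fix that version lacks.

# Usage: unfixed_cve_count INSTALLED_VERSION < debian/changelog
# Prints the count; exits 1 if the version is not in the changelog.
unfixed_cve_count() {
    installed="$1"
    awk -v want="$installed" '
        # Entry header: "package (version) distribution; ..."
        /^[A-Za-z0-9][A-Za-z0-9.+-]* \(/ {
            ver = $2; sub(/^\(/, "", ver); sub(/\)$/, "", ver)
            sub(/-[^-]*$/, "", ver)      # drop the Debian revision (-1)
            if (ver == want) { found = 1; exit }
        }
        {
            # Collect every CVE id on the line; duplicates count once.
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+/)) {
                seen[substr(line, RSTART, RLENGTH)] = 1
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END {
            if (!found) { print "version not found in changelog" > "/dev/stderr"; exit 1 }
            n = 0; for (k in seen) n++; print n
        }
    '
}

# Constructed sample changelog with placeholder CVE ids (CVE-0000-xxxx are
# not real identifiers). One id is listed under two releases on purpose.
SAMPLE_CHANGELOG='chromium (119.0.6045.159-1) unstable; urgency=high

  * New upstream security release.
    - CVE-0000-1001: placeholder id
    - CVE-0000-1002: placeholder id

 -- Example Maintainer <maintainer@example.invalid>  Tue, 14 Nov 2023 00:00:00 +0000

chromium (118.0.5993.117-1) unstable; urgency=high

  * New upstream security release.
    - CVE-0000-1002: placeholder id (also above, counted once)
    - CVE-0000-1003: placeholder id

 -- Example Maintainer <maintainer@example.invalid>  Tue, 31 Oct 2023 00:00:00 +0000

chromium (112.0.5615.121-1) unstable; urgency=high

  * New upstream security release.
    - CVE-0000-1004: placeholder id

 -- Example Maintainer <maintainer@example.invalid>  Fri, 14 Apr 2023 00:00:00 +0000'
```

Against a real changelog, `unfixed_cve_count 112.0.5615.121 < changelog` gives the number behind the "all those CVEs are unaddressed" remark; the same counter can be pointed at whatever version a stale third-party repository still ships.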

satonotdead commented 3 weeks ago

Is it still unmaintained? Furthermore, why is this issue closed?

iskunk commented 3 weeks ago

> Is it still unmaintained? Furthermore, why is this issue closed?

Hi @satonotdead,

At this point, the solution is in #349, and it is awaiting review by the project principals. Please follow that issue to stay on top of the Debian repo coming back to life!

This issue has been closed for a while, but it is really a side effect of the problem (lack of repo maintenance), not the problem itself. Even if the signature were updated, we don't have a current package to distribute (using that signature) yet, so there's not much point in addressing this issue alone.