Ubuntu 22.04: The repository 'https://xpra.org jammy InRelease' is not signed

[Rush-iam]

Describe the bug
Can't install actual Xpra package

To Reproduce
Add keys:

wget -O /usr/share/keyrings/xpra.asc https://xpra.org/gpg.asc
wget -P /etc/apt/sources.list.d https://raw.githubusercontent.com/Xpra-org/xpra/master/packaging/repos/jammy/xpra.sources

Try to update:

apt update

Get errors:

Get:11 https://xpra.org jammy InRelease [4,096 B]               
Err:11 https://xpra.org jammy InRelease
  The following signatures were invalid: EXPKEYSIG 18ADB31CF18AD6BB Antoine Martin <[email protected]>

W: GPG error: https://xpra.org jammy InRelease: The following signatures were invalid: EXPKEYSIG 18ADB31CF18AD6BB Antoine Martin <[email protected]>
E: The repository 'https://xpra.org jammy InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

System Information:

• Server OS: Ubuntu 22.04

[totaam]

Please try downloading the key again:

sudo wget -O /usr/share/keyrings/xpra.asc https://xpra.org/gpg.asc

[Rush-iam]

It now works, thank you!

[BillyCroan]

The path to the key on the website changed from xpra.asc to gpg.asc. I thought I'd highlight that for people like me who didn't see the diffeence at first.

if https://xpra.org/xpra.asc isn't working for you, use https://xpra.org/gpg.asc . That worked for me 2023-05-21

[totaam]

Yes, use the new path for the updated key file with a longer expiry date. (why? see here: #3858 (comment))

[BillyCroan]

If each release needs a new key, might it be good to door them in a directory structure, or use filenames that communicate this? I.e.

/Sigs/Debian/10/gpg.key
Or
/Sigs/Ubuntu/Bionic.key

[totaam]

@BillyCroan I propose #3863 instead.

[allo-]

wget -O /usr/share/keyrings/xpra.asc https://xpra.org/gpg.asc

does not work for me:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://xpra.org bullseye InRelease: The following signatures were invalid: EXPKEYSIG 18ADB31CF18AD6BB Antoine Martin [email protected]

When putting it in /etc/apt/trusted.gpg.d I also get an error because it is armored (-a flag when using gpg --export). Importing it into a personal keyring and exporting it in gpg instead of asc format works for not getting a warning about an invalid key, but still doesn't help to verify the package list of the xpra repo.

[robh-projects]

still broken for me

[normanr]

$ curl -s https://winswitch.org/gpg.asc | gpg --show-keys 
pub   dsa1024 2007-04-18 [SC] [expired: 2023-05-05]
      C11C0A4DF702EDF6C04F458C18ADB31CF18AD6BB
uid                      Antoine Martin <[email protected]>
uid                      [jpeg image of size 4992]
sub   elg2048 2007-04-18 [E] [expired: 2023-05-05]

[normanr]

There's an updated version the key on keyservers, but it hasn't been exported to https://winswitch.org/gpg.asc yet. I managed to update the key by doing:

tmp_keyring=$(mktemp)
keyid=$(gpg --show-key --with-colons xpra.asc | grep ^fpr: | head -n 1 | cut -d: -f10)
gpg --primary-keyring $tmp_keyring --recv-keys $keyid
gpg --primary-keyring $tmp_keyring --export -a $keyid > xpra.asc
rm $tmp_keyring

[mmol67]

Not working for me. What to do?

[allo-]

What keyserver do you use for gpg?

[mmol67]

What keyserver do you use for gpg?

See https://github.com/orgs/Xpra-org/discussions/3892

[totaam]

The correct ticket for GPG key issues is #3863