Debian repository signing key for packages.element.io expires on 2023-04-15
#807
Comments
|
One way to get everyone to update would be to build and distribute a |
|
See also matrix-org/synapse#10389 |
So a keyring package signed by the current key, containing the old and new key at first, then just the (future) current key until it is time to renew again? |
|
Typically we don't replace the key, just reissue the same on with an extended validity period. So: a keyring package signed by the current key, containing the current key. |
|
But having a package would help us in case we need to rotate a key too, right? |
|
yes |
|
Two birds with one stone then. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
|
Just for clarity, since it confused me for a while:
This is different to the key at https://packages.element.io/element-release-key.gpg. |
|
Thanks for your help with this @richvdh - new keyring has been deployed, along with a keyring package included in 1.11.25 onwards, I will ensure some announcement/docs are available for anything updating from <1.11.25 after the expiration date of the old keyring |
|
The previous GPG key securing our Debian repository packages.element.io expires on the 15th April 2023, we've reissued the same key with an extended validity period. If when running
Run |
|
@t3chguy Sadly not working for me : |
|
@t3chguy Alas, that didn't compute: |
|
@philclifford & @stayen what does your |
|
This worked for me: $ grep signed-by /etc/apt/sources.list.d/packages_riot_im_debian.list
deb [arch=amd64 signed-by=/usr/share/keyrings/element-desktop-keyring.gpg] https://packages.riot.im/debian/ bullseye main
$ sudo gpg --no-default-keyring \
--keyring /usr/share/keyrings/element-desktop-keyring.gpg \
--refresh-keys |
|
Thanks @eighthave : the grep '^deb.*elemen' /etc/apt/sources.list.d/*list
/etc/apt/sources.list.d/element-io.list:deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default mainAs shown above that file was already the new keyring. Only after the |
The second step seems like it should be unnecessary - the apt sources list only refers to @philclifford and @eighthave appear to have apt-sources lists (or some other apt configuration) which refer to the wrong keyring file. I'd recommend fixing that problem and deleting the second keyring file, otherwise you're going to have the same problem next time the key gets updated. |
On https://element.io/download#linux
Looks like I'm in sync. The trick with "--refresh-keys" from @eighthave comment above worked for me, though: after importing the keys, no complaints from apt. Thanks. |
|
The setup I'm referring to predates the element keyring package, that's why it
has a different path.
|
|
None of the solutions here offered are working here, I still get "The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages [email protected]" Using Ubuntu 22.04, anyone has the same system? |
|
@trancephorm I had that issue because in addition to the element-repo, I still had the old |
|
Yes I noticed that in the meantime and deleted old repo. Now it's ok, thank you... Isn't it possible that this repository information is also updated with .deb packages? It's a must if you ask me. |
|
In case anyone else ends up down this internet rabbit hole like me, the easier fix is simply sudo wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpgAssuming that is the key that has been used to sign in the output of grep signed-by /etc/apt/sources.list.d/packages_riot_im_debian.list
# or if on ubuntu
grep signed-by /etc/apt/sources.list.d/element-io.list |
Isn't that exactly what it says at #807 (comment)? Or am I missing some detail? |
Nope, you are correct. I missed that line at the end of that answer. I think I saw the image and then my brain thought "this is just someone reporting the same issue I am having". I'm happy to delete my answer if you think that is appropriate. |
Just wanted to check I wasn't missing something. |
|
I tried every solution here, twice, still no luck. I still get E: The repository 'https://packages.riot.im/debian default Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. |
I am still confronted with the same issue. Have tried all the above and more, but none really helped. |
|
Same here. None of the suggested fixes work for me. Using Ubuntu 20.04.LTS. |
|
Also running into the same issue. Tried all the suggestions, but am unable to move forward. Does anyone know a good way we could simply start over? |
|
Those still having trouble:
|
|
@richvdh Thank you for this - looks like the part of this that worked for me specifically was the second step:
@joho1968 take a look and see if these help you out as well. |
|
@richvdh . thank you for the tip! It helped to remove the files first. Now |
|
Had the same problem. The quick solution was:
|
|
Way to overcomplicate this. Don't break things for users if you can't publish steps to easily remedy it. Linking to private internal docs or letting users post 10 different workarounds is not good software engineering. |
What private internal docs? Users which were relatively up to date (2 months or less) would have had zero interruption as long as they followed instructions on element.io to begin with, as Other users can follow #807 (comment) assuming they installed following the instructions at element.io. There's an infinite number of ways you can modify your apt sources and gpg keyrings configurations to vary from the official installation instructions in which case no off the shelf instructions will help you. |
Yeah, I had some old riot stuff lying around apparently. After following the post you were quoting and removing |
|
I had the issue where The solution was to |
|
@Master-Koy its literally complaining about a different repository. Remove the faulty repository to unbreak your apt-get. |
|
No, as it depends on how you added deb.leap.se, I suggest asking them for help. |
|
How would I know, they're in your computer's apt sources. Our instructions don't mention deb.leap.se whatsoever. |
See #807 (comment)
The debian installation instructions for element desktop, at https://element.io/get-started#linux-details, suggest downloading the key at https://packages.element.io/debian/element-io-archive-keyring.gpg and configuring apt to trust it.
This key will expire on 2023-04-15. Before then it will be necessary to update the key and get everyone to download it again.
See element-hq/element-web#16960 for the last time this happened.
The text was updated successfully, but these errors were encountered: