Debian repo key expired #16960

Closed
turt2live opened this issue Apr 15, 2021 · 15 comments
Labels
A-Packaging Packaging, signing, releasing P1 S-Critical Prevents work, causes data loss and/or has no workaround Z-Platform-Specific

Comments

@turt2live
Member

turt2live commented Apr 15, 2021

Solution

#16960 (comment)

Original description

# apt update
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Get:5 https://packages.riot.im/debian default InRelease [2892 B]
Err:5 https://packages.riot.im/debian default InRelease
  The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages <[email protected]>
Reading package lists... Done
W: GPG error: https://packages.riot.im/debian default InRelease: The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages <[email protected]>
E: The repository 'https://packages.riot.im/debian default InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
@turt2live turt2live added A-Packaging Packaging, signing, releasing P1 S-Critical Prevents work, causes data loss and/or has no workaround Z-Platform-Specific labels Apr 15, 2021
@turt2live
Member Author

Same error for buster: https://paste.debian.net/1193805/

@turt2live
Member Author

Theory is the GPG key may have expired from 2019, finally: https://matrix.org/blog/2019/04/11/we-have-discovered-and-addressed-a-security-breach-updated-2019-04-12 (would have rotated it around this time)

@me-minus

I see the error too!

gpg -v /usr/share/keyrings/riot-im-archive-keyring.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: Note: signature key C2850B265AC085BD expired tor 15 apr 2021 01:42:12 CEST
pub rsa4096 2019-04-15 [SC] [expires: 2024-04-13]
12D4CD600C2240A9F4A82071D7B0B66941D01538
uid riot.im packages [email protected]
sig D7B0B66941D01538 2019-04-15 [selfsig]
sig 8A1F93D575B5E8D5 2019-04-15 [User ID not found]
sub rsa3072 2019-04-15 [S] [expired: 2021-04-14]
sig D7B0B66941D01538 2019-04-15 [keybind]

@turt2live
Member Author

turt2live commented Apr 15, 2021

Repo should be fixed now. There's an updated key that will have to be acquired: see the steps on https://element.io/get-started under the Linux link for details.

If people run into problems, please visit https://matrix.to/#/#element-web:matrix.org for support

@turt2live turt2live pinned this issue Apr 15, 2021
@ashed

ashed commented Apr 16, 2021

sudo ls -la /usr/share/keyrings/
sudo rm /usr/share/keyrings/riot-im-archive-keyring.gpg

Then update keyring

https://element.io/get-started

Debian / Ubuntu (64-bit)

sudo apt install -y wget apt-transport-https

sudo wget -O /usr/share/keyrings/riot-im-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ default main" | sudo tee /etc/apt/sources.list.d/riot-im.list

sudo apt update

sudo apt install element-desktop

@DanLo-peratingSystem

DanLo-peratingSystem commented Apr 19, 2021

@ashed

You missed a URL on your 4th step (sudo wget...), here is the corrected and complete procedure:

#### Remove old key first : ###
sudo ls -la /usr/share/keyrings/                           # check for key existence
sudo rm /usr/share/keyrings/riot-im-archive-keyring.gpg    # remove

### Now get back the updated one : ###
sudo apt install -y wget apt-transport-https               # should already be OK.

sudo wget -O /usr/share/keyrings/riot-im-archive-keyring.gpg https://packages.riot.im/debian/riot-im-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ default main" | sudo tee /etc/apt/sources.list.d/riot-im.list

sudo apt update                                     # should probably find an element-desktop upgrade

@niquewoodhouse niquewoodhouse unpinned this issue Apr 20, 2021
@turt2live turt2live pinned this issue Apr 22, 2021
@turt2live turt2live changed the title Debian repo is complaining about key mismatch Debian repo key expired Apr 22, 2021
@ashed

ashed commented Apr 26, 2021

#### Remove old key first : ###
sudo ls -la /usr/share/keyrings/                           # check for key existence
sudo rm /usr/share/keyrings/riot-im-archive-keyring.gpg    # remove

### Now get back the updated one : ###
sudo apt install -y wget apt-transport-https               # should already be OK.

sudo wget -O /usr/share/keyrings/riot-im-archive-keyring.gpg https://packages.riot.im/debian/riot-im-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ default main" | sudo tee /etc/apt/sources.list.d/riot-im.list

sudo apt update                                     # should probably find an element-desktop upgrade

I am so sorry. Thank you for the fix.

@Rspigler

AFAICT, the new key isn't signed by anyone.

Can someone confirm for me that this is the fingerprint of the new key?

12D4CD600C2240A9F4A82071D7B0B66941D01538

In the future, before changing keys, can you have the old key sign the new key?

@richvdh
Member

richvdh commented May 4, 2021

> AFAICT, the new key isn't signed by anyone.

The key is unchanged. Only the expiry date has been updated.

> Can someone confirm for me that this is the fingerprint of the new key?
>
> 12D4CD600C2240A9F4A82071D7B0B66941D01538

That is the fingerprint of the master key, yes, and has been for the last two years. The fingerprint of the signing subkey (which is the one that expired) was, and still is, 75741890063E5E9A46135D01C2850B265AC085BD.

@Rspigler

Rspigler commented May 4, 2021

So weird, I don't have that subkey locally (see it on keyservers though)

gpg --list-sigs riot.im packages

pub rsa4096 2019-04-15 [SC] [expires: 2024-04-13]
12D4CD600C2240A9F4A82071D7B0B66941D01538
uid [ unknown] riot.im packages [email protected]
sig 3 D7B0B66941D01538 2019-04-15 riot.im packages [email protected]
sub rsa3072 2019-04-15 [S] [expires: 2023-04-15]
sig D7B0B66941D01538 2021-04-15 riot.im packages [email protected]

Sorry about that, thank you!

@richvdh
Member

richvdh commented May 5, 2021

> sub rsa3072 2019-04-15 [S] [expires: 2023-04-15]
> sig D7B0B66941D01538 2021-04-15 riot.im packages [email protected]

This is probably the signing subkey, together with its signature by the master key. Try --with-subkey-fingerprints.
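
The distinction drawn in the comment above, between the master key fingerprint and the signing subkey whose long key ID appears in apt's EXPKEYSIG message, can be checked mechanically. The following is an added example, not part of the original thread or the project's tooling; the function names key_report, lookup_keyid and sample_keyring are hypothetical, and the sample record is constructed (fingerprints taken from this thread, timestamps set to midnight UTC on the dates shown in the earlier gpg output).

```shell
#!/bin/sh
# Added example: classify keys from `gpg --with-colons` output read on stdin.
# On a real system (recent GnuPG 2.x) the input would come from:
#   gpg --show-keys --with-colons --with-subkey-fingerprints \
#       /usr/share/keyrings/riot-im-archive-keyring.gpg | key_report "$(date +%s)"

# key_report NOW: print "type fingerprint capabilities status" for each key.
key_report() {
    awk -F: -v now="$1" '
        $1 == "pub" || $1 == "sub" {
            type = $1; caps = $12; expiry = $7
            # Field 7 is the expiry in epoch seconds; empty means no expiry.
            status = (expiry != "" && expiry + 0 <= now + 0) ? "EXPIRED" : "valid"
            pending = 1; next
        }
        # The fpr record after a pub/sub record holds its fingerprint (field 10).
        $1 == "fpr" && pending {
            print type, $10, caps, status
            pending = 0
        }'
}

# lookup_keyid NOW KEYID: show the key whose fingerprint ends in the long
# key ID that apt printed (e.g. after EXPKEYSIG or NO_PUBKEY).
lookup_keyid() {
    key_report "$1" | awk -v id="$2" '
        length($2) >= length(id) && substr($2, length($2) - length(id) + 1) == id'
}

# Constructed sample in colon format: master key valid until 2024-04-13,
# signing subkey expired 2021-04-14 (the state before the expiry was extended).
sample_keyring() {
    cat <<'EOF'
pub:-:4096:1:D7B0B66941D01538:1555286400:1712966400::-:::scSC::::::23::0:
fpr:::::::::12D4CD600C2240A9F4A82071D7B0B66941D01538:
uid:-::::1555286400::::riot.im packages:
sub:e:3072:1:C2850B265AC085BD:1555286400:1618358400:::::s::::::23:
fpr:::::::::75741890063E5E9A46135D01C2850B265AC085BD:
EOF
}

# 1618444800 is 2021-04-15 00:00 UTC, the day this issue was opened.
sample_keyring | lookup_keyid 1618444800 C2850B265AC085BD
```

Run against the sample, the key ID from the apt error resolves to the expired signing subkey, while the master key with the fingerprint asked about earlier in the thread is still valid.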

@Rspigler

Rspigler commented May 6, 2021

Ah, learn something new every day! That worked, thanks!

@gandru2

gandru2 commented Jan 30, 2022

Hi
Seems to still have the issue following the doc, first time I try to install Element
Any help would be welcome
Thanks
Regards

$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
$ wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpg
--2022-01-30 12:10:17--  https://packages.element.io/debian/element-io-archive-keyring.gpg
Resolving packages.element.io (packages.element.io)... 172.67.71.92, 104.26.15.62, 104.26.14.62, ...
Connecting to packages.element.io (packages.element.io)|172.67.71.92|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2577 (2,5K) [application/octet-stream]
Saving to: ‘/usr/share/keyrings/element-io-archive-keyring.gpg’

/usr/share/keyrings/eleme 100%[=====================================>]   2,52K  --.-KB/s    in 0s      

2022-01-30 12:10:17 (51,3 MB/s) - ‘/usr/share/keyrings/element-io-archive-keyring.gpg’ saved [2577/2577]
$ echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default main" |tee /etc/apt/sources.list.d/element-io.list
deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default main
$ cat /etc/apt/sources.list.d/element-io.list
deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default main
$ apt update
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 https://packages.element.io/debian default InRelease [2 892 B]
Hit:5 https://packages.grafana.com/oss/deb stable InRelease
**Err:4 https://packages.element.io/debian default InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY C2850B265AC085BD**
Reading package lists... Done
W: GPG error: https://packages.element.io/debian default InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY C2850B265AC085BD
E: The repository 'https://packages.element.io/debian default InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

@msoutopico

msoutopico commented Apr 20, 2023

Hi there. I got this issue today. I have followed the steps above shared by @ashed and @DanieLoche, but I keep getting the same error when I do sudo apt update:

Err:10 https://packages.element.io/debian default InRelease                                        
  The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages <[email protected]>
Hit:19 https://packagecloud.io/AtomEditor/atom/any any InRelease      
Hit:20 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Fetched 9,622 B in 3s (2,789 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.element.io/debian default InRelease: The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages <[email protected]>
W: Failed to fetch https://packages.riot.im/debian/dists/default/InRelease  The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages <[email protected]>
W: Some index files failed to download. They have been ignored, or old ones used instead.

@t3chguy
Member

t3chguy commented Apr 20, 2023

@msoutopico see pinned issue element-hq/element-desktop#807

@element-hq element-hq locked as resolved and limited conversation to collaborators Apr 20, 2023
9 participants