update

albertlauncher · May 2, 2024 · ca927aa · ca927aa
1 parent 198064e
commit ca927aa
Showing 1 changed file with 65 additions and 0 deletions.
diff --git a/src/_posts/2024-05-02-EXPKEYSIG.md b/src/_posts/2024-05-02-EXPKEYSIG.md
@@ -0,0 +1,65 @@
+---
+layout: docs
+title:  "GPG error: Signatures invalid: EXPKEYSIG"
+date: 2024-05-02 18:00
+---
+
+*tl;dr* (But keep in mind that that the key will expire again in future)
+
+```sh
+curl -fsSL "https://build.opensuse.org/projects/home:manuelschneid3r/signing_keys/download?kind=gpg" | gpg --dearmor > /etc/apt/trusted.gpg.d/home_manuelschneid3r.gpg
+```
+
+If you have Albert installed and recently tried to update your system you probably ran into this error:
+
+```
+# apt update
+Hit:1 http://ports.ubuntu.com/ubuntu-ports jammy InRelease
+Get:2 http://download.opensuse.org/repositories/home:/manuelschneid3r/xUbuntu_22.10  InRelease [1557 B]
+Hit:3 http://ports.ubuntu.com/ubuntu-ports jammy-updates InRelease
+Hit:4 http://ports.ubuntu.com/ubuntu-ports jammy-backports InRelease
+Hit:5 http://ports.ubuntu.com/ubuntu-ports jammy-security InRelease
+Err:2 http://download.opensuse.org/repositories/home:/manuelschneid3r/xUbuntu_22.10  InRelease
+  The following signatures were invalid: EXPKEYSIG 1488EB46E192A257 home:manuelschneid3r OBS Project <home:[email protected]>
+Reading package lists... Done
+W: GPG error: http://download.opensuse.org/repositories/home:/manuelschneid3r/xUbuntu_22.10  InRelease: The following signatures were invalid: EXPKEYSIG 1488EB46E192A257 home:manuelschneid3r OBS Project <home:[email protected]>
+E: The repository 'http://download.opensuse.org/repositories/home:/manuelschneid3r/xUbuntu_22.10  InRelease' is not signed.
+N: Updating from such a repository can't be done securely, and is therefore disabled by default.
+N: See apt-secure(8) manpage for repository creation and user configuration details.
+```
+
+The per repository key of most repos expired recently:
+
+```
+curl -fsSL "https://download.opensuse.org/repositories/home:manuelschneid3r/xUbuntu_22.04/Release.key" | gpg --dearmor | gpg --show-keys
+pub   rsa2048 2017-10-27 [SC] [expired: 2024-04-29]
+      A4B83CD05FDF5C5178482D4A1488EB46E192A257
+uid                      home:manuelschneid3r OBS Project <home:[email protected]>
+```
+
+Open Build Service updates this key only on publish and only if the key is expired.
+That's unfortunate because I would have to publish a release as soon as the key expired.
+And even if I did, DEB users have to manually add the new key.
+I started a discussion with the people of OBS.
+One solution would be to ship a dedicated package containing an up to date key.
+However that's quite some maintenance work.
+Fortunately the guys at OBS offered an alternative solution.
+Expiry dates of keys are [soon](https://github.com/openSUSE/open-build-service/pull/16082) user configurable.
+Setting the expiry date to some more years than the default two years will make this less of a problem since most users will have set up a new OS by then anyway.
+Until the mentioned PR has been merged and the key is still valid for around two years only users of the affected distributions have to run the command above to update the key.
+Everything should be fine until 2026-07-11 then.
+
+```
+curl -fsSL "https://build.opensuse.org/projects/home:manuelschneid3r/signing_keys/download?kind=gpg" | gpg --dearmor | gpg --show-keys
+pub   rsa2048 2017-10-27 [SC] [expires: 2026-07-11]
+      A4B83CD05FDF5C5178482D4A1488EB46E192A257
+uid                      home:manuelschneid3r OBS Project <home:[email protected]>
+```
+
+
+
+
+
+
+
+