packages.netxms.org – signing keys are expired (again, d'oh)

Started by Alex Kirhenshtein, March 28, 2022, 03:45:25 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Alex Kirhenshtein

March 28, 2022, 03:45:25 PM
As some of you already noticed – our signing key for deb repository is expired.
Normally we update the key and ship updated version of the netxms-release package, which transparently install correct version into trusted keys. This time we missed it and now most of you have expired key, which prevent further upgrades.

Error looks something like this:
Code Select
...
Err:4 http://packages.netxms.org/debian bullseye InRelease
  The following signatures were invalid: EXPKEYSIG 179C0A80CDFADDB1 NetXMS Automatic Signing Key <[email protected]>
Reading package lists... Done
W: GPG error: http://packages.netxms.org/debian bullseye InRelease: The following signatures were invalid: EXPKEYSIG 179C0A80CDFADDB1 NetXMS Automatic Signing Key <[email protected]>
E: The repository 'http://packages.netxms.org/debian bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.


How to fix it:

1) If source and key was added by "netxms-release" package (recommended way), it's simple:

Code Select

curl --proto '=https' --tlsv1.2 -O https://packages.netxms.org/netxms-release_1.10_all.deb
dpkg -i netxms-release_1.10_all.deb
apt update


2) If key was manually added to trusted.gpg.d

Code Select

curl --proto '=https' --tlsv1.2 -o /etc/apt/trusted.gpg.d/netxms-keyring.gpg https://packages.netxms.org/netxms-keyring.gpg # adjust file location
apt update


I highly recommend you to migrate to netxms-release package.

3) If key was added with "apt-key add" command

Code Select
apt-key del 179C0A80CDFADDB11 # repease until apt-key list shows no key
curl --proto '=https' --tlsv1.2 -sSf https://packages.netxms.org/netxms.gpg | apt-key add -


Again, I highly recommend you to migrate to netxms-release package.

normalcy

#1
April 06, 2022, 02:50:09 PM
Hi, I tried updating using the package, and using the netxms-keyring.gpg however I found I still got the old version expiring on the 24/3 with those.

Seemed only the third option (curl --proto '=https' --tlsv1.2 -sSf https://packages.netxms.org/netxms.gpg | apt-key add -) gave me the updated key and allowed apt update to work?

Alex Kirhenshtein

#2
April 06, 2022, 03:15:05 PM
Check output of "apt-key list", most likely you have old key imported into another keystore.

Quote from: normalcy on April 06, 2022, 02:50:09 PM
Hi, I tried updating using the package, and using the netxms-keyring.gpg however I found I still got the old version expiring on the 24/3 with those.
Print
Go Up Pages1
User actions