The Retroshare forums

[jeromecc]

Hi!

I wanted to try an up to date version of Retroshare on my Debian 8 Stable Jessie laptop.
I followed instructions there: http://retroshare.sourceforge.net/downloads.html
When I do
sudo apt-get udpate
I get this error message:
W: GPG error: http://download.opensuse.org Release: The following signatures were invalid: KEYEXPIRED 1382601045
When I do sudo apt-get install retroshare06
I get:
WARNING: The following packages cannot be authenticated!
libsqlcipher0 retroshare06
Install these packages without verification? [y/N]

Which is a bit scary for a secure application used for sensitive data like Retroshare.

Could you ask the repository maintainer to update his key or better: create a new one?
The key used to sign the package is a 1024 bit long DSA key.
DSA keys in general and short ones in particular are not considered secure anymore....

Thanks.

[Svampen]

The release key must be imported by the user first to be trusted:

Code: Select all

wget -qO http://download.opensuse.org/repositories/home:AsamK:RetroShare/Debian_8.0/Release.key | sudo apt-key add -

[isaaclw]

Code: Select all

sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/sources.list.d/retroshare06.list"
wget -qO - http://download.opensuse.org/repositories/home:AsamK:RetroShare/Debian_8.0/Release.key | sudo apt-key add -
sudo apt-get update


Produces this output:

Code: Select all

isaac@tesla:~$ sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/sources.list.d/retroshare06.list"
isaac@tesla:~$ wget -qO - http://download.opensuse.org/repositories/home:AsamK:RetroShare/Debian_8.0/Release.key | sudo apt-key add -
OK
isaac@tesla:~$ sudo apt-get update
Hit:1 http://security.debian.org stretch/updates InRelease         
Ign:2 http://ftp.us.debian.org/debian stretch InRelease
Hit:3 http://ftp.us.debian.org/debian stretch-updates InRelease         
Hit:4 http://ftp.us.debian.org/debian stretch-backports InRelease       
Hit:5 http://ftp.us.debian.org/debian stretch Release                   
Ign:6 http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  InRelease
Get:8 http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Release [1,003 B]
Get:9 http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Release.gpg [189 B]
Ign:9 http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Release.gpg
Hit:10 http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Packages
Fetched 1,192 B in 2s (541 B/s)
Reading package lists... Done
W: GPG error: http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Release: The following signatures were invalid: E2CE3677C8015772D097B0AA9418A47921691F91
W: The repository 'http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.


Google seems to indicate that this key is expired.