Debian8 OpenSuse repository using invalid GPG Key


Post by jeromecc » Sat Dec 05, 2015 7:43 pm

Hi!

I wanted to try an up-to-date version of Retroshare on my Debian 8 Stable Jessie laptop.
I followed instructions there: http://retroshare.sourceforge.net/downloads.html
When I do
sudo apt-get update
I get this error message:
W: GPG error: http://download.opensuse.org Release: The following signatures were invalid: KEYEXPIRED 1382601045
When I do sudo apt-get install retroshare06
I get:
WARNING: The following packages cannot be authenticated!
libsqlcipher0 retroshare06
Install these packages without verification? [y/N]

Which is a bit scary for a secure application used for sensitive data like Retroshare.

Could you ask the repository maintainer to update his key or better: create a new one?
The key used to sign the package is a 1024 bit long DSA key.
DSA keys in general and short ones in particular are not considered secure anymore....

Thanks.
jeromecc
 
Posts: 1
Joined: Sat Dec 05, 2015 7:26 pm

Re: Debian8 OpenSuse repository using invalid GPG Key

Post by Svampen » Thu Dec 10, 2015 3:36 pm

The release key must be imported by the user first to be trusted:

Code:
wget -qO - http://download.opensuse.org/repositories/home:AsamK:RetroShare/Debian_8.0/Release.key | sudo apt-key add -
Svampen
 
Posts: 71
Joined: Tue Jan 20, 2009 2:35 pm

Re: Debian8 OpenSuse repository using invalid GPG Key

Post by isaaclw » Fri Aug 18, 2017 3:59 pm

Code:
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/sources.list.d/retroshare06.list"
wget -qO - http://download.opensuse.org/repositories/home:AsamK:RetroShare/Debian_8.0/Release.key | sudo apt-key add -
sudo apt-get update


Produces this output:

Code:
isaac@tesla:~$ sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/sources.list.d/retroshare06.list"
isaac@tesla:~$ wget -qO - http://download.opensuse.org/repositories/home:AsamK:RetroShare/Debian_8.0/Release.key | sudo apt-key add -
OK
isaac@tesla:~$ sudo apt-get update
Hit:1 http://security.debian.org stretch/updates InRelease         
Ign:2 http://ftp.us.debian.org/debian stretch InRelease
Hit:3 http://ftp.us.debian.org/debian stretch-updates InRelease         
Hit:4 http://ftp.us.debian.org/debian stretch-backports InRelease       
Hit:5 http://ftp.us.debian.org/debian stretch Release                   
Ign:6 http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  InRelease
Get:8 http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Release [1,003 B]
Get:9 http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Release.gpg [189 B]
Ign:9 http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Release.gpg
Hit:10 http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Packages
Fetched 1,192 B in 2s (541 B/s)
Reading package lists... Done
W: GPG error: http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Release: The following signatures were invalid: E2CE3677C8015772D097B0AA9418A47921691F91
W: The repository 'http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.


Google seems to indicate that this key is expired.
isaaclw
 
Posts: 14
Joined: Thu Oct 18, 2012 1:03 pm
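
Added example, not part of any post above and not RetroShare or apt code: a Python check that decodes the two apt warnings quoted in this thread and audits a key listing before the key is passed to apt-key. The key record and its key ID are constructed placeholders, the 2048-bit floor is an assumed policy, and the listing format is gpg's colon output.

```python
import re
from datetime import datetime, timezone

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1).
ALGOS = {"1": "RSA", "16": "ElGamal", "17": "DSA"}
# Assumed policy floor for this example, not an apt or GnuPG default.
MIN_BITS = {"RSA": 2048, "DSA": 2048}

def utc_date(ts):
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d")

def explain_apt_warning(line):
    """Turn the reason in an apt 'signatures were invalid' warning into plain words."""
    m = re.search(r"signatures were invalid: (.+)$", line)
    if not m:
        return None
    reason = m.group(1).strip()
    expired = re.fullmatch(r"KEYEXPIRED (\d+)", reason)
    if expired:  # the number is the key's expiry time in Unix epoch seconds
        return f"signing key expired on {utc_date(expired.group(1))} UTC"
    if re.fullmatch(r"[0-9A-F]{40}", reason):  # bare fingerprint, no reason code
        return f"signature by key {reason} rejected"
    return reason

def audit_keys(colon_listing, now):
    """Flag expired or undersized keys in `gpg --show-keys --with-colons FILE` output."""
    findings = []
    for record in colon_listing.splitlines():
        f = record.split(":")
        if f[0] not in ("pub", "sub"):
            continue  # uid, fpr and other record types carry no key parameters
        bits, algo, keyid, expires = int(f[2]), ALGOS.get(f[3], "algo " + f[3]), f[4], f[6]
        if expires and int(expires) <= now:
            findings.append((keyid, f"expired {utc_date(expires)}"))
        if bits < MIN_BITS.get(algo, 0):
            findings.append((keyid, f"{bits}-bit {algo} below {MIN_BITS[algo]}-bit floor"))
    return findings

# Warning lines as quoted in the thread.
SAMPLE_WARNINGS = [
    "W: GPG error: http://download.opensuse.org Release: The following signatures were invalid: KEYEXPIRED 1382601045",
    "W: GPG error: http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0  Release: The following signatures were invalid: E2CE3677C8015772D097B0AA9418A47921691F91",
]
# Constructed record matching the first post (1024-bit DSA, same expiry);
# the key ID and creation time are placeholders, not the real key's values.
SAMPLE_LISTING = "pub:e:1024:17:0000000000000000:1314000000:1382601045::-:::sc:\n"

if __name__ == "__main__":
    for w in SAMPLE_WARNINGS:
        print(explain_apt_warning(w))
    # 1449273600 is 2015-12-05 00:00 UTC, the date of the first post.
    for keyid, issue in audit_keys(SAMPLE_LISTING, now=1449273600):
        print(keyid, issue)
```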

