Opened 6 months ago

Closed 6 months ago

Last modified 6 weeks ago

#2654 closed defect (fixed)

Signature on Ubuntu Focal Repo expired.

Reported by: jk464@… Owned by:
Priority: critical Milestone:
Component: other Version: 1.25.x
Keywords: Cc:
uname -a: Linux 85b21df39a12 6.6.31-linuxkit #1 SMP Thu May 23 08:36:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: N/a

Description

The repo:

deb http://nginx.org/packages/ubuntu/ focal nginx

Is signed with an expired GPG key:

Err:3 http://nginx.org/packages/ubuntu focal InRelease

The following signatures were invalid: EXPKEYSIG ABF5BD827BD9BF62 nginx signing key <signing-key@…>

pub rsa2048 2011-08-19 [SC] [expires: 2024-06-14]

573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62

uid nginx signing key <signing-key@…>

Change History (6)

comment:1 by jk464@…, 6 months ago

Double checking - and yes that repo is definitely signed with the expired key

❯ wget http://nginx.org/packages/ubuntu/dists/focal/InRelease
--2024-06-14 16:28:49-- http://nginx.org/packages/ubuntu/dists/focal/InRelease
Resolving nginx.org (nginx.org)... 52.58.199.22, 3.125.197.172
Connecting to nginx.org (nginx.org)|52.58.199.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3602 (3.5K) [application/octet-stream]
Saving to: ‘InRelease

InRelease 100%[====================================================================================================================================================================================================>] 3.52K --.-KB/s in 0s

2024-06-14 16:28:50 (54.5 MB/s) - ‘InRelease’ saved [3602/3602]

❯ gpgv InRelease
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/Users/sswann/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Wed 29 May 21:47:10 2024 BST
gpgv: using RSA key ABF5BD827BD9BF62
gpgv: Can't check signature: No public key

comment:2 by thresh, 6 months ago

Hello!

The validity of the key was extended recently so you should re-download the key:

curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \

| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

as per https://nginx.org/en/linux_packages.html

See https://blog.nginx.org/blog/updating-pgp-key-for-nginx-software for more details.

Version 1, edited 6 months ago by thresh (previous) (next) (diff)

comment:3 by jk464@…, 6 months ago

Trying that - still no success - the repo is still showing as signed by the previous key (ABF5BD827BD9BF62):

[4/9] RUN curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null   && gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg   && echo "deb http://nginx.org/packages/ubuntu/ focal nginx" > /etc/apt/sources.list.d/nginx.list   && apt-get update   && apt-get install -y nginx   && rm -f /etc/apt/sources.list.d/nginx.list:
0.267   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
0.267                                  Dload  Upload   Total   Spent    Left  Speed
100 11809  100 11809    0     0   9711      0  0:00:01  0:00:01 --:--:--  9727
1.535 pub   rsa4096 2024-05-29 [SC]
1.535       8540A6F18833A80E9C1653A42FD21310B49F6B46
1.535 uid                      nginx signing key <signing-key-2@nginx.com>
1.535
1.538 pub   rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
1.538       573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
1.538 uid                      nginx signing key <signing-key@nginx.com>
1.538
1.539 pub   rsa4096 2024-05-29 [SC]
1.539       9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3
1.539 uid                      nginx signing key <signing-key-3@nginx.com>
1.539
2.984 Err:1 http://nginx.org/packages/ubuntu focal InRelease
2.984   The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABF5BD827BD9BF62
6.986 Reading package lists...
7.829 W: GPG error: http://nginx.org/packages/ubuntu focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABF5BD827BD9BF62
7.829 E: The repository 'http://nginx.org/packages/ubuntu focal InRelease' is not signed.

comment:4 by jk464@…, 6 months ago

Nvm I needed to run

apt-key add /usr/share/keyrings/nginx-archive-keyring.gpg

after to get it working - fixed now - thank you for the help!

Can the update GPG key be added to the hkp://keyserver.ubuntu.com:80 key server? Thanks.

comment:5 by thresh, 6 months ago

Yep. I've just pushed the keys to keyserver.ubuntu.com and pgp.mit.edu.

Thanks!

comment:6 by thresh, 6 months ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.