#2654 closed defect (fixed)
Signature on Ubuntu Focal Repo expired.
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | critical | Milestone: | |
Component: | other | Version: | 1.25.x |
Keywords: | Cc: | ||
uname -a: | Linux 85b21df39a12 6.6.31-linuxkit #1 SMP Thu May 23 08:36:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: | N/a |
Description
The repo:
deb http://nginx.org/packages/ubuntu/ focal nginx
Is signed with an expired GPG key:
Err:3 http://nginx.org/packages/ubuntu focal InRelease
The following signatures were invalid: EXPKEYSIG ABF5BD827BD9BF62 nginx signing key <signing-key@…>
pub rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid nginx signing key <signing-key@…>
Change History (6)
comment:1 by , 6 months ago
comment:2 by , 6 months ago
Hello!
The validity of the key was extended recently so you should re-download the key:
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
as per https://nginx.org/en/linux_packages.html
See https://blog.nginx.org/blog/updating-pgp-key-for-nginx-software for more details.
comment:3 by , 6 months ago
Trying that - still no success - the repo is still showing as signed by the previous key (ABF5BD827BD9BF62):
[4/9] RUN curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg && echo "deb http://nginx.org/packages/ubuntu/ focal nginx" > /etc/apt/sources.list.d/nginx.list && apt-get update && apt-get install -y nginx && rm -f /etc/apt/sources.list.d/nginx.list: 0.267 % Total % Received % Xferd Average Speed Time Time Time Current 0.267 Dload Upload Total Spent Left Speed 100 11809 100 11809 0 0 9711 0 0:00:01 0:00:01 --:--:-- 9727 1.535 pub rsa4096 2024-05-29 [SC] 1.535 8540A6F18833A80E9C1653A42FD21310B49F6B46 1.535 uid nginx signing key <signing-key-2@nginx.com> 1.535 1.538 pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] 1.538 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 1.538 uid nginx signing key <signing-key@nginx.com> 1.538 1.539 pub rsa4096 2024-05-29 [SC] 1.539 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3 1.539 uid nginx signing key <signing-key-3@nginx.com> 1.539 2.984 Err:1 http://nginx.org/packages/ubuntu focal InRelease 2.984 The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABF5BD827BD9BF62 6.986 Reading package lists... 7.829 W: GPG error: http://nginx.org/packages/ubuntu focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABF5BD827BD9BF62 7.829 E: The repository 'http://nginx.org/packages/ubuntu focal InRelease' is not signed.
comment:4 by , 6 months ago
Nvm I needed to run
apt-key add /usr/share/keyrings/nginx-archive-keyring.gpg
after to get it working - fixed now - thank you for the help!
Can the update GPG key be added to the hkp://keyserver.ubuntu.com:80 key server? Thanks.
comment:5 by , 6 months ago
Yep. I've just pushed the keys to keyserver.ubuntu.com and pgp.mit.edu.
Thanks!
comment:6 by , 6 months ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Double checking - and yes that repo is definitely signed with the expired key
❯ wget http://nginx.org/packages/ubuntu/dists/focal/InRelease
--2024-06-14 16:28:49-- http://nginx.org/packages/ubuntu/dists/focal/InRelease
Resolving nginx.org (nginx.org)... 52.58.199.22, 3.125.197.172
Connecting to nginx.org (nginx.org)|52.58.199.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3602 (3.5K) [application/octet-stream]
Saving to: ‘InRelease’
InRelease 100%[====================================================================================================================================================================================================>] 3.52K --.-KB/s in 0s
2024-06-14 16:28:50 (54.5 MB/s) - ‘InRelease’ saved [3602/3602]
❯ gpgv InRelease
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/Users/sswann/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Wed 29 May 21:47:10 2024 BST
gpgv: using RSA key ABF5BD827BD9BF62
gpgv: Can't check signature: No public key