[Bug 1920640] Re: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
Oded Arbel
1920640 at bugs.launchpad.net
Wed Apr 14 09:56:11 UTC 2021
Re: #30 and #21. I have the same issue:
----8<----
$ for p in /etc/apt/trusted.gpg.d/ubuntu-*; do gpg --no-default-keyring --keyring $p --list-keys; done
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
843938DF228D22F7B3742BC0D94AA3F0EFE21092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage at ubuntu.com>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg
-----------------------------------------------------
pub rsa4096 2016-03-21 [SC]
F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622
uid [ unknown] Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
F6ECB3762474EDA9D21B7022871920D1991BC93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster at ubuntu.com>
$ sudo apt install --reinstall ubuntu-dbgsym-keyring
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 2 not upgraded.
Need to get 6,904 B of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu groovy-updates/main amd64 ubuntu-dbgsym-keyring all 2020.06.17.3 [6,904 B]
Fetched 6,904 B in 0s (14.4 kB/s)
Supported
(Reading database ... 704337 files and directories currently installed.)
Preparing to unpack .../ubuntu-dbgsym-keyring_2020.06.17.3_all.deb ...
Unpacking ubuntu-dbgsym-keyring (2020.06.17.3) over (2020.06.17.3) ...
Setting up ubuntu-dbgsym-keyring (2020.06.17.3) ...
$ sudo apt update
[...]
Ign:28 http://ddebs.ubuntu.com groovy InRelease
Ign:29 http://ddebs.ubuntu.com groovy-updates InRelease
Hit:30 http://ddebs.ubuntu.com groovy Release
Get:31 http://ddebs.ubuntu.com groovy-updates Release [40.5 kB]
Get:32 http://ddebs.ubuntu.com groovy-updates Release.gpg [819 B]
Err:35 http://ddebs.ubuntu.com groovy Release.gpg
The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
Err:32 http://ddebs.ubuntu.com groovy-updates Release.gpg
The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
Fetched 213 kB in 4s (55.8 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ddebs.ubuntu.com groovy Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ddebs.ubuntu.com groovy-updates Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
W: Failed to fetch http://ddebs.ubuntu.com/dists/groovy/Release.gpg The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
W: Failed to fetch http://ddebs.ubuntu.com/dists/groovy-updates/Release.gpg The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.
$ apt-key export C8CAB6595FDFF622 | gpg --list-packets
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
version 4, algo 1, created 1458555883, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
keyid: C8CAB6595FDFF622
# off=528 ctb=b4 tag=13 hlen=2 plen=90
:user ID packet: "Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>"
# off=620 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid D14EF15DAFE11347
version 4, created 1458556323, md5len 0, sigclass 0x10
digest algo 8, begin of digest 6f 9e
hashed subpkt 2 len 4 (sig created 2016-03-21)
subpkt 16 len 8 (issuer key ID D14EF15DAFE11347)
data: [4096 bits]
# off=1163 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 5759F35001AA4A64
version 4, created 1496169986, md5len 0, sigclass 0x10
digest algo 10, begin of digest 23 81
hashed subpkt 2 len 4 (sig created 2017-05-30)
subpkt 16 len 8 (issuer key ID 5759F35001AA4A64)
data: [4095 bits]
# off=1706 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 6C39C1C16A9DA7BE
version 4, created 1535168473, md5len 0, sigclass 0x10
digest algo 10, begin of digest be 90
hashed subpkt 33 len 21 (issuer fpr v4 4A90974BACE0A9A6AF09B3B16C39C1C16A9DA7BE)
hashed subpkt 2 len 4 (sig created 2018-08-25)
subpkt 16 len 8 (issuer key ID 6C39C1C16A9DA7BE)
data: [4092 bits]
# off=2272 ctb=89 tag=2 hlen=3 plen=574
:signature packet: algo 1, keyid C8CAB6595FDFF622
version 4, created 1458555883, md5len 0, sigclass 0x13
digest algo 2, begin of digest 0e 82
hashed subpkt 2 len 4 (sig created 2016-03-21)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 9 len 4 (key expires after 5y0d0h0m)
hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (keyserver preferences: 80)
subpkt 16 len 8 (issuer key ID C8CAB6595FDFF622)
data: [4096 bits]
# off=2849 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
version 4, algo 1, created 1458555883, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
keyid: C8CAB6595FDFF622
# off=3377 ctb=b4 tag=13 hlen=2 plen=90
:user ID packet: "Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>"
# off=3469 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid D14EF15DAFE11347
version 4, created 1458556323, md5len 0, sigclass 0x10
digest algo 8, begin of digest 6f 9e
hashed subpkt 2 len 4 (sig created 2016-03-21)
subpkt 16 len 8 (issuer key ID D14EF15DAFE11347)
data: [4096 bits]
# off=4012 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 5759F35001AA4A64
version 4, created 1496169986, md5len 0, sigclass 0x10
digest algo 10, begin of digest 23 81
hashed subpkt 2 len 4 (sig created 2017-05-30)
subpkt 16 len 8 (issuer key ID 5759F35001AA4A64)
data: [4095 bits]
# off=4555 ctb=89 tag=2 hlen=3 plen=568
:signature packet: algo 1, keyid C8CAB6595FDFF622
version 4, created 1616793053, md5len 0, sigclass 0x13
digest algo 2, begin of digest 3a 42
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (keyserver preferences: 80)
hashed subpkt 2 len 4 (sig created 2021-03-26)
subpkt 16 len 8 (issuer key ID C8CAB6595FDFF622)
data: [4096 bits]
----8<----
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1920640
Title:
EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic
Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
Status in ubuntu-keyring package in Ubuntu:
Fix Released
Status in ubuntu-keyring source package in Bionic:
Fix Released
Status in ubuntu-keyring source package in Focal:
Fix Released
Status in ubuntu-keyring source package in Groovy:
Fix Released
Status in ubuntu-keyring source package in Hirsute:
Fix Released
Bug description:
[Impact]
* Cannot update apt metadata from ddebs.ubuntu.com whilst using
ubuntu-dbgsym-keyring package
[Test Plan]
* Install ubuntu-dbgsym-keyring package
* Add ddebs.ubuntu.com repository for your release
* sudo apt update must be successful
* Install ubuntu-dbgsym-keyring package
* Install and use `apt-key list` and check that there is no expiry on the dbgsym key
I.e. bad output
/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg
-----------------------------------------------------
pub rsa4096 2016-03-21 [SC] [expired: 2021-03-20]
F2ED C64D C5AE E1F6 B9C6 21F0 C8CA B659 5FDF F622
uid [ expired] Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
Good output has no [date] in the pub line.
[Where problems could occur]
* At the moment the signature was bumped by one year
* Meaning this issue will occur again in 2022
* Instead the key must be set to not expire & new round of SRUs issued
[Other Info]
* Original bug report
The public key used by the debugging symbols repository
/usr/share/keyrings/ubuntu-dbgsym-keyring.gpg from the package ubuntu-
dbgsym-keyring expired.
$ apt policy ubuntu-dbgsym-keyring
ubuntu-dbgsym-keyring:
Installed: 2020.02.11.2
Candidate: 2020.02.11.2
Version table:
*** 2020.02.11.2 500
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
500 http://archive.ubuntu.com/ubuntu focal/main i386 Packages
100 /var/lib/dpkg/status
$ gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-dbgsym-keyring.gpg --list-keys
/usr/share/keyrings/ubuntu-dbgsym-keyring.gpg
---------------------------------------------
pub rsa4096 2016-03-21 [SC] [expired: 2021-03-20]
F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622
uid [ expired] Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
Error message on "apt update":
E: The repository 'http://ddebs.ubuntu.com bionic-updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ddebs.ubuntu.com bionic Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
E: The repository 'http://ddebs.ubuntu.com bionic Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ddebs.ubuntu.com bionic-proposed Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive at lists.ubuntu.com>
E: The repository 'http://ddebs.ubuntu.com bionic-proposed Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1920640/+subscriptions
More information about the foundations-bugs
mailing list