Devuan bug report logs - #705
Update failed due to an invalide signature

Package: amprolla; Maintainer for amprolla is Devuan Developers <devuan-dev@lists.dyne.org>;

Reported by: Klaus Ethgen <Klaus@ethgen.de>

Date: Mon, 5 Sep 2022 07:20:01 UTC

Severity: critical

Merged with 704

Done: Mark Hindley <mark@hindley.org.uk>

Full log


🔗 View this message in rfc822 format

X-Loop: owner@bugs.devuan.org
Subject: bug#705: [devuan-dev] bug#705: Acknowledgement (Update failed due to an invalide signature)
Reply-To: Olaf Meeuwissen <paddy-hack@member.fsf.org>, 705@bugs.devuan.org
Resent-From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
Resent-To: devuan-bugs@lists.dyne.org
Resent-CC: devuan-dev@lists.dyne.org
X-Loop: owner@bugs.devuan.org
Resent-Date: Tue, 06 Sep 2022 10:04:01 +0000
Resent-Message-ID: <handler.705.B705.166245859211263@bugs.devuan.org>
Resent-Sender: owner@bugs.devuan.org
X-Devuan-PR-Message: followup 705
X-Devuan-PR-Package: devuan
X-Devuan-PR-Keywords: 
References: <YxWi7GN6UjFhvWaG@ikki.ethgen.ch> <handler.705.B.166236237917527.ack@bugs.devuan.org> <YxWrAZF+oHdmvQHa@ikki.ethgen.ch> <4aa6136d-7b31-7e05-ea2a-8e4c9b24ed37@centurion.net.nz> <YxWi7GN6UjFhvWaG@ikki.ethgen.ch>
Received: via spool by 705-submit@bugs.devuan.org id=B705.166245859211263
          (code B ref 705); Tue, 06 Sep 2022 10:04:01 +0000
Received: (at 705) by bugs.devuan.org; 6 Sep 2022 10:03:12 +0000
Delivered-To: devuanbugs@dyne.org
Received: from mail.dyne.org [141.95.83.167]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Tue, 06 Sep 2022 10:03:11 +0000 (UTC)
Received: from mo-sw.mose-mail.jp (mo-sw1800-0.mose-mail.jp [202.238.237.1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.dyne.org (Postfix) with ESMTPS id 133ED661868
	for <705@bugs.devuan.org>; Tue,  6 Sep 2022 12:02:42 +0200 (CEST)
Received: by mo-sw.mose-mail.jp (mose-mo-sw1800) id 286A2YLX027772; Tue, 6 Sep 2022 19:02:36 +0900
Received: from quark (localhost [127.0.0.1])
	by mbox.mose-mail.jp (mose-mbox1801) id 286A2WDX013711
	for <705@bugs.devuan.org>; Tue, 6 Sep 2022 19:02:33 +0900
Received: from olaf (uid 1000)
	(envelope-from olaf@ueda.ne.jp)
	id 305832
	by quark (DragonFly Mail Agent v0.13);
	Tue, 06 Sep 2022 19:02:32 +0900
From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
To: devuan developers internal list <devuan-dev@lists.dyne.org>
Cc: Klaus Ethgen <Klaus@ethgen.de>, 705@bugs.devuan.org,
        Daniel Reurich <daniel@centurion.net.nz>
In-reply-to: <4aa6136d-7b31-7e05-ea2a-8e4c9b24ed37@centurion.net.nz>
Date: Tue, 06 Sep 2022 19:02:32 +0900
Message-ID: <874jxkvn0n.fsf@quark>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Status: No, score=0.2 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,SPF_PASS,UNPARSEABLE_RELAY,
	URIBL_BLOCKED autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.dyne.org
Hi,

Daniel Reurich writes:

> Yes the key expired, and I probably noticed first by virtue of living in
> the future compared to everyone else.
>
> We should be adding a new signing key each release for the next future
> release, and ensuring it will endure for at least 2 future release.
> This should be done immediately following a release.

ACK, but predicting how long it will take for the next two releases to
see the light of day is not exactly easy because Debian/Devuan release
when ready.

How about uploading a new devuan-keyring package to stable-updates and
unstable when the key's validity period has reached roughly 1/3 of its
initial value?  So if you start with a key that's valid for the next 3
years, you would upload that new devuan-keyring package 2 years later.
This is completely independent of the release cycle and should work if
I'm not badly mistaken.

FTR, this idea is shamelessly stolen from the way cert-manager handles
TLS certificates in Kubernetes clusters by default, be it that uses 90
days for the certificate's validity period.

> This should be part of our "New Release - Devuan Devs guide to managing
> the new release process." - if such a document should exist.  (If it
> doesn't maybe we should create it.)
>
> Regards,
> 	Daniel
>
> On 5/09/22 19:53, Klaus Ethgen wrote:
>> Hi,
>>
>> The reason seems to be that the key is expired.
>>
>> The mitigation might be difficult. But you might have the way to do so.
>> Just sign the repository with the key
>> 72E3CB773315DFA2E464743D94532124541922FB instead of
>> E032601B7CA10BC3EA53FA81BB23C00C61FC752C.
>>
>> 72E3CB773315DFA2E464743D94532124541922FB is in
>> /etc/apt/trusted.gpg.d/devuan-keyring-2016-archive.gpg and never expire.
>>
>> After some months, just create a new key which never expire or expire
>> far in the future and use that for the repository.
>>
>> Regards
>>     Klaus
>>
>>
>> _______________________________________________
>> devuan-dev internal mailing list
>> devuan-dev@lists.dyne.org
>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/devuan-dev

Send a report that this bug log contains spam.


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sun Nov 24 03:58:32 2024;