Invalid signature when upgrading on Ubuntu 18.04

#1

sudo apt update

Err:9 http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_18.04 InRelease
The following signatures were invalid: EXPKEYSIG 4ABE1AC7557BEFF9 isv:ownCloud OBS Project isv:ownCloud@build.opensuse.org

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_18.04 InRelease: The following signatures were invalid: EXPKEYSIG 4ABE1AC7557BEFF9 isv:ownCloud OBS Project isv:ownCloud@build.opensuse.org
W: Failed to fetch http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_18.04/InRelease The following signatures were invalid: EXPKEYSIG 4ABE1AC7557BEFF9 isv:ownCloud OBS Project isv:ownCloud@build.opensuse.org
W: Some index files failed to download. They have been ignored, or old ones used instead.

I tried some “magic fu” from other Google results:
wget -qO - http://download.owncloud.org/download/repositories/stable/Ubuntu_18.04/Release.key | sudo apt-key add -

But that made no difference.

sudo apt-key list

pub rsa2048 2016-09-25 [SC] [expired: 2020-01-18]
1B07 204C D71B 690D 409F 57D2 4ABE 1AC7 557B EFF9
uid [ expired] isv:ownCloud OBS Project isv:ownCloud@build.opensuse.org

Maybe this expired key is the problem?

What is the correct “magic fu” to fetch a new key from soemwhere?

1 Like
#2

Yes, your key is expired. The SUSE download page explicitly says you should fetch the key from their place to avoid using old keys. Some platforms do that automatically, but Ubuntu apparently does not(?)

The key you grabbed, seems to be a completely unrelated key. It does not seem to be coming from the openSUSE OBS at all. To me, it looks more like a key for server package signing, rather than desktop client – but also not expired at all.

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2013-08-26 [SC] [expires: 2023-08-23]
      DDA2C105C4B73A6649AD2BBD47AE7F72479BC94B
uid           ownCloud build service <obsrun@localhost>
sub   rsa2048 2013-08-26 [E] [expires: 2023-08-23]
sub   dsa2048 2013-08-26 [S] [expires: 2023-08-23]
sub   elg2048 2013-08-26 [E] [expired: 2018-08-25]

.

The relevant key, (as advertised in https://software.opensuse.org//download.html?project=isv%3AownCloud%3Adesktop&package=owncloud-client -> Ubuntu)
is this one

curl -sL http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_18.04/Release.key | gpg -
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2016-09-25 [SC] [expires: 2022-04-02]
      1B07204CD71B690D409F57D24ABE1AC7557BEFF9
uid           isv:ownCloud OBS Project <isv:ownCloud@build.opensuse.org>

It looks all right to me…

Hmm. Do we need to push the extended key to some keyservers?

1 Like
#3

Hi,
using the Release.key from OBS helps:

curl -sL http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_18.04/Release.key | apt-key add

This fixed it for me.

2 Likes
#4

@plettich Thanks for confirming!
I’ve done some web crawling, and it seems, indeed, the keyservers out there disagree, weather our key exists, is expired, or is valid:

./check_gpg_keyserver.sh 1B07204CD71B690D409F57D24ABE1AC7557BEFF9
##### remote keyservers
hkp://pool.sks-keyservers.net : pub   rsa2048 2016-09-25 [SC] [expires: 2021-04-18]
keys.gnupg.net                : pub   rsa2048 2016-09-25 [SC] [expires: 2021-04-18]
pgp.mit.edu                   : pub   rsa2048 2016-09-25 [SC] [expired: 2019-09-19]
uid           [ expired] isv:ownCloud OBS Project <isv:ownCloud@build.opensuse.org>
hkp://keyserver.ubuntu.com    : pub   rsa2048 2016-09-25 [SC] [expires: 2021-04-18]
hkp://keyring.debian.org      : --
zimmermann.mayfirst.org       : pub   rsa2048 2016-09-25 [SC] [expired: 2019-09-19]
uid           [ expired] isv:ownCloud OBS Project <isv:ownCloud@build.opensuse.org>
pgp.surfnet.nl                : pub   rsa2048 2016-09-25 [SC] [expires: 2021-04-18]
pgp.key-server.io             : pub   rsa2048 2016-09-25 [SC] [expires: 2021-04-18]
1 Like
#5

Works, thanks:

wget http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_18.04/Release.key
sudo apt-key add Release.key

Now sudo apt update finds the new ownCloud client 2.6.1

2 Likes
#6

I don’t have any information if Ubuntu apt-get would grab keys from the public key servers at all.
(I can see that e.g. Fedora is updating keys frequently.)

In case it does, I’ve pushed the updated key to the list of servers above. They now all report an expiry date of 2022-04-02 – hope that helps in the unattended update case, or somewhere else :slight_smile: