Owncloud client update problem on Fedora 38

$ sudo dnf update

error: Verifying a signature using certificate 06D7EADE708A40FA136EB4540700205DFD41A71A (devel OBS Project <devel@s2.owncloud.com>):
  1. Certificiate 0700205DFD41A71A invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2022-01-28T16:58:04Z
  2. Key 0700205DFD41A71A invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2022-01-28T16:58:04Z
owncloud    8.4 kB/s | 1.4 kB     00:00
GPG key at https://download.owncloud.com/desktop/ownCloud/stable/latest/linux/Fedora_38/repodata/repomd.xml.key (0xFD41A71A) is already installed
The GPG keys listed for the "owncloud" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: owncloud-client-4.0.0-10896.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/stable/latest/linux/Fedora_38/repodata/repomd.xml.key
2 Likes

I can confirm I’m having the same issue:

error: Verifying a signature using certificate 06D7EADE708A40FA136EB4540700205DFD41A71A (devel OBS Project devel@s2.owncloud.com):

  1. Certificiate 0700205DFD41A71A invalid: certificate is not alive
    because: The primary key is not live
    because: Expired on 2022-12-02T14:18:51Z
  2. Key 0700205DFD41A71A invalid: key is not alive
    because: The primary key is not live
    because: Expired on 2022-12-02T14:18:51Z
    owncloud 15 kB/s | 1.4 kB 00:00
    GPG key at https://download.owncloud.com/desktop/ownCloud/stable/latest/linux/Fedora_38/repodata/repomd.xml.key (0xFD41A71A) is already installed
    The GPG keys listed for the “owncloud” repository are already installed but they are not correct for this package.
    Check that the correct key URLs are configured for this repository… Failing package is: owncloud-client-4.0.0-10896.x86_64
    GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/stable/latest/linux/Fedora_38/repodata/repomd.xml.key
1 Like

Duplicate for Owncloud client update problem on Fedora 38 repo · Issue #10839 · owncloud/client · GitHub. Please follow there…

1 Like

If the key becomes outdated, all you need to do is (re)import the key:

sudo rpm --import https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key

This step is described in Install package owncloud-client for instance. We extend the keys for 1 year typically when we make new releases.

In the docs, we have the key update explained for Debian/Ubuntu:
Installing the Desktop App :: ownCloud Documentation

We could add instructions for other distros there too…

1 Like

The method provided above does not work when Fedora is upgraded from F37 to F38. I removed owncloud repo, uninstalled owncloud-client, reinstalled repo following the instruction you provided and still have the error:

certificate 06D7EADE708A40FA136EB4540700205DFD41A71A (devel OBS Project <devel@s2.owncloud.com>):
  1. Certificiate 0700205DFD41A71A invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2017-12-06T14:18:26Z
  2. Key 0700205DFD41A71A invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2017-12-06T14:18:26Z
same issue.
The GPG keys listed for the "owncloud" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: ocqt5152-libQt5Core5-5.15.2-41.1.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
Public key for ocqt5152-libQt5DBus5-5.15.2-41.1.x86_64.rpm is not trusted. Failing package is: ocqt5152-libQt5DBus5-5.15.2-41.1.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
Public key for ocqt5152-libQt5Gui5-5.15.2-41.1.x86_64.rpm is not trusted. Failing package is: ocqt5152-libQt5Gui5-5.15.2-41.1.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
Public key for ocqt5152-libQt5Network5-5.15.2-41.1.x86_64.rpm is not trusted. Failing package is: ocqt5152-libQt5Network5-5.15.2-41.1.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
Public key for ocqt5152-libQt5PrintSupport5-5.15.2-41.1.x86_64.rpm is not trusted. Failing package is: ocqt5152-libQt5PrintSupport5-5.15.2-41.1.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
Public key for ocqt5152-libQt5Sql5-5.15.2-41.1.x86_64.rpm is not trusted. Failing package is: ocqt5152-libQt5Sql5-5.15.2-41.1.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
Public key for ocqt5152-libQt5Widgets5-5.15.2-41.1.x86_64.rpm is not trusted. Failing package is: ocqt5152-libQt5Widgets5-5.15.2-41.1.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
Public key for ocqt5152-libqt5-qtsvg-5.15.2-3.1.x86_64.rpm is not trusted. Failing package is: ocqt5152-libqt5-qtsvg-5.15.2-3.1.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
Public key for ocqt5152-libqt5-qttranslations-5.12.10-3.1.x86_64.rpm is not trusted. Failing package is: ocqt5152-libqt5-qttranslations-5.12.10-3.1.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
Public key for ocqt5152-libqt5-qtwayland-5.15.2-4.1.x86_64.rpm is not trusted. Failing package is: ocqt5152-libqt5-qtwayland-5.15.2-4.1.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
Public key for ocqt5152-qt5keychain1-0.12.0-7.1.x86_64.rpm is not trusted. Failing package is: ocqt5152-qt5keychain1-0.12.0-7.1.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
Public key for owncloud-client-4.0.0-0.daily20230512.10900.x86_64.rpm is not trusted. Failing package is: owncloud-client-4.0.0-0.daily20230512.10900.x86_64
 GPG Keys are configured as: https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Agreed. I’m not sure this issue is resolved, because this method (reimporting the key using rpm) doesn’t work for F38 (upgraded from F37). On my PC, owncloud was deleted thoroughly, but I get a similar error, except the certificate is dated 2021 rather than 2017:

error: Verifying a signature using certificate 06D7EADE708A40FA136EB4540700205DFD41A71A (devel OBS Project <devel@s2.owncloud.com>):
  1. Certificiate 0700205DFD41A71A invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2021-12-21T16:28:25Z
  2. Key 0700205DFD41A71A invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2021-12-21T16:28:25Z
The GPG keys listed for the "owncloud" repository are already installed but they are not correct for this package.

So it looks like there is an older key hanging around somewhere but I can’t figure it out. Do the instructions need to be modified?
Thanks Peter

1 Like

Hey,

could it be possible that the mentioned rpm --import command is failing in general and thus the existing key isn’t getting replaced?

Maybe this is related to the following?

2 Likes

I tried

sudo rm /etc/yum.repos.d/owncloud.repo
sudo rpm --import https://download.owncloud.com/desktop/ownCloud/daily/4.0/linux/Fedora_38/repodata/repomd.xml.key
sudo dnf config-manager --add-repo https://download.owncloud.com/desktop/ownCloud/stable/latest/linux/Fedora_38/owncloud.repo
sudo dnf update

and getting the same problem, it can only be solved by sudo rm /etc/yum.repos.d/owncloud.repo (results in owncloud-client 2.10.1)

I tried to remove the key manually:

sudo rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} → %{summary}\n'
[ gpg-pubkey-fd41a71a-61a8d5cb → devel OBS Project devel@s2.owncloud.com public key ]

then

sudo rpm -e gpg-pubkey-fd41a71a-61a8d5cb

I ran sudo dnf update, agreed to import the key again, and got an even worse result.
Now the expired key isn’t from 2022, but from 2017:

error: Verifying a signature using certificate 06D7EADE708A40FA136EB4540700205DFD41A71A (devel OBS Project devel@s2.owncloud.com):

  1. Certificiate 0700205DFD41A71A invalid: certificate is not alive
    because: The primary key is not live
    because: Expired on 2017-12-06T14:18:26Z
  2. Key 0700205DFD41A71A invalid: key is not alive
    because: The primary key is not live
    because: Expired on 2017-12-06T14:18:26Z

The issue appears to be within a change in Fedora’s crypto policies. We are working on a fix.

2 Likes

I have the same issue.

I’ve been hit by this bug too.
Strangely enough, if I download the repomd.xml.key file (with wget) and check the expiration date of the key with gpg -v, I get an expiry date of 2024-05-10; according to this, the key is not expired.
But when using the key with dnf I got the above-mentioned messages: “The primary key is not live”, Expired on 2017-12-06.
Does anyone understand what is going on?

@miguelquiros as far as I can tell, the main issue (the use of unsupported SHA-1 signatures) has been fixed, though not deployed yet. Could you please provide a set of commands which gives me the same output you see (re. expiry in 2017)?

A fix is expected in the upcoming 4.1 release.

1 Like

Sure. To get the error, I first delete the key with the command indicated in this thread:

sudo rpm -e gpg-pubkey-fd41a71a-61a8d5cb

(just to be sure that an old key is not in the way).

Then

sudo dnf update

This retrieves the key again and then, as described previously, I got the error:

Certificate 0700205DFD41A71A invalid: certificate is not alive
because: The primary key is not live
because: Expired on 2017-12-06T14:18:26Z
Key 0700205DFD41A71A invalid: key is not alive
because: The primary key is not live
because: Expired on 2017-12-06T14:18:26Z

On the other hand, if I download the key to a file with:

wget (the URL for the key; the forum program does not let me write a URL here!!!)

and then check the downloaded file with

gpg -v repomd.xml.key

The output is:

gpg: WARNING: no command supplied. Trying to guess what you mean …
pub rsa2048 2015-09-28 [SC] [expires: 2024-05-10]
06D7EADE708A40FA136EB4540700205DFD41A71A
uid devel OBS Project devel@s2.owncloud.com
sig 0700205DFD41A71A 2023-05-11 [selfsig]
sig 0700205DFD41A71A 2015-09-28 [selfsig]

I can see an expiry date in the future, which is not consistent with the dnf output, and this puzzles me.

We have identified the problem. It lies within Fedora’s use of sequoia PGP as an alternative to good old GnuPG as the crypto backend for RPM. sequoia is a lot more picky about the keys it accepts. Unfortunately, unlike most other projects’ keys, ours can be imported and later fails.

@jnweiger managed to generate the attached pubkey file which you can download and sudo rpm --import to fix the issue (you may have to sudo rpm -e gpg-pubkey-fd41a71a-56094c32 to remove the old key first).

For the upcoming releases, we are working on a permanent solution. I may be updating the public key file on the mirrors manually for 4.0.0.

We are sorry for all the inconvenience, this problem was completely unexpected and very hard to troubleshoot. I will post an update once the issue has been resolved permanently. (Please note that that might involve generating a new key altogether, since in Fedora 39, our key may finally be rejected due to its old algorithms.)

owncloud.pub.txt (2.3 KB)

Edit: thanks @miguelquiros for the input. Some background: the key has multiple signatures attached, one of which is considered a “binding signature” by sequoia (a term they probably invented themselves as far as I can tell). This signature is the one that has expired in 2017. When removing the signature from the key using gpg --edit and the clean command, the key is rejected by sequoia again. This problem can’t be debugged by gpg only; this just causes one to follow red herrings. Eventually we managed to discover the outdated signature with pgpdump (and gpg --list-packets).

2 Likes
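The check described in the post above, finding a stale self-signature that the gpg summary view hides, can be scripted over gpg --list-packets output. This is an added example, not part of the original thread or of ownCloud's tooling; the function names list_selfsigs and sample_listing are hypothetical, the sample listing is constructed, and the GnuPG 2.x listing format is assumed.

```shell
# Added example: print every self-signature in a `gpg --list-packets` listing with
# its digest algorithm and the key expiry it implies (durations are minute-granular).
list_selfsigs() {   # $1 = "now" in epoch seconds; packet listing on stdin
  awk -v now="$1" '
    function val(re, skip) {   # text that follows a fixed label on this line
      return match($0, re) ? substr($0, RSTART + skip, RLENGTH - skip) : ""
    }
    function flush(   e, state) {
      if (kind == "sig" && cls ~ /^0x1[0-3]$/ && issuer == primary) {
        e = (valid == "") ? 0 : kcreated + valid   # expiry = key creation + validity
        state = (e == 0) ? "no-expiry" : ((e <= now) ? "EXPIRED" : "live")
        printf "sig_created=%d digest=%s key_expires=%d %s\n",
               screated, (digest == "2" ? "SHA1" : digest), e, state
      }
      cls = ""; valid = ""; digest = ""
    }
    /^:/ { flush(); kind = "other"
           if ($0 ~ /^:public key packet/) kind = "pub"
           if ($0 ~ /^:signature packet/) { kind = "sig"; issuer = val("keyid [0-9A-F]+", 6) }
           next }
    kind == "pub" && /^[ \t]*version / { kcreated = val("created [0-9]+", 8) }
    kind == "pub" && /keyid: /         { primary = val("keyid: [0-9A-F]+", 7) }
    kind == "sig" && /^[ \t]*version / { screated = val("created [0-9]+", 8)
                                         cls = val("sigclass 0x[0-9a-f]+", 9) }
    kind == "sig" && /digest algo /    { digest = val("digest algo [0-9]+", 12) }
    kind == "sig" && /key expires after / {
      split(val("key expires after [0-9ydhm]+", 18), p, /[ydhm]/)
      valid = (p[1] * 365 + p[2]) * 86400 + p[3] * 3600 + p[4] * 60 }
    END { flush() }
  '
}

sample_listing() {   # constructed listing: placeholder key ID, made-up timestamps
  cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1000000000, expires 0
    keyid: 1111222233334444
:user ID packet: "Example Signer <signer@example.invalid>"
:signature packet: algo 1, keyid 1111222233334444
    version 4, created 1000000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 12 34
    hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
:signature packet: algo 1, keyid 1111222233334444
    version 4, created 1600000000, md5len 0, sigclass 0x13
    digest algo 8, begin of digest ab cd
    hashed subpkt 9 len 4 (key expires after 25y0d0h0m)
EOF
}

sample_listing | list_selfsigs 1700000000
```

On a real key file, pipe the listing in: gpg --list-packets repomd.xml.key | list_selfsigs "$(date +%s)". More than one output line with differing key_expires values means verifiers can disagree about whether the key is live.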

According to your message, I have done the following:

The problematic key was already deleted, but just in case I repeat the command:
sudo rpm -e gpg-pubkey-fd41a71a-56094c32

Then I have imported the new key:
sudo rpm --import owncloud.pub.txt

I have edited the owncloud.repo file and commented out the gpgkey line to prevent the problematic key from being retrieved again.

Then
sudo dnf update owncloud-client

And I get a reply where the following error is repeated many many times:

error: Verifying a signature using certificate 06D7EADE708A40FA136EB4540700205DFD41A71A (devel OBS Project devel@s2.owncloud.com):

  1. Certificiate 0700205DFD41A71A invalid: certificate is not alive
    because: The primary key is not live
    because: Expired on 2023-01-17T12:16:43Z
  2. Key 0700205DFD41A71A invalid: key is not alive
    because: The primary key is not live
    because: Expired on 2023-01-17T12:16:43Z

It looks like the date has changed to 2023 but in January so the key still appears as expired.
Nevertheless, the curious thing is that, despite the fact that the previous error message appears repeated more than 20 times in the screen, the package is in fact installed, the first messages are (sorry they are in Spanish):

Verificación de operación exitosa.
Ejecutando prueba de operaciones
Prueba de operación exitosa.
Ejecutando operación
Preparando : 1/1
Actualizando : owncloud-client-4.0.0-10896.x86_64 1/2

Then the expired key error message appears again twice and after that:

Ejecutando scriptlet: owncloud-client-4.0.0-10896.x86_64 1/2
Limpieza : owncloud-client-3.2.1-10355.x86_64 2/2

Another appearance of the error message and finally:

Ejecutando scriptlet: owncloud-client-3.2.1-10355.x86_64 2/2
Ejecutando scriptlet: owncloud-client-4.0.0-10896.x86_64 2/2
Ejecutando scriptlet: owncloud-client-3.2.1-10355.x86_64 2/2
Verificando : owncloud-client-4.0.0-10896.x86_64 1/2
Verificando : owncloud-client-3.2.1-10355.x86_64 2/2

Actualizado:
owncloud-client-4.0.0-10896.x86_64

¡Listo!

So, curiously enough, the error message about an expired key keeps on appearing (even if with a more recent date), it is repeated many many times (previously it appeared just once) but despite that, the package is finally updated!

Thanks a lot for your work and for your explanation about the different signatures of the keys, even if I understand it just partially.

Great to hear that.

Our permanent solution to resolve the problem is to use a different key ( F05F7DD7953A07DF36579DAA498C45EBE94E7B37, ownCloud Client Team (Signing Key) <info@owncloud.com>) to sign Fedora 38+ builds. In the future (i.e., starting with release 5.0) we are going to use this key for all builds. We are going to publish proper upgrade instructions in our docs.

2 Likes

See Update failing on Fedora 38 even after following the guidelines · Issue #10854 · owncloud/client · GitHub. The issue has been resolved. We plan to release 4.1.0 within the next two weeks, which will be the first stable release to feature the new PGP key for Fedora 38.

Thanks to everyone who participated for your input, it helped us not only to track down the problem and find the root cause but also to resolve it properly.

2 Likes

Hello. I have updated to version 4.1.0 when the update tool of the system told me that it was available. I have restored the owncloud.repo file so that the new key on the owncloud website was retrieved.

After:
sudo dnf update owncloud-client

I still see in the screen the previous error message repeated many times:

error: Verifying a signature using certificate 06D7EADE708A40FA136EB4540700205DFD41A71A (devel OBS Project devel@s2.owncloud.com):

  1. Certificiate 0700205DFD41A71A invalid: certificate is not alive
    because: The primary key is not live
    because: Expired on 2023-01-17T12:16:43Z
  2. Key 0700205DFD41A71A invalid: key is not alive
    because: The primary key is not live
    because: Expired on 2023-01-17T12:16:43Z

But, despite this, the package is updated so maybe the message could be considered as a warning instead of an error.

So, even if the update now works, I do not think that the bug should be considered as fully solved, I think that the error message should not appear.

However, thanks for your work.