expired Opsi GPG key needs to be renewed

[tlbean]

When adding Opsi repository, I use the following commands:

Code: Alles auswählen

# Add Opsi repository.
echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_22.04 /" > /etc/apt/sources.list.d/opsi.list
wget -qO- http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_22.04/Release.key | sudo tee /etc/apt/trusted.gpg.d/Release.key

Code: Alles auswählen

# Fetch public keys.
tmp="$(mktemp)"
apt update 2>&1 | sed -En 's/.*NO_PUBKEY ([[:xdigit:]]+).*/\1/p' | sort -u > "${tmp}"
cat "${tmp}" | xargs sudo gpg --keyserver "hkps://keyserver.ubuntu.com:443" --recv-keys  # to /usr/share/keyrings/*
cat "${tmp}" | xargs -L 1 sh -c 'sudo gpg --yes --output "/etc/apt/trusted.gpg.d/$1.gpg" --export "$1"' sh  # to /etc/apt/trusted.gpg.d/*
rm "${tmp}"

I then use "apt update" to update the repositories, and I get the following error:

Code: Alles auswählen

ubuntu@or-dc1-ub:~/linuxha$ sudo apt update
Hit:1 http://security.ubuntu.com/ubuntu jammy-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu jammy InRelease                                                      
Hit:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease                                              
Hit:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:5 http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_22.04  InRelease [1551 B]
Err:5 http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_22.04  InRelease
  The following signatures were invalid: EXPKEYSIG D1F933E6D8361F81 home:uibmz:opsi OBS Project <home:uibmz:opsi@build.opensuse.org>
Reading package lists... Done
W: GPG error: http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_22.04  InRelease: The following signatures were invalid: EXPKEYSIG D1F933E6D8361F81 home:uibmz:opsi OBS Project <home:uibmz:opsi@build.opensuse.org>
E: The repository 'http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_22.04  InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I then use "apt-key list," and it lists the following expired Opsi key:

Code: Alles auswählen

ubuntu@or-dc1-ub:~/linuxha$ sudo apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   dsa1024 2002-02-28 [SCA]
      1719 003A CE3E 5A41 E2DE  70DF D97A 3AE9 11F6 3C51
uid           [ unknown] Jamie Cameron <jcameron@webmin.com>
sub   elg1024 2002-02-28 [E]

/etc/apt/trusted.gpg.d/D1F933E6D8361F81.gpg
-------------------------------------------
pub   rsa2048 2017-09-30 [SC] [expired: 2019-12-09]
      2E98 F7B5 A5B2 C8FE 7F60  9705 D1F9 33E6 D836 1F81
uid           [ expired] home:uibmz:opsi OBS Project <home:uibmz:opsi@build.opensuse.org>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

It looks like someone else experienced the exact same error and posted before: viewtopic.php?t=12713

By the way, I am able to reproduce this problem using a separate virtual machine, therefore the only thing I have concluded is that /etc/apt/trusted.gpg.d/D1F933E6D8361F81.gpg is expired and needs to be renewed.

[m.radtke]

Hi

our keys are currently valid.

Our stable testenvironment was running tonight and here's the apt list output

Code: Alles auswählen

root@jammy:~# apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2017-09-30 [SC] [expires: 2023-11-09]
      2E98 F7B5 A5B2 C8FE 7F60  9705 D1F9 33E6 D836 1F81
uid           [ unknown] home:uibmz:opsi OBS Project <home:uibmz:opsi@build.opensuse.org>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

Regards

Mathias

[tlbean]

Take a look at this URL: https://keyserver.ubuntu.com/pks/lookup ... n&op=index

This shows that GPG key D1F933E6D8361F81 is expired on keyserver.ubuntu.com, therefore the following command is going to retrieve an expired key:

Code: Alles auswählen

sudo apt-key adv --keyserver hkps://keyserver.ubuntu.com --recv-key D1F933E6D8361F81

Please submit an updated Opsi GPG key to https://keyserver.ubuntu.com/.

Thank you for your assistance.

[m.radtke]

Hi

the key has just been updated with the new public PGP block

Regards

Mathias

[An45]

Hi
It seems the key expired again:
pub rsa2048 2017-09-30 [SC] [expirée : 2023-11-09]
2E98 F7B5 A5B2 C8FE 7F60 9705 D1F9 33E6 D836 1F81
uid [ expirée ] home:uibmz:opsi OBS Project <home:uibmz:opsi@build.opensuse.org>

The key isn't up to date on https://keyserver.ubuntu.com/.

[m.radtke]

Hi

thanks for the hint.

We will update it tomorrow

Regards
Mathias

EDIT: Update done

Code: Alles auswählen

sig  sig  d1f933e6d8361f81 2023-09-11T08:59:45Z 2025-11-19T08:59:45Z ____________________ [selfsig]