
EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 8:35 am
by anticapitalista
For those users getting the EXPKEYSIG error.

Method 1:

3 steps, in a terminal

1.

Code:

wget 'https://download.tuxfamily.org/antix/releases/antix-archive-keyring.asc'
or

Code:

wget 'http://repo.antixlinux.com/antix-archive-keyring.asc'
2.

Code:

sudo apt-key add antix-archive-keyring.asc
3.

Code:

sudo apt-get update
Method 2:

1. Download antix-archive-keyring_20019.3.13_all.deb from here: http://repo.antixlinux.com

In the directory where you downloaded the deb, use gdebi to install or do this -

2.

Code:

sudo dpkg -i antix-archive-keyring_20019.3.13_all.deb
3.

Code:

sudo apt-get update

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 8:38 am
by Eadwine Rose

Code:

eadwine@eadwineMX18:~
$ wget 'https://download.tuxfamily.org/antix/releases/antix-archive-keyring.asc'
--2019-03-13 13:37:54--  https://download.tuxfamily.org/antix/releases/antix-archive-keyring.asc
Resolving download.tuxfamily.org (download.tuxfamily.org)... 88.191.250.171, 88.191.250.18, 2a01:e0d:1:3:58bf:fa12:0:1, ...
Connecting to download.tuxfamily.org (download.tuxfamily.org)|88.191.250.171|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4053 (4.0K) [text/plain]
Saving to: ‘antix-archive-keyring.asc’

antix-archive-keyring.as 100%[==================================>]   3.96K  --.-KB/s    in 0s      

2019-03-13 13:37:55 (22.2 MB/s) - ‘antix-archive-keyring.asc’ saved [4053/4053]

eadwine@eadwineMX18:~
$ sudo apt-key add antix-archive-keyring.asc
[sudo] password for eadwine: 
OK
eadwine@eadwineMX18:~
$ apt-get update
Reading package lists... Done
W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)

I think the last line needs root?

Reloaded in synaptic and all is fine :)

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 8:44 am
by anticapitalista
Eadwine Rose wrote: Wed Mar 13, 2019 8:38 am
I think the last line needs root?

Reloaded in synaptic and all is fine :)
Changed to sudo - thanks

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 8:55 am
by fehlix
anticapitalista wrote: Wed Mar 13, 2019 8:35 am 3 steps, in a terminal
Or with one liner ;=):

Code:

sudo -v ; wget 'https://download.tuxfamily.org/antix/releases/antix-archive-keyring.asc' -O- | sudo apt-key add - ; sudo apt-get update
:puppy:

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 9:04 am
by GuiGuy
I have done anti's method on this installation and it seems to have worked OK.
But do I now have to fix all my other installations? If so I suppose Fehlix's method looks a bit simpler - has anybody tried it yet?

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 9:11 am
by fehlix
GuiGuy wrote: Wed Mar 13, 2019 9:04 am I have done anti's method on this installation and it seems to have worked OK.
But do I now have to fix all my other installations? If so I suppose Fehlix's method looks a bit simpler - has anybody tried it yet?
The used verification key (which is the pub-key part of the signing key) is stored
within this file:

Code:

/etc/apt/trusted.gpg.d/antix-archive-keyring.gpg 
Which can be verified / checked by gpg:

Code:

gpg --with-fingerprint  --no-default-keyring --keyring /etc/apt/trusted.gpg.d/antix-archive-keyring.gpg --list-keys
/etc/apt/trusted.gpg.d/antix-archive-keyring.gpg
------------------------------------------------
pub   rsa2048 2013-03-13 [SC] [expires: 2021-05-01]
      ED57 48AC 0E57 5DD2 49A5  6B84 DB36 CDF3 452F 0C20
uid           [ unknown] antiX (antix repo) <repo@antixlinux.com>
sub   rsa2048 2013-03-13 [E] [expires: 2021-05-01] 
Conclusion:
Instead of the download method for additional installs you can copy the new keyring file
from

Code:

/etc/apt/trusted.gpg.d/antix-archive-keyring.gpg 
to your other installations.
:puppy:

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 9:42 am
by oops
fehlix wrote: Wed Mar 13, 2019 8:55 am
anticapitalista wrote: Wed Mar 13, 2019 8:35 am 3 steps, in a terminal
Or with one liner ;=):

Code:

sudo -v ; wget 'https://download.tuxfamily.org/antix/releases/antix-archive-keyring.asc' -O- | sudo apt-key add - ; sudo apt-get update
:puppy:
That's worked, thank you fehlix & anticapitalista.

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 9:51 am
by anticapitalista
Added another method to directly download the deb and install via dpkg or gdebi

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 10:03 am
by GuiGuy
fehlix wrote: Wed Mar 13, 2019 9:11 am........
Conclusion:
Instead of the download method for additional installs you can copy the new keyring file
from

Code:

/etc/apt/trusted.gpg.d/antix-archive-keyring.gpg 
to your other installations.
:puppy:
Thanks, Fehlix - that sounds a bit easier :happy: .

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 10:06 am
by asqwerth
GuiGuy wrote: Wed Mar 13, 2019 10:03 am
fehlix wrote: Wed Mar 13, 2019 9:11 am........
Conclusion:
Instead of the download method for additional installs you can copy the new keyring file
from

Code:

/etc/apt/trusted.gpg.d/antix-archive-keyring.gpg 
to your other installations.
:puppy:
Thanks, Fehlix - that sounds a bit easier :happy: .
But after copying, you still need to add the new key. You only save on the step of downloading the key file.

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 10:16 am
by GuiGuy
asqwerth wrote: Wed Mar 13, 2019 10:06 am...........
But after copying, you still need to add the new key. You only save on the step of downloading the key file.
Will "sudo apt-get update" add it OK?
Edit:-
My question is really "How do I add the new key after I have copied it to the correct location?".

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 10:36 am
by fehlix
asqwerth wrote: Wed Mar 13, 2019 10:06 am But after copying, you still need to add the new key. You only save on the step of downloading the key file.
You copy the updated trusted keyring not the keyfile: antix-archive-keyring.asc.

The file antix-archive-keyring.asc holds the public-signing key. It is not a gpg-keyring (despite the name).
The keyring is here: /etc/apt/trusted.gpg.d/antix-archive-keyring.gpg
with apt-key add you add/update public-key(s) from antix-archive-keyring.asc
into trusted keyring file /etc/apt/trusted.gpg.d/antix-archive-keyring.gpg.

The just provided deb-file is doing exactly the same.
Replacing the trusted keyring /etc/apt/trusted.gpg.d/antix-archive-keyring.gpg
with a newer one.
HTH
:puppy:

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 10:37 am
by anticapitalista
If you copy /etc/apt/trusted.gpg.d/antix-archive-keyring.gpg to all your boxes, run apt-get update and a new antix-archive-keyring deb will show up for installation.

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 10:40 am
by fehlix
GuiGuy wrote: Wed Mar 13, 2019 10:16 am
asqwerth wrote: Wed Mar 13, 2019 10:06 am...........
But after copying, you still need to add the new key. You only save on the step of downloading the key file.
Will "sudo apt-get update" add it OK?
Edit:-
My question is really "How do I add the new key after I have copied it to the correct location?".
Just copy the newly updated keyring. That's it. The updated keyring holds the new public-signing key.
Or use the new deb-package which was just provided by anti (see updated first post).

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 10:44 am
by fehlix
anticapitalista wrote: Wed Mar 13, 2019 10:37 am If you copy /etc/apt/trusted.gpg.d/antix-archive-keyring.gpg to all your boxes, run apt-get update and a new antix-archive-keyring deb will show up for installation.
Indeed, the new antix-archive-keyring deb will again replace the existing "copied" and already valid /etc/apt/trusted.gpg.d/antix-archive-keyring.gpg, with the "same" already copied version. So by this, this file is now also owned/provided by this deb-package.

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 10:47 am
by GuiGuy
anticapitalista wrote: Wed Mar 13, 2019 10:37 am If you copy /etc/apt/trusted.gpg.d/antix-archive-keyring.gpg to all your boxes, run apt-get update and a new antix-archive-keyring deb will show up for installation.
Thanks, anti. Does that mean asqwerth's advice was wrong?

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 10:49 am
by asqwerth
Ah so.

Follow anti and fehlix, not me!

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 4:00 pm
by KoO
Da man anticapitalista Thank You

Re: EXPKEYSIG error and fix

Posted: Wed Mar 13, 2019 10:34 pm
by Otter
Thank you very much. This worked.

Re: EXPKEYSIG error and fix

Posted: Thu Mar 14, 2019 7:34 pm
by BobbieAN
anticapitalista wrote: Wed Mar 13, 2019 8:35 am For those users getting the EXPKEYSIG error.

Method 1:

3 steps, in a terminal

1.

Code:

wget 'https://download.tuxfamily.org/antix/releases/antix-archive-keyring.asc'
or

Code:

wget 'http://repo.antixlinux.com/antix-archive-keyring.asc'
2.

Code:

sudo apt-key add antix-archive-keyring.asc
3.

Code:

sudo apt-get update
Method 2:

1. Download antix-archive-keyring_20019.3.13_all.deb from here: http://repo.antixlinux.com

In the directory where you downloaded the deb, use gdebi to install or do this -

2.

Code:

sudo dpkg -i antix-archive-keyring_20019.3.13_all.deb
3.

Code:

sudo apt-get update
Method 1 worked, tnx.

Re: EXPKEYSIG error and fix

Posted: Fri Mar 15, 2019 6:46 am
by gjon
Method 2:

1. Download antix-archive-keyring_20019.3.13_all.deb from here: http://repo.antixlinux.com

In the directory where you downloaded the deb, use gdebi to install
Why is this an unencrypted repo?

Re: EXPKEYSIG error and fix

Posted: Fri Mar 15, 2019 7:21 am
by anticapitalista
So you can download that deb

Re: EXPKEYSIG error and fix

Posted: Fri Mar 15, 2019 6:56 pm
by viewsonic
I just installed MX on main PC and got this error. oops's one liner fixed the problem. Thanks.

Re: EXPKEYSIG error and fix

Posted: Sat Mar 16, 2019 12:29 am
by asqwerth
I think an announcement and the new apt-get instructions should be posted on the announcement section of the forum because I understand the expiry of key is now also affecting the mx15/16 version of said Repo.

Re: EXPKEYSIG error and fix

Posted: Sat Mar 16, 2019 7:22 am
by richb
asqwerth wrote: Sat Mar 16, 2019 12:29 am I think an announcement and the new apt-get instructions should be posted on the announcement section of the forum because I understand the expiry of key is now also affecting the mx15/16 version of said Repo.
If someone would compose the solution and post a blog on the website or here in MX News and Announcements I will add it. The subsequent posts and PM's seemingly giving different solutions have confused me. (change the repo, wait for the package to show in updates)

Re: EXPKEYSIG error and fix

Posted: Sun Mar 17, 2019 3:38 pm
by MX-16_fan
@all:

My general question would be whether there would be some safer way of handling situations like that (from a user perspective) – safer than downloading new keys via the open internet.

I remember that there were similar situations with MX-16 or MX-17, and similar advice was given then.

Unfortunately, I'm no expert at all when it comes to this key/signature stuff, but my naïve assumption would be that downloading authentication-related stuff via the open internet would be a no-go, as it breaks the signature/authentication chain of your protected Linux ecosystem.

To me, downloading keyrings via the open internet sounds like an invitation to MITM attackers (https://en.wikipedia.org/wiki/Man-in-the-middle_attack), who might in this way build bridgeheads that would allow them to compromise your system.

Please correct me if I'm wrong. As said, I'm not an expert, and I've never really understood the details of apt's handling of keyrings and signatures.


Greetings, and a great week to all of you, Joe

Re: EXPKEYSIG error and fix

Posted: Sun Mar 17, 2019 7:11 pm
by dolphin_oracle
MX-16_fan wrote: Sun Mar 17, 2019 3:38 pm @all:

My general question would be whether there would be some safer way of handling situations like that (from a user perspective) – safer than downloading new keys via the open internet.

I remember that there were similar situations with MX-16 or MX-17, and similar advice was given then.

Unfortunately, I'm no expert at all when it comes to this key/signature stuff, but my naïve assumption would be that downloading authentication-related stuff via the open internet would be a no-go, as it breaks the signature/authentication chain of your protected Linux ecosystem.

To me, downloading keyrings via the open internet sounds like an invitation to MITM attackers (https://en.wikipedia.org/wiki/Man-in-the-middle_attack), who might in this way build bridgeheads that would allow them to compromise your system.

Please correct me if I'm wrong. As said, I'm not an expert, and I've never really understood the details of apt's handling of keyrings and signatures.


Greetings, and a great week to all of you, Joe
I may be off base but...

my understanding of this is that the issue isn't that the repos are encrypted (they aren't), but that they are signed. In order to verify the private signature of the signer of the repo packages, the end user needs the public key, which is what the archive package provides. So actually, it's designed to work this way, a public key that is distributed and a private key that is secret. downloading the key from our own server via a link we provide, and having the key work against our own repos should be a strong indication that things are as they should be.

anyone that has ever added a key manually with "apt-key add -" faces a similar issue. I guess if you don't trust the public/private key relationship, you would have to assume that every mirror and every repository and release file was compromised. Since we the operators are saying that nothing was compromised, and the fact that the repo operators are pretty sharp people, I think we are safe in assuming that the keys are good.

the safer and less troublesome method is to update the key archive ahead of time. this one got missed this time. it happens, we are all human.

Re: EXPKEYSIG error and fix

Posted: Sun Mar 17, 2019 8:09 pm
by fehlix
MX-16_fan wrote: Sun Mar 17, 2019 3:38 pm My general question would be whether there would be some safer way of handling situations like that (from a user perspective) – safer than downloading new keys via the open internet.
That's actually a good question.
And yes, it is safe and secure; even downloading a public key through the unencrypted internet is not the issue.
Because the key fingerprint shown here is the key element to verify that the downloaded public key of the signing key is legitimate.
The user can/should verify the key by its fingerprint:
One method I have shown above:

Code:

gpg --with-fingerprint  --no-default-keyring --keyring /etc/apt/trusted.gpg.d/antix-archive-keyring.gpg --list-keys
/etc/apt/trusted.gpg.d/antix-archive-keyring.gpg
------------------------------------------------
pub   rsa2048 2013-03-13 [SC] [expires: 2021-05-01]
      ED57 48AC 0E57 5DD2 49A5  6B84 DB36 CDF3 452F 0C20
uid           [ unknown] antiX (antix repo) <repo@antixlinux.com>
sub   rsa2048 2013-03-13 [E] [expires: 2021-05-01] 
And the shown key fingerprint "ED57 48AC 0E57 5DD2 49A5 6B84 DB36 CDF3 452F 0C20"
is unique and, after manual verification, safe and secure to use and to trust.

First of all, such situation shall not happen, and the issue was fixed 1 day later by providing an additional package through the normal secure update mechanism.
So the question is good, but if carefully proceeded even such unusual situation can be solved fairly securely.
HTH
:puppy:
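
The fingerprint check described in the post above, applied to a downloaded key file before it is given to apt-key (an added example, not part of the original posts). The function names and the sample listings are constructed for illustration, and it assumes a GnuPG version that supports `--show-keys`.

```shell
#!/bin/sh
# Added example: check a downloaded key file against the fingerprint
# published in this thread before trusting it. Function names are hypothetical.

EXPECTED_FPR='ED57 48AC 0E57 5DD2 49A5  6B84 DB36 CDF3 452F 0C20'

# Drop whitespace and upper-case, so the spaced form matches gpg's colon output.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# stdin: `gpg --with-colons` listing. Prints one fingerprint per primary key:
# the first fpr record after each pub record (subkey fpr records are skipped).
primary_fprs() {
    awk -F: '
        $1 == "pub"         { want = 1; next }
        $1 == "sub"         { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# stdin: colon listing; $1: expected fingerprint. Succeeds only when the
# listing holds exactly one primary key and it is the expected one. A file
# carrying an extra key fails, since apt-key add would import every key in it.
listing_matches() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# $1: key file (e.g. antix-archive-keyring.asc); $2: expected fingerprint.
# --show-keys lists the keys in the file without importing them.
verify_keyfile() {
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null |
        listing_matches "$2"
}

# Constructed sample listings (dates and the A.../B... values are made up;
# only the primary fingerprint is the one quoted in the thread).
sample_good() {
    cat <<'EOF'
pub:-:2048:1:DB36CDF3452F0C20:1363132800:1619827200::-:::scSC:
fpr:::::::::ED5748AC0E575DD249A56B84DB36CDF3452F0C20:
uid:-::::1552435200::::antiX (antix repo) <repo@antixlinux.com>:
sub:-:2048:1:AAAAAAAAAAAAAAAA:1363132800:1619827200:::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}

sample_extra() {
    sample_good
    cat <<'EOF'
pub:-:2048:1:BBBBBBBBBBBBBBBB:1552435200:::-:::scSC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
EOF
}

# Usage: sh verify-key.sh antix-archive-keyring.asc
if [ "$#" -ge 1 ]; then
    if verify_keyfile "$1" "$EXPECTED_FPR"; then
        echo "fingerprint matches; the file can be added to apt's keyring"
    else
        echo "fingerprint mismatch or extra keys: do not add $1" >&2
        exit 1
    fi
fi
```

The expected fingerprint only helps if it reaches the user by a different route than the key file itself, for example from an already installed system's keyring rather than from the same download server.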

Re: EXPKEYSIG error and fix

Posted: Mon Mar 18, 2019 3:14 pm
by MX-16_fan
@dolphin_oracle:
dolphin_oracle wrote: Sun Mar 17, 2019 7:11 pm (...)
I may be off base but...

my understanding of this is that the issue isn't that the repos are encrypted (they aren't), but that they are signed. In order to verify the private signature of the signer of the repo packages, the end user needs the public key, which is what the archive package provides. So actually, it's designed to work this way, a public key that is distributed and a private key that is secret. downloading the key from our own server via a link we provide, and having the key work against our own repos should be a strong indication that things are as they should be.

anyone that has ever added a key manually with "apt-key add -" faces a similar issue. I guess if you don't trust the public/private key relationship, you would have to assume that every mirror and every repository and release file was compromised. Since we the operators are saying that nothing was compromised, and the fact that the repo operators are pretty sharp people, I think we are safe in assuming that the keys are good.

the safer and less troublesome method is to update the key archive ahead of time. this one got missed this time. it happens, we are all human.

Thanks for this explanation. Greetings, and have a good week, Joe

Re: EXPKEYSIG error and fix

Posted: Mon Mar 18, 2019 3:18 pm
by MX-16_fan
@fehlix:
fehlix wrote: Sun Mar 17, 2019 8:09 pm
MX-16_fan wrote: Sun Mar 17, 2019 3:38 pm My general question would be whether there would be some safer way of handling situations like that (from a user perspective) – safer than downloading new keys via the open internet.
That's actually a good question.
And yes, it is safe and secure; even downloading a public key through the unencrypted internet is not the issue.
Because the key fingerprint shown here is the key element to verify that the downloaded public key of the signing key is legitimate.
The user can/should verify the key by its fingerprint:
One method I have shown above:

Code:

gpg --with-fingerprint  --no-default-keyring --keyring /etc/apt/trusted.gpg.d/antix-archive-keyring.gpg --list-keys
/etc/apt/trusted.gpg.d/antix-archive-keyring.gpg
------------------------------------------------
pub   rsa2048 2013-03-13 [SC] [expires: 2021-05-01]
      ED57 48AC 0E57 5DD2 49A5  6B84 DB36 CDF3 452F 0C20
uid           [ unknown] antiX (antix repo) <repo@antixlinux.com>
sub   rsa2048 2013-03-13 [E] [expires: 2021-05-01] 
And the shown key fingerprint "ED57 48AC 0E57 5DD2 49A5 6B84 DB36 CDF3 452F 0C20"
is unique and, after manual verification, safe and secure to use and to trust.

First of all, such situation shall not happen, and the issue was fixed 1 day later by providing an additional package through the normal secure update mechanism.
So the question is good, but if carefully proceeded even such unusual situation can be solved fairly securely.
HTH
:puppy:

Thanks for the explanation. Appears to me that this might be a valuable piece of information for the FAQ / Wiki / User Manual as well. Greetings, and have a nice week, Joe

Re: EXPKEYSIG error and fix

Posted: Mon Mar 18, 2019 3:31 pm
by fehlix
MX-16_fan wrote: Mon Mar 18, 2019 3:18 pm Thanks for the explanation. Appears to me that this might be a valuable piece of information for the FAQ / Wiki / User Manual as well. Greetings, and have a nice week, Joe
Yes, and probably needs to be a bit "end-user" tweaked also to make it even a bit simpler re the verification process for those "emergency" download fixes. But anyway, good you raised that point... I'm on the gpg usage "simplification" process for the Wiki anyway ... let's see whether I can scribble down some stuff "un-encrypted"
:puppy:

Re: EXPKEYSIG error and fix

Posted: Sat Mar 30, 2019 4:17 am
by JayM
fehlix wrote: Wed Mar 13, 2019 8:55 am
anticapitalista wrote: Wed Mar 13, 2019 8:35 am 3 steps, in a terminal
Or with one liner ;=):

Code:

sudo -v ; wget 'https://download.tuxfamily.org/antix/releases/antix-archive-keyring.asc' -O- | sudo apt-key add - ; sudo apt-get update
:puppy:
Can this post be made a sticky at the top of the MX Help forum, or added to Tips&Tricks, or both? This issue is coming up frequently, whenever anyone's just installed MX/antiX and is trying to let the update manager do its thing and run the initial post-installation updates.

Thanks. (And thanks, anticapitalista for the solution and fehlix for making it easier to implement!)