[Touch-packages] [Bug 1937945] [NEW] old gpg keyserver no longer works
Public bug reported:
This is with lxc 1:4.0.6-0ubuntu1~20.04.1 on Ubuntu 20.04 LTS.
All lxc-create commands that need to download GPG keys fail with
something similar to:
$ lxc-create -n foobar -t download -- -d ubuntu -r focal -a amd64
The cached copy has expired, re-downloading...
Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver
lxc-create: foobar: lxccontainer.c: create_run_template: 1616 Failed to create
container from template
It turns out that the GPG keyserver used (pool.sks-keyservers.net) no
longer produces the expected responses. Upstream lxc has a ticket for
this:
https://github.com/lxc/lxc/issues/3894 ('lxc-create fails because
"ERROR: Unable to fetch GPG key from keyserver')
and it was fixed by changing:
DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
to:
DOWNLOAD_KEYSERVER="hkp://keyserver.ubuntu.com"
in this commit:
https://github.com/lxc/lxc/commit/f2a5d95d00a55bed27ef9920d67617cc75fecad8
** Affects: lxc (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1937945
Title:
old gpg keyserver no longer works
Status in lxc package in Ubuntu:
New
Bug description:
This is with lxc 1:4.0.6-0ubuntu1~20.04.1 on Ubuntu 20.04 LTS.
All lxc-create commands that need to download GPG keys fail with
something similar to:
$ lxc-create -n foobar -t download -- -d ubuntu -r focal -a amd64
The cached copy has expired, re-downloading...
Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver
lxc-create: foobar: lxccontainer.c: create_run_template: 1616 Failed to
create container from template
It turns out that the GPG keyserver used (pool.sks-keyservers.net) no
longer produces the expected responses. Upstream lxc has a ticket for
this:
https://github.com/lxc/lxc/issues/3894 ('lxc-create fails because
"ERROR: Unable to fetch GPG key from keyserver')
and it was fixed by changing:
DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
to:
DOWNLOAD_KEYSERVER="hkp://keyserver.ubuntu.com"
in this commit:
https://github.com/lxc/lxc/commit/f2a5d95d00a55bed27ef9920d67617cc75fecad8
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1937945/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1920640] Re: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016)
Can you please show the output of: apt-key export C8CAB6595FDFF622 | gpg --list-packets ? I guess for some reason your apt keyring isn't updated correctly. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu. https://bugs.launchpad.net/bugs/1920640 Title: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) Status in ubuntu-keyring package in Ubuntu: Fix Released Status in ubuntu-keyring source package in Bionic: Fix Released Status in ubuntu-keyring source package in Focal: Fix Released Status in ubuntu-keyring source package in Groovy: Fix Released Status in ubuntu-keyring source package in Hirsute: Fix Released Bug description: [Impact] * Cannot update apt metadata from ddebs.ubuntu.com whilst using ubuntu-dbgsym-keyring package [Test Plan] * Install ubuntu-dbgsym-keyring package * Add ddebs.ubuntu.com repository for your release * sudo apt update must be successful * Install ubuntu-dbgsym-keyring package * Install and use `apt-key list` and check that there is no expiry on the dbgsym key I.e. bad output /etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg - pub rsa4096 2016-03-21 [SC] [expired: 2021-03-20] F2ED C64D C5AE E1F6 B9C6 21F0 C8CA B659 5FDF F622 uid [ expired] Ubuntu Debug Symbol Archive Automatic Signing Key (2016) Good output has no [date] in the pub line. [Where problems could occur] * At the moment the signature was bumped by one year * Meaning this issue will occur again in 2022 * Instead the key must be set to not expire & new round of SRUs issued [Other Info] * Original bug report The public key used by the debugging symbols repository /usr/share/keyrings/ubuntu-dbgsym-keyring.gpg from the package ubuntu- dbgsym-keyring expired. $ apt policy ubuntu-dbgsym-keyring ubuntu-dbgsym-keyring: Installed: 2020.02.11.2 Candidate: 2020.02.11.2 Version table: *** 2020.02.11.2 500 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages 500 http://archive.ubuntu.com/ubuntu focal/main i386 Packages 100 /var/lib/dpkg/status $ gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-dbgsym-keyring.gpg --list-keys /usr/share/keyrings/ubuntu-dbgsym-keyring.gpg - pub rsa4096 2016-03-21 [SC] [expired: 2021-03-20] F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622 uid [ expired] Ubuntu Debug Symbol Archive Automatic Signing Key (2016) Error message on "apt update": E: The repository 'http://ddebs.ubuntu.com bionic-updates Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. W: GPG error: http://ddebs.ubuntu.com bionic Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) E: The repository 'http://ddebs.ubuntu.com bionic Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. W: GPG error: http://ddebs.ubuntu.com bionic-proposed Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) E: The repository 'http://ddebs.ubuntu.com bionic-proposed Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1920640/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1920640] Re: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016)
Note: this is a duplicate of bug #1920610, which was submitted a few hours earlier. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu. https://bugs.launchpad.net/bugs/1920640 Title: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) Status in ubuntu-keyring package in Ubuntu: Confirmed Bug description: The public key used by the debugging symbols repository /usr/share/keyrings/ubuntu-dbgsym-keyring.gpg from the package ubuntu- dbgsym-keyring expired. $ apt policy ubuntu-dbgsym-keyring ubuntu-dbgsym-keyring: Installed: 2020.02.11.2 Candidate: 2020.02.11.2 Version table: *** 2020.02.11.2 500 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages 500 http://archive.ubuntu.com/ubuntu focal/main i386 Packages 100 /var/lib/dpkg/status $ gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-dbgsym-keyring.gpg --list-keys /usr/share/keyrings/ubuntu-dbgsym-keyring.gpg - pub rsa4096 2016-03-21 [SC] [expired: 2021-03-20] F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622 uid [ expired] Ubuntu Debug Symbol Archive Automatic Signing Key (2016) Error message on "apt update": E: The repository 'http://ddebs.ubuntu.com bionic-updates Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. W: GPG error: http://ddebs.ubuntu.com bionic Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) E: The repository 'http://ddebs.ubuntu.com bionic Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. W: GPG error: http://ddebs.ubuntu.com bionic-proposed Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) E: The repository 'http://ddebs.ubuntu.com bionic-proposed Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1920640/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1920610] Re: The repository 'http://ddebs.ubuntu.com groovy Release' is not signed
Note: a duplicate bug #1920640 was added a few hours after this one. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu. https://bugs.launchpad.net/bugs/1920610 Title: The repository 'http://ddebs.ubuntu.com groovy Release' is not signed Status in ubuntu-keyring package in Ubuntu: Confirmed Bug description: Did an update this morning and it looks like the key has expired. W: GPG error: http://ddebs.ubuntu.com groovy Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) E: The repository 'http://ddebs.ubuntu.com groovy Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. W: GPG error: http://ddebs.ubuntu.com groovy-updates Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) E: The repository 'http://ddebs.ubuntu.com groovy-updates Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. W: GPG error: http://ddebs.ubuntu.com groovy-proposed Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) E: The repository 'http://ddebs.ubuntu.com groovy-proposed Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1920610/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1920610] Re: The repository 'http://ddebs.ubuntu.com groovy Release' is not signed
The GPG key has simply expired, as of 2021-03-20: $ wget -q http://ddebs.ubuntu.com/dists/focal-proposed/Release http://ddebs.ubuntu.com/dists/focal-proposed/Release.gpg $ gpg --verify Release.gpg Release gpg: Signature made Fri 19 Mar 2021 04:52:53 AM CET gpg:using RSA key 0xC8CAB6595FDFF622 gpg: Good signature from "Ubuntu Debug Symbol Archive Automatic Signing Key (2016) " [expired] gpg: Note: This key has expired! Primary key fingerprint: F2ED C64D C5AE E1F6 B9C6 21F0 C8CA B659 5FDF F622 $ gpg --list-key 0xC8CAB6595FDFF622 pub rsa4096/0xC8CAB6595FDFF622 2016-03-21 [SC] [expired: 2021-03-20] Key fingerprint = F2ED C64D C5AE E1F6 B9C6 21F0 C8CA B659 5FDF F622 uid [ expired] Ubuntu Debug Symbol Archive Automatic Signing Key (2016) Time to generate a new key and distribute it, I guess. :-) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu. https://bugs.launchpad.net/bugs/1920610 Title: The repository 'http://ddebs.ubuntu.com groovy Release' is not signed Status in ubuntu-keyring package in Ubuntu: Confirmed Bug description: Did an update this morning and it looks like the key has expired. W: GPG error: http://ddebs.ubuntu.com groovy Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) E: The repository 'http://ddebs.ubuntu.com groovy Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. W: GPG error: http://ddebs.ubuntu.com groovy-updates Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) E: The repository 'http://ddebs.ubuntu.com groovy-updates Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. W: GPG error: http://ddebs.ubuntu.com groovy-proposed Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) E: The repository 'http://ddebs.ubuntu.com groovy-proposed Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1920610/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
