Expired DEB SIgning Key

[Michael Tughan]

Hello all,

Just a note that it appears that GerritForge's DEB signing key, used to sign the packages in their APT repository, expired on February 8th and is no longer trusted by my Ubuntu system. Can someone look into it and see about getting a new key issued?

From "apt update":

Ign:8 http://bionic.gerritforge.com gerrit InRelease
Hit:10 http://bionic.gerritforge.com gerrit Release
Err:11 mirror://mirrorlist.gerritforge.com/bionic gerrit Release.gpg
The following signatures were invalid: EXPKEYSIG 847005AE619067D5 GerritForge <in...@gerritforge.com>

...

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://bionic.gerritforge.com gerrit Release: The following signatures were invalid: EXPKEYSIG 847005AE619067D5 GerritForge <in...@gerritforge.com>
W: Failed to fetch mirror://mirrorlist.gerritforge.com/bionic/dists/gerrit/Release.gpg The following signatures were invalid: EXPKEYSIG 847005AE619067D5 GerritForge <in...@gerritforge.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

And from "apt-key list":

/etc/apt/trusted.gpg
--------------------
pub rsa3072 2019-02-09 [SC] [expired: 2021-02-08]
9911 F82E 2783 6B7F AE85 090D 8470 05AE 6190 67D5
uid [ expired] GerritForge <in...@gerritforge.com>

Thanks,

Michael Tughan

[luca.mi...@gmail.com]

Sent from my iPhone

On 13 Feb 2021, at 13:52, Michael Tughan <mtu...@gmail.com> wrote:



Hello all,

Just a note that it appears that GerritForge's DEB signing key, used to sign the packages in their APT repository, expired on February 8th and is no longer trusted by my Ubuntu system. Can someone look into it and see about getting a new key issued?

Apologies for that: will look into it and get a new signing key to re-release the packages.

Luca

From "apt update":

Ign:8 http://bionic.gerritforge.com gerrit InRelease
Hit:10 http://bionic.gerritforge.com gerrit Release
Err:11 mirror://mirrorlist.gerritforge.com/bionic gerrit Release.gpg
The following signatures were invalid: EXPKEYSIG 847005AE619067D5 GerritForge <in...@gerritforge.com>

...

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://bionic.gerritforge.com gerrit Release: The following signatures were invalid: EXPKEYSIG 847005AE619067D5 GerritForge <in...@gerritforge.com>
W: Failed to fetch mirror://mirrorlist.gerritforge.com/bionic/dists/gerrit/Release.gpg The following signatures were invalid: EXPKEYSIG 847005AE619067D5 GerritForge <in...@gerritforge.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

And from "apt-key list":

/etc/apt/trusted.gpg
--------------------
pub rsa3072 2019-02-09 [SC] [expired: 2021-02-08]
9911 F82E 2783 6B7F AE85 090D 8470 05AE 6190 67D5
uid [ expired] GerritForge <in...@gerritforge.com>

Thanks,

Michael Tughan

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/ca8d73d8-e432-4486-b826-b1ef2f288494n%40googlegroups.com.

[Luca Milanesio]

On 13 Feb 2021, at 14:09, luca.mi...@gmail.com wrote:

Sent from my iPhone

On 13 Feb 2021, at 13:52, Michael Tughan <mtu...@gmail.com> wrote:



Hello all,

Just a note that it appears that GerritForge's DEB signing key, used to sign the packages in their APT repository, expired on February 8th and is no longer trusted by my Ubuntu system. Can someone look into it and see about getting a new key issued?

Apologies for that: will look into it and get a new signing key to re-release the packages.

Luca

From "apt update":

Ign:8 http://bionic.gerritforge.com gerrit InRelease
Hit:10 http://bionic.gerritforge.com gerrit Release
Err:11 mirror://mirrorlist.gerritforge.com/bionic gerrit Release.gpg
The following signatures were invalid: EXPKEYSIG 847005AE619067D5 GerritForge <in...@gerritforge.com>

...

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://bionic.gerritforge.com gerrit Release: The following signatures were invalid: EXPKEYSIG 847005AE619067D5 GerritForge <in...@gerritforge.com>
W: Failed to fetch mirror://mirrorlist.gerritforge.com/bionic/dists/gerrit/Release.gpg The following signatures were invalid: EXPKEYSIG 847005AE619067D5 GerritForge <in...@gerritforge.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

And from "apt-key list":

/etc/apt/trusted.gpg
--------------------
pub rsa3072 2019-02-09 [SC] [expired: 2021-02-08]
9911 F82E 2783 6B7F AE85 090D 8470 05AE 6190 67D5
uid [ expired] GerritForge <in...@gerritforge.com>

Hi Michael,

The public key has been extended and it should now work as expected.

Let me know in case of any further issues.

Luca.

[Michael Tughan]

Thanks Luca. I needed to run "sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 847005AE619067D5" in order to download the updated key from the Ubuntu keyserver in order to clear the expired signature error, but it works fine afterwards.