During a recent prod install (for testing #705), I observed a failure related to the FPF apt repo:
----------
ID: configure-apt-test-apt-repo
Function: pkgrepo.managed
Name: deb [arch=amd64] https://apt.freedom.press buster main
Result: False
Comment: Failed to configure repo 'deb [arch=amd64] https://apt.freedom.press buster main': W: GPG error: https://apt.freedom.press buster Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 310F561200F4AD77
E: The repository 'https://apt.freedom.press buster Release' is not signed.
Started: 21:47:56.138879
Duration: 5054.719 ms
Changes:
----------
Clearly related to #700, although we were careful to update the securedrop-keyring package to ensure both keys were present. The NO_PUBKEY message refers to the old/current key, suggesting that only the new key is present in the template.
The error output above is from the provisioning of whonix-gw-15, where we do install the keyring package, but only after initial provisioning. Unlike the SDW templates, there is no SD/FPF key present inside the template before we add packages to it, so the initial bootstrapping fails, since it used only the new key.
Solution would be to re-sign the buster Release file with the new key pronto.
As a temporary workaround, first-time installers can copy the old/current pubkey into whonix-gw-15 directly from dom0, at /srv/salt/sd/sd-workstation/securedrop-release-signing-pubkey-LEGACY.asc, then apt-key add - it in the TemplateVM.
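A pre-flight check for the condition reported in this issue, as an added example that is not part of the thread or of the project's code: it extracts the key IDs apt reports as `NO_PUBKEY` and lists those missing from a keyring listing in `gpg --with-colons` format. The function names and the sample keyring listings are constructed, and `0123456789ABCDEF` is a placeholder standing in for the new key.

```shell
#!/bin/sh
# Added example, not from the issue thread. Compares the key IDs apt reports as
# NO_PUBKEY with the key IDs present in a keyring listing.

# Constructed sample: the apt warning quoted in the report above.
APT_OUTPUT="W: GPG error: https://apt.freedom.press buster Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 310F561200F4AD77"

# Constructed sample: `gpg --with-colons` style listing holding only a
# placeholder "new" key (0123456789ABCDEF is not a real key ID).
KEYRING_NEW_ONLY="pub:-:4096:1:0123456789ABCDEF:1609459200:::-:::scESC:
uid:-::::1609459200::::Constructed New Key <new@example.invalid>:"

# Constructed sample: the same listing plus the key ID named in the apt error.
KEYRING_BOTH="$KEYRING_NEW_ONLY
pub:-:4096:1:310F561200F4AD77:1400000000:::-:::scESC:"

# Read apt output on stdin; print each NO_PUBKEY key ID once, one per line.
missing_keys_from_apt() {
    grep -o 'NO_PUBKEY [0-9A-F]\{16\}' | awk '{print $2}' | sort -u
}

# Read a colon-format key listing on stdin; print the long key ID
# (field 5) of every primary key and subkey record.
keyids_in_keyring() {
    awk -F: '$1 == "pub" || $1 == "sub" {print $5}' | sort -u
}

# $1 = apt output, $2 = colon-format keyring listing.
# Print the key IDs apt asked for that the keyring does not contain.
unsatisfied_keys() {
    have=$(printf '%s\n' "$2" | keyids_in_keyring)
    printf '%s\n' "$1" | missing_keys_from_apt | while read -r id; do
        printf '%s\n' "$have" | grep -qxF "$id" || printf '%s\n' "$id"
    done
}

# With only the placeholder new key present, the old key is reported missing.
unsatisfied_keys "$APT_OUTPUT" "$KEYRING_NEW_ONLY"
```

Empty output from `unsatisfied_keys` means every key apt asked for is in the listing, which is the state the keyring package is meant to produce once both keys are installed.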