New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
apt updates from apt.freedom.press silently failing due to key expiry #713
Comments
I just want to note that the updater runs successfully without error on prod and the client seems to work fine, but still looking into reproing by following your steps. I can also verify this assumption after some more testing and report back here:
|
I'm still getting the EXPKEYSIG failure when running |
Removing stale copies in |
@zenmonkeykstop pushed a re-signed That means it's now available via apt-qa: https://apt-qa.freedom.press/ Switching my template to apt-qa, I can successfully run I would suggest opening a PR from |
I can confirm that this was resolved via https://github.com/freedomofpress/securedrop-debian-packages-lfs/pull/56 ; templates that previously failed to update apt.freedom.press are now re-fetching the index and installing packages. |
Steps to reproduce
prod
sudo apt update
insd-small-buster-template
Expected behavior
Package index is updated
Actual behavior
apt
prints an error:The repo is dual-signed, but one of the keys expiring appears to be sufficient for
apt
to no longer consider the signature valid.apt
exits0
, and our updater (which triggers updates via Salt) does not error out. However, given the output above, I am assuming updates we issue will no longer be successfully fetched or applied until we switch to the single valid signing key.The text was updated successfully, but these errors were encountered: