The signing key in
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg does not appear
to be expired, so I guess some repository metadata signature has
expired. Does anyone else encounter this issue?
The signing key in
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg does not appear
to be expired, so I guess some repository metadata signature has
expired. Does anyone else encounter this issue?
Had the same thing today and saw that some machines had a newer archive key in:
/usr/share/keyrings/tor-archive-keyring.gpg
I also ran into this issue. Following the current instructions [1] and adding a signed-by
in sources.list fixed this for me:
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] Index of /torproject.org <DISTRIBUTION> main
Looks like the expiration date on the key was changed and the package deb.torproject.org-keyring
only updates that key in /usr/share/keyrings/. I can't but wonder if everyone that doesn't have a
signed-by is affected, which must be quite a few.
The signing key in
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg does not appear
to be expired, so I guess some repository metadata signature has
expired. Does anyone else encounter this issue?
gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg
/dev/null
I thought that the package deb.torproject.org-keyring should keep the
signing key up-to-date, however the package was installed and is the
newest version (unattended-upgrades activated for TorProject
repository).
# apt install deb.torproject.org-keyring
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
deb.torproject.org-keyring is already the newest version
(2022.04.27.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
The signing key in
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg does not appear
to be expired, so I guess some repository metadata signature has
expired. Does anyone else encounter this issue?
Yeah I had the public signing key in both /etc/apt/trusted.gpg.d and
/usr/share/keyrings. I had to manually update the key in
/usr/share/keyrings/tor-archive-keyring.gpg as that file was referenced
by my sources.list file. Not sure how it ended up in two places. Thanks
for pointing this out!
···
On Tue, 14 Jun 2022 19:19:54 +0200 Peter Gerber <tor-lists@arbitrary.ch> wrote:
Looks like the expiration date on the key was changed and the package
deb.torproject.org-keyring only updates that key in
/usr/share/keyrings/. I can't but wonder if everyone that doesn't
have a signed-by is affected, which must be quite a few.