Topic: syncing to repo.novena.io

Life was busy when y Novena arrived, after a day playing with it it went on the shelf, now I want to spend some time with it and (after I got the undercharged battery fixed) I'm trying to turn it into my hacking laptop .... strangely the wifi has stopped working ..... first though I'm trying to sync up to date .... but the novena repository's keys seem bad (refreshing them from public keystores seems to give the same key)

Any ideas? "apt-get update" fives the following


W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: //repo.novena.io jessie InRelease: The following signatures were invalid: KEYEXPIRED 1446629246 KEYEXPIRED 1446629246 KEYEXPIRED 1446629246 KEYEXPIRED 1446629246

W: Failed to fetch //repo.novena.io/repo/dists/jessie/InRelease

W: Some index files failed to download. They have been ignored, or old ones used instead.

("http:" removed to get around forum limitations)

Re: syncing to repo.novena.io

by "forum limitations" I mean that the forum software wont let me post a message with 2 urls in it, the error message from apt-get did, the original error messages had correct http: prefixes in them

Re: syncing to repo.novena.io

Maybe manually installing the kosagi-repo package, then re-trying to sync would help?

http://repo.novena.io/debian/pool/main/k/kosagi-repo/

You might also be able to hack around the keys by removing them from /etc/apt.d/repos/kosagi.conf (that's probably not the right file path). I think there's a key hash in the config file there, and if you remove it, it might bypass the check. Obviously not good for security, and I don't even know if it'll work, but it's another thing you might try.

Re: syncing to repo.novena.io

I just noticed this as well.

It seems the key expired a few days ago, and they have yet to post a new one:

# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   4096R/03C7B7EC 2014-11-04
uid                  Kosagi Debian Signing Key (Signing key for Kosagi debian repos) <xobs@kosagi.com>
sub   4096R/BE17A7FB 2014-11-04

I've just emailed the address listed: xobs@kosagi.com

Re: syncing to repo.novena.io

As far as I can tell, there's no way to sign a repo with two keys.  The solution we came up with was to move to a new repo, which dbtayl mentioned.  That change was pushed last month, but of course that doesn't help people who haven't done an apt-get update since then.

The new repo has a new key 4096R/4C0E70D9 expiring 2020-08-24.  It is in the kosagi-repo package mentioned.

You can get it from the older repo, signed by the expired key, at:

http://repo.novena.io/repo/pool/main/k/kosagi-repo/

Or from the new repo, signed with the new key, at:

http://repo.novena.io/debian/pool/main/k/kosagi-repo/

Re: syncing to repo.novena.io

xobs wrote:

As far as I can tell, there's no way to sign a repo with two keys.  The solution we came up with was to move to a new repo, which dbtayl mentioned.  That change was pushed last month, but of course that doesn't help people who haven't done an apt-get update since then.

The new repo has a new key 4096R/4C0E70D9 expiring 2020-08-24.  It is in the kosagi-repo package mentioned.

You can get it from the older repo, signed by the expired key, at:

...

Or from the new repo, signed with the new key, at:

...

According to my understanding, following procedure should update the key when booting via the mmc-image.

sudo apt-get update

Is it necessary to run

sudo apt-get install debian-keyring debian-archive-keyring

in order to provide all the necessary keys, too?

The new repository was missing kosagi-repo_1.1-r1_all.deb at the time of this post. Is this on purpose?

Re: syncing to repo.novena.io

The new repository doesn't have 1.1-r1 of kosagi-repo because that is an older version of the package.  It points to the old repo, which is using an expired key.

You won't be able to get the new key anymore using "apt-get update" because it won't accept the older repo anymore, due to the fact that the key is expired.

Re: syncing to repo.novena.io

I tried resolving this by deleting the expired key:

apt-key del 03C7B7EC
apt-key del BE17A7FB

Then installing the new one:

apt-get install debian-keyring
gpg --keyserver pgp.mit.edu --recv-keys 4C0E70D9
gpg --armor --export 4C0E70D9 | apt-key add -

All of that seemed to succeed, but when I tried this:

apt-key update

I get this error:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.novena.io jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 602D46AE38D68B72

W: Failed to fetch http://repo.novena.io/repo/dists/jessie/InRelease  

W: Some index files failed to download. They have been ignored, or old ones used instead.

So do I need to change the contents of /etc/apt/sources.list as well?

Re: syncing to repo.novena.io

At this point, yes.

I will put together a new version of kosagi-repo today with http://repo.novena.io/repo/ removed, so that error will go away now.  It will be version 1.3-r1.

Re: syncing to repo.novena.io

I could not remove repo.novena.io from /etc/apt/sources.list as it was not there in the first place, but I was still getting key errors.

I eventually found it in /etc/apt/sources.list.d/kosagi.list  once I removed it from there things worked

11 (edited by briny 2015-11-21 15:18:43)

Re: syncing to repo.novena.io

I believe I have the new key installed:

# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   4096R/4C0E70D9 2015-08-26 [expires: 2020-08-24]
uid                  Kosagi Debian Signing Key (Signing key for Kosagi debian repos) <xobs@kosagi.com>
sub   4096R/02214FD5 2015-08-26 [expires: 2020-08-24]

But when when I run

# apt-get update

I get the following:

W: There is no public key available for the following key IDs:
9D6D8F6BC857C906
W: GPG error: http://repo.novena.io jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F899B4CA0F7B2548
W: There is no public key available for the following key IDs:
7638D0442B90D010

Re: syncing to repo.novena.io

Keys 9D6D8F6BC857C906 and 7638D0442B90D010 seem to be Debian release keys from the Debian developers. Others have apparently installed the updated keys using:

 $ sudo apt-get install debian-archive-keyring debian-keyring

However, I am still getting the middle error (tt changed to xx):

 W: GPG error: hxxp://repo.novena.io jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F899B4CA0F7B2548 

So, are we still missing a Kosagi public key for something?

briny wrote:

I believe I have the new key installed:

# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   4096R/4C0E70D9 2015-08-26 [expires: 2020-08-24]
uid                  Kosagi Debian Signing Key (Signing key for Kosagi debian repos) <xobs@kosagi.com>
sub   4096R/02214FD5 2015-08-26 [expires: 2020-08-24]

But when when I run

# apt-get update

I get the following:

W: There is no public key available for the following key IDs:
9D6D8F6BC857C906
W: GPG error: http://repo.novena.io jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F899B4CA0F7B2548
W: There is no public key available for the following key IDs:
7638D0442B90D010

13 (edited by chris4795 2015-12-01 08:07:08)

Re: syncing to repo.novena.io

Hey All,

If you are still having issues, make sure this repository is in /etc/apt/sources.list (or /etc/apt/sources.list.d/kosagi.list)

# Newer repo with a key that goes through 2020.  Signed with 4C0E70D9.
deb http://repo.novena.io/debian/ jessie main
deb-src http://repo.novena.io/debian/ jessie main

This is a different repo. delete the old repo.

The new key is here (like xobs said earlier):
http://repo.novena.io/debian/pool/main/k/kosagi-repo/

Re: syncing to repo.novena.io

Yes, I have the new key and the new repo, and when apt-get checks the package lists at the new repo, it's an unknown key that it complains about. Not 4C0E70D9, which I have, but Key ID 0F7B2548, which I can't find anywhere.

ERROR: signatures couldn't be verified because public key not available: NO_PUBKEY F899B4CA0F7B2548

If I remove http://repo.novena.io/debian/ from my sources list, I stop getting that error, but won't be getting Novena package updates either. So it's that repo that is failing with the key I just mentioned.

chris4795 wrote:

Hey All,

If you are still having issues, make sure this repository is in /etc/apt/sources.list (or /etc/apt/sources.list.d/kosagi.list)

# Newer repo with a key that goes through 2020.  Signed with 4C0E70D9.
deb http://repo.novena.io/debian/ jessie main
deb-src http://repo.novena.io/debian/ jessie main

This is a different repo. delete the old repo.

The new key is here (like xobs said earlier):
http://repo.novena.io/debian/pool/main/k/kosagi-repo/

Re: syncing to repo.novena.io

I just had to go through this on an old board I was bringing up to date so I wrote up instructions here:

http://www.kosagi.com/w/index.php?title … a_repo_key

Apparently, there will be a v1.2 of the kosagi repo package that will get rid of the warning but for now I can confirm it worked on a board that came with an (out of date) factory stock image.

16 (edited by chris4795 2015-12-18 06:11:33)

Re: syncing to repo.novena.io

Hey All,

To get rid of the public key error, I used this:

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9D6D8F6BC857C906
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010

Re: syncing to repo.novena.io

xobs wrote:

The new repository doesn't have 1.1-r1 of kosagi-repo because that is an older version of the package.  It points to the old repo, which is using an expired key.

You won't be able to get the new key anymore using "apt-get update" because it won't accept the older repo anymore, due to the fact that the key is expired.

Got it, thank you. I have been using your reply together with bunnie's instructions and chris4795's post. Checking out the new repository revealed version 1.3-r1 being available.

wget http://repo.novena.io/debian/pool/main/k/kosagi-repo/kosagi-repo_1.3-r1_all.deb
sudo dpkg -i kosagi-repo_1.3-r1_all.deb
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9D6D8F6BC857C906
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
sudo apt-get update

The following

sudo apt-get dist-upgrade

gave no errors. It also included "linux-image-novena" in the package list, thus showing the new repo being validated and used per instructions.

Thank you all for the support.