GPG signature expired #307

Closed
2 tasks
arminfelder opened this issue Jul 25, 2022 · 18 comments
Labels
bug Something isn't working

Comments

@arminfelder

OS/Platform

Debian, Ubuntu, and derivatives

Installed

OS/Platform's package manager

Version

all

Tested upstream?

  • I have tried reproducing this issue in Chrome and it could not be reproduced there
  • I have tried reproducing this issue in vanilla Chromium and it could not be reproduced there

Description

GPG signature has expired

How to Reproduce?

curl -s 'https://download.opensuse.org/repositories/home:/ungoogled_chromium/Debian_Bullseye/Release.key' | gpg

Actual behaviour

apt is refusing the repository, because the signature expired

Expected behaviour

signature should be valid

Relevant log output

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2020-04-24 [SC] [expired: 2022-07-03]
      157C212D66D9B95118C5EDD302456C79B2FD48BF
uid           home:ungoogled_chromium OBS Project <home:[email protected]>

Additional context

No response

@arminfelder arminfelder added the bug Something isn't working label Jul 25, 2022
@networkException networkException transferred this issue from ungoogled-software/ungoogled-chromium Jul 25, 2022
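
Added example (not part of the original report or the project's tooling): a shell function that reads `gpg --with-colons` output and reports each key's expiry state, so an expiring repository key is noticed before apt starts rejecting the repository. The sample listing is constructed from the fingerprint and dates in the log above, with timestamps assumed to be midnight UTC; `key_expiry_report` and `sample_listing` are hypothetical names.

```shell
#!/bin/sh
# Added example: classify keys in a `gpg --with-colons` listing by expiry.
# Typical use (needs GnuPG 2.2 or later and network access, so not run here):
#   curl -s "$KEY_URL" | gpg --show-keys --with-colons | key_expiry_report "$(date +%s)"

key_expiry_report() {
  # $1 = reference time in epoch seconds; stdin = colon-format key listing.
  # Field 7 of a pub/sub record is the expiry time (empty = never expires);
  # field 10 of the fpr record that follows it is the fingerprint.
  awk -F: -v now="$1" '
    $1 == "pub" || $1 == "sub" { kind = $1; expiry = $7; pending = 1; next }
    $1 == "fpr" && pending {
      pending = 0
      if (expiry == "")                    state = "no-expiry"
      else if (expiry + 0 <= now + 0)      state = "EXPIRED"
      else if (expiry - now < 30 * 86400)  state = "EXPIRING"   # under 30 days left
      else                                 state = "ok"
      print kind, $10, state
    }'
}

sample_listing() {
  # Constructed sample: fingerprint and dates come from the log output above,
  # timestamps are assumed to be 00:00 UTC, the uid record has no e-mail address.
  cat <<'EOF'
pub:e:2048:1:02456C79B2FD48BF:1587686400:1656806400::-:::sc::::::23::0:
fpr:::::::::157C212D66D9B95118C5EDD302456C79B2FD48BF:
uid:e::::1587686400::::home\x3aungoogled_chromium OBS Project::::::::::0:
EOF
}

# Evaluate the sample as of 2022-07-25, the day the issue was opened.
sample_listing | key_expiry_report 1658707200
```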
@therob84

therob84 commented Aug 10, 2022

While this bug is probably in clearing process - how can I meanwhile get completely rid of this error message (most likely by temporarily uninstalling)?

By now it is hindering me from an upgrade process of my system (Linux Mint 20.3 --> 21 (ubuntu 22.04)).
I already tried apt remove --purge ungoogled-chromium and manually removed the GPG keys in the UI of Pkexec.
But the error message is still the show blocker of my upgrade progress.
In short: I can't find uninstall information if I followed installation process of OBS package from here.
Any help?

Edit: I finally found how to remove the repo after purging (missed it in first try): LinuxMint 'update manager' --> Edit --> Software Sources --> 'Additional Repositories' remove ungoogled-chromium entry.

@networkException
Member

Sorry to hear that this broke your updates completely. I'm not really sure how to proceed here sadly

@NGeorgescu

run the following as root:

# cd /etc/apt/sources.list.d/ && echo -e "#$(cat home-ungoogled_chromium.list)" > home-ungoogled_chromium.list

(or just manually prepend a "#" to your file in /etc/apt/sources.list.d). This will remove the repo as a source.

I'm new here but it looks like this issue has been around for a while. Is this repo maintained or what is the deal?

@networkException
Member

The debian packaging is effectively unmaintained. I fear we and the current maintainer are lacking the capacity to keep it updated. At the moment I would recommend using the flatpak

@ghost

ghost commented Sep 6, 2022

Why not just create a new GPG key?

@PF4Public

PF4Public commented Sep 6, 2022

Why not just create a new GPG key?

The debian packaging is effectively unmaintained.

@ghost

ghost commented Sep 6, 2022

Why not just create a new GPG key?

The debian packaging is effectively unmaintained.

Meaning it shouldn't be used or nobody wants to update it?

@networkException
Member

Meaning that there is nobody to update it

@ghost

ghost commented Sep 6, 2022

Would have to build it myself then?

@PF4Public

Would have to build it myself then?

That would be one of the options, recommended one even.

@arebokert

The debian packaging is effectively unmaintained.

I don't know if I've missed something, but shouldn't this repo then say something like (at the top)

"The debian package repo is effectively unmaintained, please refer to the main repo for instructions on how to build from source" ?

I was not aware and tried to add the repo only to get the error and find this issue. It would save many people time to just have that disclaimer.

@ghost

ghost commented Apr 10, 2023

No longer relevant.

@ghost ghost closed this as completed Apr 10, 2023
@fir3-1ce

How is this no longer relevant? I'm getting the error message now

@iskunk
Contributor

iskunk commented Nov 19, 2023

How is this no longer relevant? I'm getting the error message now

Note that the OBS repo hasn't been maintained for some time. Even if you got past the signature issue, Debian_Bullseye is no longer present, and Debian_Sid only has version 112 from last April.

I plan to get the repo back online eventually, but it's a work in progress. (You can build u-c from source yourself using the conversion framework recently added here, but that's obviously a lot to ask of our users.)

@fir3-1ce

@iskunk
Thanks, but I ended up just installing the Jammy deb directly from the OpenSUSE website. I assume that's not maintained either?

I didn't know about that conversion page, but I did actually try compiling from source via the "Building a Binary Package" instructions on the main page. I installed all the dependencies successfully, but when it came to the final step (dpkg-buildpackage -b -uc), it failed. So that's when I just downloaded the precompiled deb.

Is there any urgent reason I should still compile from source if the deb package works? Any major security issues?

@iskunk
Contributor

iskunk commented Nov 25, 2023

The Ubuntu section of the OBS site is no better off, I'm afraid. Only the Arch Linux one has a current version.

I would strongly advise not running version 112.

To illustrate why, I would suggest having a look at the changelog for version 119.0.6045.159, which is current as of this writing. (That link is actually to the Debian package changelog, not the official Chromium one, but it will do for our purposes.)

There, you can see that the latest version is a security release. There are two CVEs listed, each one indicating a security vulnerability of one form or another. Those two are fixed in that release.

Now, the version currently in the Jammy section is 112.0.5615.121, which came out in mid-April. You have to scroll down a bit to find it in the log (Ctrl-F is probably best). Look, that one was also a security release, with one fixed CVE.

Okay. Now... scroll up from the entry for that old version, and take note of every CVE listed above.

Alllll those CVEs are unaddressed in the version of Chromium that you downloaded 😓

Compiling Chromium from source can be tricky. The main scripts in this repo haven't been maintained lately---that's ultimately why the OBS repo has fallen behind. The conversion framework works, FWIW, but that is additional tooling that you may or may not be comfortable with using.

The easiest option, assuming you are on Ubuntu jammy or later, would be to use the XtraDeb build (or, alternately, the XtraDeb source, which has already been run through the conversion process).
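
The changelog walk described in the comment above, as an added example (not part of the thread or the project's tooling): a shell function that lists every CVE ID found in changelog entries newer than the installed version. It assumes a Debian-format changelog with the newest entry first; `cves_since` and `sample_changelog` are hypothetical names, and the sample's middle version and `CVE-0000-*` IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: list CVE IDs from changelog entries newer than the installed version.

cves_since() {
  # $1 = installed upstream version; stdin = Debian-format changelog, newest first.
  # Prints each CVE ID once; exits 2 with no output if the version has no entry.
  awk -v have="$1" '
    /^[a-z0-9][a-z0-9+.-]* \(/ {            # entry header: "package (version) dist; ..."
      ver = $2
      gsub(/[()]/, "", ver)
      sub(/^[0-9]+:/, "", ver)              # drop epoch
      sub(/-[^-]*$/, "", ver)               # drop Debian revision
      if (ver == have) { found = 1; exit }  # reached the installed entry: stop
      next
    }
    {
      line = $0
      while (match(line, /CVE-[0-9]+-[0-9]+/)) {
        id = substr(line, RSTART, RLENGTH)
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        line = substr(line, RSTART + RLENGTH)
      }
    }
    END {
      if (!found) exit 2
      for (i = 1; i <= n; i++) print order[i]
    }'
}

sample_changelog() {
  # Constructed sample, trimmed to header and change lines. The outer versions are
  # the ones named in the thread; the middle version and all CVE IDs are placeholders.
  cat <<'EOF'
chromium (119.0.6045.159-1) unstable; urgency=high
  * New upstream security release.
    - CVE-0000-0001: placeholder
    - CVE-0000-0002: placeholder
chromium (115.0.0.0-1) unstable; urgency=high
  * New upstream security release.
    - CVE-0000-0003: placeholder
    - CVE-0000-0001: follow-up fix (repeated ID)
chromium (112.0.5615.121-1) unstable; urgency=high
  * New upstream security release.
    - CVE-0000-0004: placeholder, already fixed in the installed version
EOF
}

sample_changelog | cves_since 112.0.5615.121
```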

@satonotdead

Is it still unmaintained? Furthermore, why is this issue closed?

@iskunk
Contributor

iskunk commented Oct 27, 2024

Is it still unmaintained? Furthermore, why is this issue closed?

Hi @satonotdead,

At this point, the solution is in #349, and it is awaiting review by the project principals. Please follow that issue to stay on top of the Debian repo coming back to life!

This issue has been closed for a while, but it is really a side effect of the problem (lack of repo maintenance), not the problem itself. Even if the signature were updated, we don't have a current package to distribute (using that signature) yet, so there's not much point in addressing this issue alone.

This issue was closed.