GPG signature expired #307
Comments
While this bug is probably in clearing process - how can I meanwhile get completely rid of this error message (most likely by temporarily uninstalling)? By now it is hindering me from an upgrade process of my system (Linux Mint 20.3 --> 21 (ubuntu 22.04)). Edit: I finally found how to remove the repo after purging (missed it in first try): LinuxMint 'update manager' --> Edit --> Software Sources --> 'Additional Repositories' remove ungoogled-chromium entry. |
Sorry to hear that this broke your updates completely. I'm not really sure how to proceed here sadly |
run the following as root:
(or just manually prepend a "#" to your file in /etc/apt/sources.list.d). This will remove the repo as a source. I'm new here but it looks like this issue has been around for a while. Is this repo maintained or what is the deal? |
The debian packaging is effectively unmaintained. I fear we and the current maintainer are lacking the capacity to keep it updated. At the moment I would recommend using the flatpak |
Why not just create a new GPG key? |
Meaning it shouldn't be used or nobody wants to update it? |
Meaning that there is nobody to update it |
Would have to build it myself then? |
That would be one of the options, recommended one even. |
I don't know if I've missed something, but shouldn't this repo then say something like (at the top) "The debian package repo is effectively unmaintained, please refer to the main repo for instructions on how to build from source" ? I was not aware and tried to add the repo only to get the error and find this issue. It would save many people time to just have that disclaimer. |
No longer relevant. |
How is this no longer relevant? I'm getting the error message now |
Note that the OBS repo hasn't been maintained for some time. Even if you got past the signature issue, I plan to get the repo back online eventually, but it's a work in progress. (You can build u-c from source yourself using the conversion framework recently added here, but that's obviously a lot to ask of our users.) |
@iskunk I didn't know about that conversion page, but I did actually try compiling from source via the "Building a Binary Package" instructions on the main page. I installed all the dependencies successfully, but when it came to the final step ( Is there any urgent reason I should still compile from source if the deb package works? Any major security issues? |
The Ubuntu section of the OBS site is no better off, I'm afraid. Only the Arch Linux one has a current version. I would strongly advise not running version 112. To illustrate why, I would suggest having a look at the changelog for version 119.0.6045.159, which is current as of this writing. (That link is actually to the Debian package changelog, not the official Chromium one, but it will do for our purposes.) There, you can see that the latest version is a security release. There are two CVEs listed, each one indicating a security vulnerability of one form or another. Those two are fixed in that release. Now, the version currently in the Jammy section is 112.0.5615.121, which came out in mid-April. You have to scroll down a bit to find it in the log (Ctrl-F is probably best). Look, that one was also a security release, with one fixed CVE. Okay. Now... scroll up from the entry for that old version, and take note of every CVE listed above. Alllll those CVEs are unaddressed in the version of Chromium that you downloaded 😓 Compiling Chromium from source can be tricky. The main scripts in this repo haven't been maintained lately---that's ultimately why the OBS repo has fallen behind. The conversion framework works, FWIW, but that is additional tooling that you may or may not be comfortable with using. The easiest option, assuming you are on Ubuntu jammy or later, would be to use the XtraDeb build (or, alternately, the XtraDeb source, which has already been run through the conversion process). |
Is it still unmaintained? Furthermore, why is this issue closed? |
Hi @satonotdead, At this point, the solution is in #349, and it is awaiting review by the project principals. Please follow that issue to stay on top of the Debian repo coming back to life! This issue has been closed for a while, but it is really a side effect of the problem (lack of repo maintenance), not the problem itself. Even if the signature were updated, we don't have a current package to distribute (using that signature) yet, so there's not much point in addressing this issue alone. |
OS/Platform
Debian, Ubuntu, and derivatives
Installed
OS/Platform's package manager
Version
all
Tested upstream?
Description
GPG signature has expired
How to Reproduce?
curl -s 'https://download.opensuse.org/repositories/home:/ungoogled_chromium/Debian_Bullseye/Release.key' | gpg
Actual behaviour
apt is refusing the repository, because the signature expired
Expected behaviour
signature should be valid
Relevant log output
Additional context
No response
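Added example, not part of the original issue or the project's tooling: a way to check a repository key's expiry non-interactively by parsing GnuPG's machine-readable `--with-colons` listing instead of reading the human output of the reproduce command above. The function names and the sample records are constructed for illustration; the key IDs are placeholders, not the real repository key.

```shell
#!/bin/sh
# Report the expiry status of keys in `gpg --with-colons` output.
# Colon-record fields used here (GnuPG doc/DETAILS):
#   1 = record type (pub/sub/uid/...), 5 = key ID,
#   7 = expiration time in epoch seconds, empty if the key never expires.

# key_status NOW
# Reads colon records on stdin and prints "<type> <keyid> <status>" for each
# primary key and subkey. NOW is the reference time in epoch seconds, passed
# explicitly so the result is reproducible.
key_status() {
    awk -F: -v now="$1" '
        $1 == "pub" || $1 == "sub" {
            if ($7 == "") {
                status = "no-expiry"
            } else if ($7 ~ /T/) {
                # Some listings use ISO 8601 timestamps; flag, do not guess.
                status = "unparsed"
            } else if ($7 + 0 <= now + 0) {
                status = "expired"
            } else {
                status = "ok"
            }
            print $1, $5, status
        }'
}

# Constructed sample records (hypothetical key, placeholder key IDs).
sample_records() {
    cat <<'EOF'
pub:e:2048:1:AAAAAAAAAAAAAAAA:1600000000:1660000000::-:::sc::::::23::0:
uid:e::::1600000000::0000000000000000000000000000000000000000::Example Repo <repo@example.invalid>::::::::::0:
sub:-:2048:1:BBBBBBBBBBBBBBBB:1600000000:::::e::::::23:
EOF
}

# Offline demonstration against the constructed records.
sample_records | key_status 1700000000

# Live use (needs network and gpg), with the URL from the report above:
#   curl -s "$URL" | gpg --show-keys --with-colons | key_status "$(date +%s)"
```

An `expired` line for the `pub` record is the condition that makes apt refuse the repository, as described under "Actual behaviour".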