repo-public.gpg expired today

GregO1778 · Post by **GregO1778** » Sat Jul 25, 2020 5:05 pm

Just ran into an issue when trying to update:

An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://build.openvpn.net/debian/openvpn/release/2.4 jessie InRelease: The following signatures were invalid: EXPKEYSIG 8E6DA8B4E158C569 Samuli Seppänen (OpenVPN Technologies, Inc) <samuli@openvpn.net>

Looks like the key expired today:

apt-key list | grep -A 1 expired
Warning: apt-key output should not be parsed (stdout is not a terminal)
pub rsa2048 2011-08-03 [SC] [expired: 2020-07-25]
30EB F4E7 3CCE 63EE E124 DD27 8E6D A8B4 E158 C569
uid [ expired] Samuli Seppänen (OpenVPN Technologies, Inc) <samuli@openvpn.net>

Is there an updated pgp key yet?

I did follow the steps here but it pulls the same key:
https://community.openvpn.net/openvpn/w ... twareRepos

TinCanTech · Post by **TinCanTech** » Sat Jul 25, 2020 6:49 pm

Thanks for the heads-up.

robinl · Post by **robinl** » Sun Jul 26, 2020 5:17 am

The keys on my ubuntu server expired. The openvpn repo can't be updated:

pub 2048R/E158C569 2011-08-03 [expired: 2020-07-25]
uid Samuli Seppänen (OpenVPN Technologies, Inc) <samuli@openvpn.net>

Failed to fetch https://build.openvpn.net/debian/openvp ... /InRelease The following signatures were invalid: KEYEXPIRED 1595684909 KEYEXPIRED 1595684909 KEYEXPIRED 1595684909

I tried to follow the community guide to update the keys but it still says it's expired:

sudo apt-key adv --keyserver keys.gnupg.net --recv-keys E158C569

wget -O - https://swupdate.openvpn.net/repos/repo ... pg|apt-key add -

kl1mov · Post by **kl1mov** » Sun Jul 26, 2020 9:03 pm

hi. Key was expired. Fix this please

johnruiz · Post by **johnruiz** » Mon Jul 27, 2020 7:00 am

Hi,

My key for the OpenVPN Ubuntu repository has expired.

I have followed the instructions in this page: https://community.openvpn.net/openvpn/w ... b_wGZb8dtA and added the key successfully.

However, when I run

Code: Select all

apt-get update

, I receive the following error:

W: Failed to fetch http://build.openvpn.net/debian/openvpn ... /InRelease The following signatures were invalid: EXPKEYSIG 8E6DA8B4E158C569 Samuli Seppänen (OpenVPN Technologies, Inc) <samuli@openvpn.net>

Thanks!

robinl · Post by **robinl** » Mon Jul 27, 2020 10:34 am

Same, there are already 2 topics opened about this. Mine got merged with another one without notice...
Also, it's a bit worrying to see that keys always expires, it happened a few years ago.
Isn't there a way to automate renewal ?

robinl · Post by **robinl** » Mon Jul 27, 2020 10:36 am

Already 4 topics opened about this, the others are in Forum & Website Support section.

I'm not sure why this is still no addressed... it's a pretty big deal since we won't get any update, unattended or not, until the keys are updated.
Isn't it a security issue ?

TinCanTech · Post by **TinCanTech** » Mon Jul 27, 2020 11:15 am

It will be fixed when Samuli can fix it. Until then .....

arktex54 · Post by **arktex54** » Mon Jul 27, 2020 5:00 pm

My request has been rightly added to "repo-public.gpg expired today" thread.

Hi. I have run the following commands and still get invalid signatures.

Debian 10.4
4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux

Code: Select all

apt-key del 30EBF4E73CCE63EEE124DD278E6DA8B4E158C569
apt-key del 8E6DA8B4E158C569
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
root@pi:~# apt update
Err:6 http://build.openvpn.net/debian/openvpn/stable buster InRelease
  The following signatures were invalid: EXPKEYSIG 8E6DA8B4E158C569 Samuli Seppänen (OpenVPN Technologies, Inc) <samuli@openvpn.net>

Code: Select all

root@pi:~# openvpn --version
OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

embarkadero · Post by **embarkadero** » Tue Jul 28, 2020 12:42 am

I believe the GPG key is expired and may need to be updated. I already tried deleting the key via

Code: Select all

apt-key del E158C569 && wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -

as indicated in https://community.openvpn.net/openvpn/w ... twareRepos to no avail. For reference, I'm on Ubuntu 16.04.

robinl · Post by **robinl** » Tue Jul 28, 2020 5:00 am

TinCanTech wrote: ↑
Mon Jul 27, 2020 11:15 am
It will be fixed when Samuli can fix it. Until then .....

Fair enough, and he probably have other things to do.

But I'm just curious to know why this isn't automated and/or why this isn't a priority. Case might be that there is a vulnerability in a version of openvpn and we wouldn't be able to update through apt or to have a proper unattended server because of the key expiry.
It might not be the case today but it might become a security issue one day...

And because there is no announcement, people keep on creating topics: in off-topic (actually I don't see why it's off topic), in Forum & Website Support.
I don't see why it's not in Server Administration.

Post by **Pippin** » Tue Jul 28, 2020 6:57 am

Keys are updated:
viewtopic.php?f=20&t=30710

ruslanp · Post by **ruslanp** » Tue Jul 28, 2020 2:03 pm

I cannon update OpenVPN from the Debian/Ubuntu repo (https://community.openvpn.net/openvpn/w ... twareRepos):

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://build.openvpn.net/debian/openvpn/stable bionic InRelease: The following signatures were invalid: EXPKEYSIG 8E6DA8B4E158C569 Samuli Seppänen (OpenVPN Technologies, Inc) <samuli@openvpn.net>

The signature was expired on 2020-07-25.

Please advise

ruslanp · Post by **ruslanp** » Tue Jul 28, 2020 2:11 pm

Found the solution viewtopic.php?f=20&t=30710

OpenVPN Support Forum

repo-public.gpg expired today

repo-public.gpg expired today

Re: repo-public.gpg expired today

OpenVPN repo keys expired

debian repo key expired

Expired Key

Re: Expired Key

Re: repo-public.gpg expired today

Re: repo-public.gpg expired today

EXPKEYSIG

GPG Key Expired

Re: repo-public.gpg expired today

Re: repo-public.gpg expired today

Expired Key

Re: Expired Key