Something wrong with Jitsi GPG key

emrah · May 30, 2020, 11:07am

wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
gpg: no valid OpenPGP data found.

And while updated

apt-get --allow-insecure-repositories update
...
...
E: Failed to fetch https://download.jitsi.org/stable/Packages  Certificate verification failed:
The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not
handshake: Error in the certificate verification. [IP: 130.79.200.22 443]

Ismael_Molina_M · May 30, 2020, 12:18pm

Same issue here!

tabacha · May 30, 2020, 12:25pm

It is not the GPG Key, but the https keychain.

root@meet:~# wget  -v -O - https://download.jitsi.org/jitsi-key.gpg.key

--2020-05-30 12:11:57--  https://download.jitsi.org/jitsi-key.gpg.key
Resolving download.jitsi.org (download.jitsi.org)... 2001:660:2402::22, 130.79.200.22
Connecting to download.jitsi.org (download.jitsi.org)|2001:660:2402::22|:443... connected.
ERROR: The certificate of 'download.jitsi.org' is not trusted.
ERROR: The certificate of 'download.jitsi.org' has expired.

The download.jitisi.org key is singed by a key which is signed by a key which is expired., See: https://www.ssllabs.com/ssltest/analyze.html?d=download.jitsi.org&s=2001%3A660%3A2402%3A0%3A0%3A0%3A0%3A22&latest or screenshot

tabacha · May 30, 2020, 12:47pm

As a workaround you could change the url in /etc/apt/sources.list.d/jitsi_meet.list to http:

deb http://download.jitsi.org/ stable/

As the packages are still signed by gpg and the gpg key is valid, the security impact can be okay, if you a have proven the gpg key before.

simon42 · May 30, 2020, 12:51pm

This is definitely not best practice, but you can make apt skip the certificate check, if you have to install jitsi/jibri/… right now

echo 'Acquire::https::download.jitsi.org::Verify-Peer "false";' | tee /etc/apt/apt.conf.d/80jitsi-ssl-exceptions

Just don’t forget to remove this, after the certificate is working again…

Edit: Or just use http as @tabacha suggested…

CDN_Hammer · May 30, 2020, 12:48pm

Presumably there is a way to alert the devs that the key has expired?

tabacha · May 30, 2020, 12:50pm

I would suggest the admins to use lets-encrypt for https. Any other solution does not work better, as you did not change the certificates as often and not automaticly.

tabacha · May 30, 2020, 12:51pm

@simon42 if you do this with apt.conf, there will be no https checking for any repository.

simon42 · May 30, 2020, 12:53pm

Just updated my post to just disable the check of the jitsi server

echo 'Acquire::https::download.jitsi.org::Verify-Peer "false";' | tee /etc/apt/apt.conf.d/80jitsi-ssl-exceptions

KEYLETAL · May 30, 2020, 1:04pm

The issue has been reported on the official development site and the developers have been notified. Will be fixed shortly I think.

dllwillie · May 30, 2020, 1:48pm

Thanks guys I have spend entire day encountering this error