Something wrong with Jitsi GPG key

wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
gpg: no valid OpenPGP data found.

And while updating:

apt-get --allow-insecure-repositories update
...
...
E: Failed to fetch https://download.jitsi.org/stable/Packages  Certificate verification failed:
The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not
handshake: Error in the certificate verification. [IP: 130.79.200.22 443]
1 Like

Same issue here!

It is not the GPG Key, but the https keychain.

root@meet:~# wget  -v -O - https://download.jitsi.org/jitsi-key.gpg.key

--2020-05-30 12:11:57--  https://download.jitsi.org/jitsi-key.gpg.key
Resolving download.jitsi.org (download.jitsi.org)... 2001:660:2402::22, 130.79.200.22
Connecting to download.jitsi.org (download.jitsi.org)|2001:660:2402::22|:443... connected.
ERROR: The certificate of 'download.jitsi.org' is not trusted.
ERROR: The certificate of 'download.jitsi.org' has expired.

The download.jitsi.org key is signed by a key which is signed by a key which is expired. See: https://www.ssllabs.com/ssltest/analyze.html?d=download.jitsi.org&s=2001%3A660%3A2402%3A0%3A0%3A0%3A0%3A22&latest or screenshot

2 Likes

As a workaround you could change the url in /etc/apt/sources.list.d/jitsi_meet.list to http:

deb http://download.jitsi.org/ stable/

As the packages are still signed by gpg and the gpg key is valid, the security impact can be okay, if you have proven the gpg key before.

1 Like

This is definitely not best practice, but you can make apt skip the certificate check, if you have to install jitsi/jibri/… right now

echo 'Acquire::https::download.jitsi.org::Verify-Peer "false";' | tee /etc/apt/apt.conf.d/80jitsi-ssl-exceptions

Just don’t forget to remove this, after the certificate is working again…

Edit: Or just use http as @tabacha suggested…

Presumably there is a way to alert the devs that the key has expired?

1 Like

I would suggest that the admins use lets-encrypt for https. Any other solution does not work better, as you did not change the certificates as often and not automatically.

@simon42 if you do this with apt.conf, there will be no https checking for any repository.

Just updated my post to just disable the check of the jitsi server

echo 'Acquire::https::download.jitsi.org::Verify-Peer "false";' | tee /etc/apt/apt.conf.d/80jitsi-ssl-exceptions
2 Likes
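
An added example, not part of any post in this thread: a check for the reminder above to remove the exception once the certificate works again. It reports every apt setting that turns off TLS certificate checks and distinguishes a host-scoped exception from a global one; the function name `audit_apt_tls` and the sample input are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report apt settings that switch off
# TLS certificate checks. Reads one-line  Key "value";  settings on stdin,
# the form used in the posts above and printed by `apt-config dump`.
# Prints "GLOBAL <option>" or "HOST <host> <option>" per finding (lowercased)
# and returns 1 if anything is disabled, 0 otherwise.
audit_apt_tls() {
    awk '
    BEGIN { found = 0 }
    {
        n = split($0, part, "\"")            # part[1] = key, part[2] = value
        if (n < 3) next
        key = tolower(part[1]); gsub(/[ \t]/, "", key)
        val = tolower(part[2])
        if (key !~ /^acquire::https::/) next          # also skips commented-out lines
        if (key !~ /::verify-(peer|host)$/) next
        if (val !~ /^(false|no|off|disable|without|0)$/) next   # values apt reads as false
        opt = key;  sub(/^.*::/, "", opt)
        host = key; sub(/^acquire::https::/, "", host)
        sub(/(::)?verify-(peer|host)$/, "", host)
        if (host == "") print "GLOBAL " opt
        else            print "HOST " host " " opt
        found = 1
    }
    END { exit found }
    '
}

# Constructed sample input (not taken from a real system).
SAMPLE_APT_CONF='Acquire::https::download.jitsi.org::Verify-Peer "false";
Acquire::https::Verify-Host "true";
// Acquire::https::Verify-Peer "false";
Acquire::https::Verify-Peer "No";
APT::Install-Recommends "false";'

printf '%s\n' "$SAMPLE_APT_CONF" | audit_apt_tls ||
    echo "TLS verification is disabled for the entries listed above"

# On a real machine: apt-config dump | audit_apt_tls
```

A `GLOBAL` finding means certificate checks are off for every https repository, while a `HOST` finding is limited to the named server.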

The issue has been reported on the official development site and the developers have been notified. Will be fixed shortly I think.

3 Likes

Thanks guys, I have spent the entire day encountering this error