Stable repo key B4D2D216F1FD7806

Seems that with the new update, the stable repo got signed with a new gpg key:
I’m getting an error:

NO_PUBKEY B4D2D216F1FD7806

Is there an .asc file somewhere? Maybe I’m just missing something.
Seems the key is not yet available at my usual fetch keyservers.

https://keys.openpgp.org/search?q=dev@jitsi.org

1 Like

This works,

sudo apt-key adv --keyserver hkps://keys.openpgp.org --recv-keys B4D2D216F1FD7806
3 Likes

I think this is the key matching the apt-get error:

https://keys.openpgp.org/vks/v1/by-fingerprint/FFD65A0DA2BEBDEB73D44C8BB4D2D216F1FD7806

However:

gpg --import FFD65A0DA2BEBDEB73D44C8BB4D2D216F1FD7806.asc 
gpg: key B4D2D216F1FD7806: new key but contains no user ID - skipped

(I’m trying to import the key to export it in .gpg format and put it somewhere in /etc/apt/trusted.gpg.d)

So, it does not work for me. I’m using Debian 10.

After some search, I found this:

You are probably using the keys.openpgp.org keyserver, which has an owner approval system – it will strip all user IDs unless the owner of the corresponding email address has allowed them to be published.

This finally worked for me:

gpg --recv-keys FFD65A0DA2BEBDEB73D44C8BB4D2D216F1FD7806

Well, you can use:

wget -qO -  https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -

It also seems to be updated already.

1 Like

There was a collision on openpgp.org; it did not like us using the same email for multiple keys. The gpg import should be working again if you re-download from keys.openpgp.org

Hmm… none of this is making apt happy for me.

wget -qO -  https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
OK

and

# gpg --recv-keys FFD65A0DA2BEBDEB73D44C8BB4D2D216F1FD7806
gpg: key B4D2D216F1FD7806: "Jitsi <dev@jitsi.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

or

gpg --refresh-keys
gpg: refreshing 1 key from hkps://keys.openpgp.org
gpg: key B4D2D216F1FD7806: "Jitsi <dev@jitsi.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

or

# apt-key adv --keyserver hkps://keys.openpgp.org --recv-keys B4D2D216F1FD7806
Executing: /tmp/apt-key-gpghome.doWETnrjnb/gpg.1.sh --keyserver hkps://keys.openpgp.org --recv-keys B4D2D216F1FD7806
gpg: key B4D2D216F1FD7806: "Jitsi <dev@jitsi.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

then still

# apt update

W: Failed to fetch https://download.jitsi.org/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B4D2D216F1FD7806

I admit to being a little dense regarding things gpg-related. Did I miss something?

Are you running this with root?
Otherwise use sudo apt-key add -

Yes, root.

also

# apt-key list
/etc/apt/trusted.gpg
pub   rsa4096 2021-04-15 [SC]
      FFD6 5A0D A2BE BDEB 73D4 4C8B B4D2 D216 F1FD 7806
uid           [ unknown] Jitsi <dev@jitsi.org>
sub   rsa4096 2021-04-15 [E]

…which I guess makes it pretty clear I still have a key that expired yesterday. Hmm.

Could it be the case that you are under a proxy, cache or something?
The key is the correct one; it was issued yesterday, not expired.

You have it ready on your trusted ring.

Comment the repository, check if you don’t have missing apt updates.
If you do, install them and then try again, enable the repository back and go from there.

Also be careful, no need for you to rush; on my end this update broke things.
If you have a VM, try to take a snapshot or a backup in case you need to go back.

Cheers!

1 Like

Good advice! Maybe I’ll hold off then. Thanks for the help.

Or it can be that you have in sources.list:
deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/
If this is the case, just do:

curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
sudo apt update
14 Likes
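
The signed-by case from the post above, as an added example that is not part of the thread: when a source line carries `signed-by=`, apt verifies that repository only against the named keyring, so a key added to /etc/apt/trusted.gpg with apt-key does not help. The function names are hypothetical, and the sample source line is constructed from the one quoted in the post.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find which keyring apt consults for a
# repository and whether that keyring holds the key named in NO_PUBKEY.

# Print the signed-by value of each active deb line mentioning $1 in the
# given files, or a marker when the line relies on the global trusted keyrings.
signed_by_for() {
    local needle=$1 line; shift
    grep -hE '^[[:space:]]*deb(-src)?[[:space:]]' "$@" 2>/dev/null |
    grep -F -- "$needle" |
    while IFS= read -r line; do
        case $line in
            *signed-by=*) printf '%s\n' "$line" |
                          sed -n 's/.*signed-by=\([^] ]*\).*/\1/p' ;;
            *)            echo '(global: trusted.gpg, trusted.gpg.d)' ;;
        esac
    done
}

# Read gpg --with-colons output on stdin; succeed if any fingerprint record
# ends with key ID $1 (the 16 hex digits apt prints after NO_PUBKEY).
listing_has_key() {
    awk -F: -v id="$1" '
        $1 == "fpr" && substr($10, length($10) - length(id) + 1) == id { ok = 1 }
        END { exit !ok }'
}

# Check a keyring file on disk (needs gpg with --show-keys, GnuPG 2.2+).
keyring_has_key() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | listing_has_key "$2"
}

# --- demo on constructed input -------------------------------------------
demo() {
    local src; src=$(mktemp)
    cat > "$src" <<'EOF'
# constructed sample of /etc/apt/sources.list.d/jitsi-stable.list
deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/
EOF
    signed_by_for download.jitsi.org "$src"
    rm -f "$src"
}
demo
```

On a real system, pass /etc/apt/sources.list and the files under /etc/apt/sources.list.d/ to `signed_by_for`, then run `keyring_has_key` on the path it prints with the key ID from the apt error.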

That’s exactly what I had! And your fix worked. Should I change my deb source line to something else so I don’t have this problem again? Thank you!

1 Like

Nope. The last time this was changed was 5 years ago.

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://download.jitsi.org stable/ InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY B4D2D216F1FD7806

So, the usual way to handle key changes is to have a keyring package and add the new key there some time before switching the archive to this new key. This way, any user that updates regularly will have the new key already installed and everything just works.

And there is already a jitsi-archive-keyring package. Unfortunately it only contains the old key, not the new key. Can you please add the new key here as well? And maybe make a note to do this first next time :).

1 Like

Yes we are planning to use the keyring package in the future. It was only used for the legacy Jitsi Desktop, we need to add it to the rest of the packages …

1 Like

Yes, it works for me on Ubuntu Bionic.