Unable to update due key expired (EXPKEYSIG 02456C79B2FD48BF)

[sahsanu]

Hello,

Trying to update, I've received the following errors in my Ubuntu based OS:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal  InRelease: The following signatures were invalid: EXPKEYSIG 02456C79B2FD48BF home:ungoogled_chromium OBS Project <home:ungoogled_chromium@build.opensuse.org>
W: Failed to fetch http://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal/InRelease  The following signatures were invalid: EXPKEYSIG 02456C79B2FD48BF home:ungoogled_chromium OBS Project <home:ungoogled_chromium@build.opensuse.org>

Seems the key used to sign packages (at least for Ubuntu Focal) expired yesterday (2022-07-03).

/etc/apt/trusted.gpg.d/home-ungoogled_chromium.gpg
--------------------------------------------------
pub   rsa2048 2020-04-24 [SC] [expired: 2022-07-03]
      157C 212D 66D9 B951 18C5  EDD3 0245 6C79 B2FD 48BF
uid           [ expired] home:ungoogled_chromium OBS Project <home:ungoogled_chromium@build.opensuse.org>

Thank you in advance for taking a look to this issue.

[JamesClarke7283]

+1 Also @sahsanu there is probably no new update for you as the newer version is not even packaged.

You can see here its version 95.0.4638.54-1:
https://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal/amd64/

There seems to be major maintainability issues with the Debian based packaging of this, i think you should build the debpack yourself for now. see issue #291 for why.

[azzydoesgit]

There seems to be major maintainability issues with the Debian based packaging of this, i think you should build the debpack yourself for now. see issue #291 for why.

I am "new" to Linux, and enjoy using apt (or just .debs) so that my update process involves a couple commands. Is there a way to automate the building of a new .deb every time new source code for the "stable branch" is released? @JamesClarke7283

[networkException]

There is nobody maintaining this repository at the moment unfortionately (see #301).

Generally our goal is to get stable updates out as fast as possible, I hope that we will be able to live up to those standarts soon

[JamesClarke7283]

There seems to be major maintainability issues with the Debian based packaging of this, i think you should build the debpack yourself for now. see issue #291 for why.

I am "new" to Linux, and enjoy using apt (or just .debs) so that my update process involves a couple commands. Is there a way to automate the building of a new .deb every time new source code for the "stable branch" is released? @JamesClarke7283

Hi sorry for late reply, welcome to the GNU/Linux Community @azzydoesgit. Regarding your question, Yes you can, you can setup a build server or just a cronjob on your local system(set commands/programs which runs at a set schedule) which runs a bash script to check, build and install it.

I could help you with this if you wanted to get in touch, my contact details are on my website, i have quite a few different platforms which are libre friendly.
https://www.james-clarke.ynh.fr/

You can make it check if the version changed by doing a git pull on that branch every time, and just seeing if the version string changed in the file its defined. using bash script to do the checking.

To do the build step, the instructions to build this package are here:
https://github.com/ungoogled-software/ungoogled-chromium-debian#building-a-binary-package

It says ,fr but i am actually from the UK. its a free DDNS name, i got with YunoHost.

Resources to do with this which might also help:
Cron Arch Wiki
Building packages for debian
GNU Bash Scripting Manual

If you find the Archwiki Cron file format confusing,
Its worth noting i think you can generate a cron file through some GUI front ends like these as well which might be useful for newcomers:
Selfhosted Web UI
Standalone GUI client
Website to make a crontab file

As for bash scripting, there are good videos on that, but i am also happy to help out if you get stuck.

[VA1DER]

Hi sorry for late reply, welcome to the GNU/Linux Community @azzydoesgit. Regarding your question, Yes you can, you can setup a build server or just a cronjob on your local system(set commands/programs which runs at a set schedule) which runs a bash script to check, build and install it.

The days of where the end user needs to use cron jobs to fetch and build updates are (or should be) long past. I'm all about self reliance, but this is not something we should be expecting from end users.

Is there any movement on getting the signing key updated? If deb packages can be built with cron jobs, then perhaps we can get this on the OpenSuse build system to create packages.

[ghost]

No longer relevant.

[fir3-1ce]

I'm confused about something. If I build the binary from source how do I update it in the future? I'm still kind of new to Linux myself, and it appears that this GPG issue still persists on the repository

[iskunk]

I'm confused about something. If I build the binary from source how do I update it in the future? I'm still kind of new to Linux myself, and it appears that this GPG issue still persists on the repository

To update to a new version, you have to build the new version. There isn't any good way I'm aware of to perform an incremental build, if that's what you're getting at...

[eyalroz]

While not exactly the same issue, I've started getting:

Err:4 http://download.opensuse.org/repositories/home:/ungoogled_chromium/Debian_Sid  InRelease                                               
  The following signatures were invalid: EXPKEYSIG 02456C79B2FD48BF home:ungoogled_chromium OBS Project <home:ungoogled_chromium@build.opensuse.org>

recently.

[iskunk]

While not exactly the same issue, I've started getting:

[...]

recently.

Aaaand another one bites the dust :->

I don't yet know the specifics of how APT repository keys are created/destroyed/updated in OBS, but once current versions start getting pushed there again (see #349), we'll need to make sure people can actually download them without these kinds of errors.

[succeedmr123]

No longer relevant.

totally relevant. keeping an expired build for nothing with an expired key shows gross ignorance for the reason that users are not really here to type 40 commands just to attempt to do a workaround around an automated mirror and build system.

If the argument of mine is wroing, I do apologise - it is frustrating issue, really, maybe all the users should get a build server on our own just to do things on linux where we ended while evading windows?

If someone is to challenge this logic without any kind of nonsense heated arguement, fine.

(It is annoying that things in foos are totally unresolved like a child-disease type of time-wasating what in production world OSes arealmost never an issue)
Have a graet day.

[iskunk]

Hello @succeedmr123,

I understand your frustration. The Debian build of ungoogled-chromium has been neglected for a long time, but there is work in progress to address the situation; please see #343 and #349. At this point, the implementation is (mostly) complete, and is awaiting completion of its review by the u-c project principals.