SIPWISE CE - NEWS

back to all Sipwise CE - News

Update of a Sipwise public GPG key

An OLD Sipwise GPG key that is used to sign repositories with NGCP and Debian packages expires on March 3rd, 2020.
Here is a short Q&A about what’s going on and how to update it:


Q: What does it affect?
A: No services are affected but ‘apt update‘ and ‘apt upgrade‘ commands would not work with the error:

Err:3 https://debian.sipwise.com/debian-security stretch-security InRelease The following signatures were invalid: EXPKEYSIG 773236EFF411A836 Sipwise GmbH (Sipwise Repository Key) support@sipwise.com


Q: What to do?
A: All releases starting from mr4.2.* have got hotfixes of all required packages:

  • mr7.5.1+
    • ngcp-archive-keyring
    • ngcp-deployment-scripts
  • mr6.2.1 – mr7.4.2
    • ngcp-keyring
    • ngcp-deployment-scripts
  • mr4.2.1 – mr6.1.2
    • ngcp-keyring
    • ngcp-netscript

But after March 3 (when the key is already expired), you can’t install anything as you get the mentioned error. In this case, you need to manually download the new key.


Q: Where can I download a new key and be sure that it’s the correct one?
A: The links are:


Q: Where to place the new GPG file?
A: Copy it to the /etc/apt/trusted.gpg.d/ directory.


Q: That’s it?
A: You will also need to delete all entries of the old key.
Get the list of the installed keys:

apt-key list

Check which file contains the key A836 with [expired: 2020-03-03].
Move all such files to a backup directory like ‘/ngcp-data/backup’.


Q: How to check that everything is ok?
A: Run ‘apt update‘ it should work now.
If it does not, then recheck whether any files with the old key are still in the output of ‘apt-key list‘. Also check that there is the following key is listed:

pub rsa4096 2015-03-05 [SC] [expires: 2029-10-12]
68A7 02B1 FD8E 422A AAA1 ADA3 7732 36EF F411 A836
uid [ unknown] Sipwise GmbH (Sipwise Repository Key) support@sipwise.com
sub rsa4096 2015-03-05 [E] [expires: 2029-10-12]


The final step – it’s highly recommended to install mentioned hotfixes:

  • mr7.5.1+
    • ngcp-archive-keyring
    • ngcp-deployment-scripts
  • mr6.2.1 – mr7.4.2
    • ngcp-keyring
    • ngcp-deployment-scripts
  • mr4.2.1 – mr6.1.2
    • ngcp-keyring
    • ngcp-netscript

It will fix the broken ‘debsums‘ check.