Update of a Sipwise public GPG key
An OLD Sipwise GPG key that is used to sign repositories with NGCP and Debian packages expires on March 3rd, 2020.
Here is a short Q&A about what’s going on and how to update it:
Q: What does it affect?
A: No services are affected but ‘apt update‘ and ‘apt upgrade‘ commands would not work with the error:
Err:3 https://debian.sipwise.com/debian-security stretch-security InRelease The following signatures were invalid: EXPKEYSIG 773236EFF411A836 Sipwise GmbH (Sipwise Repository Key) support@sipwise.com
Q: What to do?
A: All releases starting from mr4.2.* have got hotfixes of all required packages:
- mr7.5.1+
- ngcp-archive-keyring
- ngcp-deployment-scripts
- mr6.2.1 – mr7.4.2
- ngcp-keyring
- ngcp-deployment-scripts
- mr4.2.1 – mr6.1.2
- ngcp-keyring
- ngcp-netscript
But after March 3 (when the key is already expired), you can’t install anything as you get the mentioned error. In this case, you need to manually download the new key.
Q: Where can I download a new key and be sure that it’s the correct one?
A: The links are:
- For all MODERN releases (mr3.8+) use link
https://deb.sipwise.com/spce/keyring/sipwise-keyring-bootstrap.gpg
Checksum file https://deb.sipwise.com/spce/keyring/sipwise-keyring-bootstrap.gpg.sha256
The sha256 checksum is: c7f5dc91d1ae23bb0b437481a7aceedccdef6f9e36f8c4fdf3e202d513f7292c
- For OLD releases from 2.8 to mr3.7 use link:
https://deb.sipwise.com/spce/sipwise.gpg
The sha256 checksum is: d503e1793044ef4f112b0eb8cacb9e3bfb008cadfe771434d8cc9a33a40b09f1
Q: Where to place the new GPG file?
A: Copy it to the /etc/apt/trusted.gpg.d/
directory.
Q: That’s it?
A: You will also need to delete all entries of the old key.
Get the list of the installed keys:
apt-key list
Check which file contains the key A836 with [expired: 2020-03-03].
Move all such files to a backup directory like ‘/ngcp-data/backup’.
Q: How to check that everything is ok?
A: Run ‘apt update‘ it should work now.
If it does not, then recheck whether any files with the old key are still in the output of ‘apt-key list
‘. Also check that there is the following key is listed:
pub rsa4096 2015-03-05 [SC] [expires: 2029-10-12]
68A7 02B1 FD8E 422A AAA1 ADA3 7732 36EF F411 A836
uid [ unknown] Sipwise GmbH (Sipwise Repository Key) support@sipwise.com
sub rsa4096 2015-03-05 [E] [expires: 2029-10-12]
The final step – it’s highly recommended to install mentioned hotfixes:
- mr7.5.1+
- ngcp-archive-keyring
- ngcp-deployment-scripts
- mr6.2.1 – mr7.4.2
- ngcp-keyring
- ngcp-deployment-scripts
- mr4.2.1 – mr6.1.2
- ngcp-keyring
- ngcp-netscript
It will fix the broken ‘debsums
‘ check.