#23217 closed enhancement (invalid)
APT signing key has been deprecated and makes error
| Reported by: | anonymous | Owned by: | team |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Ubuntu package | Version: | |
| Keywords: | apt signing key deprecated debian deb error | Cc: |
Description
Dear JOSM devs, when issuing the following command in a debian based system as per your guide (https://josm.openstreetmap.de/wiki/Download);
wget -q https://josm.openstreetmap.de/josm-apt.key -O- | sudo apt-key add -
I get the following error:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). gpg: no valid OpenPGP data found. zsh: exit 1 wget -q https://josm.openstreetmap.de/josm-apt.key -O- | zsh: exit 2 sudo apt-key add -
As you can see there is an error with the key. When executing the update and issue commands;
sudo apt-get update ; sudo apt-get install josm
I get the following error:
Get:6 https://josm.openstreetmap.de/apt alldist InRelease [5606 B] Hit:7 <CENSORED> Err:6 https://josm.openstreetmap.de/apt alldist InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 130A439C78FC0F87 Hit:8 <CENSORED> Reading package lists... Done W: GPG error: https://josm.openstreetmap.de/apt alldist InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 130A439C78FC0F87 E: The repository 'https://josm.openstreetmap.de/apt alldist InRelease' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. zsh: exit 100 sudo apt-get update
Please issue a new up to date key, or otherwise try fixing the issue. I appreciate all your hard work, thank you.
Attachments (0)
Change History (5)
comment:1 by , 19 months ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
comment:2 by , 19 months ago
| Resolution: | duplicate → invalid |
|---|
No, that's another issue...
reading the man page as given in the error message:
If your existing use of apt-key add looks like this:
wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -
Then you can directly replace this with (though note the recommendation below):
wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc
So use wget -q https://josm.openstreetmap.de/josm-apt.key -O- | sudo tee /etc/apt/trusted.gpg.d/josm.asc as suggested.
comment:3 by , 19 months ago
Dear JOSM devs, when issuing the following command in a debian based system as per your guide (https://josm.openstreetmap.de/wiki/Download);
wget -q https://josm.openstreetmap.de/josm-apt.key -O- | sudo apt-key add -
@anonymous: Those GPG instructions are outdated. I don't know when you last looked at the wiki:Download page, but those instructions you have are outdated. We changed the instructions on 2022-06-27 to
# Create the directory for manually downloaded keys if it was not already created sudo mkdir -p /usr/local/share/keyrings # Download the key wget -q https://josm.openstreetmap.de/josm-apt.key -O- | sudo gpg --dearmor -o /usr/local/share/keyrings/josm-apt.gpg
@stoecker: This is not the code signing key for #23107. This is the package signing key, and I don't think we've ever rotated it.
comment:5 by , 19 months ago
You and I both. I had already written the bit I crossed out when I saw that you had made another post. I went ahead and left it in (I assumed you knew the first part, but I had done some investigation on the last part -- specifically, it looks like the gpg signing key was created on 2011-12-08 using rsa2048).
GPG FAQ: RSA2048 should be safe until 2030, according to the NIST (2012).
Closed as duplicate of #23107.
Takes a bit longer than expected.