topic Re: GPG Key should be stored in extra keyring in Desktop (Linux)

GPG Key should be stored in extra keyring

xendon — Thu, 02 Jan 2025 09:05:25 GMT

Operating System

Ubuntu 22.xx

My Question or Issue

Hi, the instructions to install the spotify client via APT are outdated.
Nowadays the GPG Key should be stored in a extra keyring.

curl -sS https://download.spotify.com/debian/pubkey_C85668DF69375001.gpg | sudo apt-key add - echo "deb http://repository.spotify.com stable non-free" | sudo tee /etc/apt/sources.list.d/spotify.list

should be

curl -fsSL https://download.spotify.com/debian/pubkey_C85668DF69375001.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/spotify.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/spotify.gpg] http://repository.spotify.com stable non-free" | sudo tee /etc/apt/sources.list.d/spotify.list

if not ... Ubuntu (apt) will throw an deprecation warning.

UPDATED: The instruction take care about the new signing key now.
UPDATED: Updated instructions for new key "6224F9941A8AA6D1"

UPDATED: Updated instructions for new key "C85668DF69375001"

Re: GPG Key should be stored in extra keyring

jooon — Wed, 18 Jan 2023 10:45:54 GMT

The download page now uses the gpg command directly instead of apt-key. https://www.spotify.com/download/linux/

Using signed-by is also a very good idea. A ticket has been added internally to fix this. There is unfortunately some more work internally to be done before we can use that solution.

Re: GPG Key should be stored in extra keyring

IBreakCellPhones — Thu, 19 Jan 2023 21:07:59 GMT

I'm having issues getting updates lately:

$ sudo apt update [...] Get:16 http://repository.spotify.com stable InRelease [3,316 B] Err:16 http://repository.spotify.com stable InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F Fetched 4,873 B in 3s (1,415 B/s) Reading package lists... Done Building dependency tree... Done Reading state information... Done All packages are up to date. W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repository.spotify.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F W: Failed to fetch http://repository.spotify.com/dists/stable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F W: Some index files failed to download. They have been ignored, or old ones used instead. $ cat /etc/apt/sources.list.d/spotify.list deb [signed-by=/etc/apt/trusted.gpg.d/spotify.gpg] http://repository.spotify.com stable non-free $ gpg --show-keys /etc/apt/trusted.gpg.d/spotify.gpg pub rsa4096 2021-10-27 [SC] [expires: 2023-01-20] F9A211976ED662F00E59361E5E3C45D7B312C643 uid Spotify Public Repository Signing Key <**bleep**> $

Do I need to grab a new public key? I believe this is the right one based on the current instructions.

Re: GPG Key should be stored in extra keyring

dorothyMolloy — Fri, 20 Jan 2023 10:16:59 GMT

This seems to be a recurring problem. Try looking at the Spotify download instructions here: https://www.spotify.com/uk/download/linux/

This fixed my problem

Re: GPG Key should be stored in extra keyring

IBreakCellPhones — Fri, 20 Jan 2023 17:24:59 GMT

That refers to

pubkey_7A3A762FAFD4A51F.gpg

which:

Expires today
Is the key that I'm using--see the NO_PUBKEY issues above.

Re: GPG Key should be stored in extra keyring

Alternize — Mon, 23 Jan 2023 15:11:44 GMT

key is now expired and causes apt to fail

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repository.spotify.com testing InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F
W: Failed to fetch http://repository.spotify.com/dists/testing/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F
W: Some index files failed to download. They have been ignored, or old ones used instead.

Re: GPG Key should be stored in extra keyring

giparra — Tue, 24 Jan 2023 16:37:33 GMT

Hello everybody,

You have to use the new GPG cert:

https://download.spotify.com/debian/pubkey_7A3A762FAFD4A51F.gpg

It will expire 2024-02-07

Best regards,

Giorgiogiulio

Re: GPG Key should be stored in extra keyring

IBreakCellPhones — Tue, 24 Jan 2023 17:07:48 GMT

Looks like it's working now!

Re: GPG Key should be stored in extra keyring

xendon — Tue, 24 Jan 2023 18:21:45 GMT

Hi @all I've upgraded the instructions 🙂

Re: GPG Key should be stored in extra keyring

IBreakCellPhones — Tue, 24 Jan 2023 18:39:31 GMT

Looks like the second line of the instructions to install the key needs to change from:

echo "deb http://repository.spotify.com stable non-free" | sudo tee /etc/apt/sources.list.d/spotify.list

echo "deb [signed-by=/etc/apt/trusted.gpg.d/spotify.gpg] http://repository.spotify.com stable non-free" | sudo tee /etc/apt/sources.list.d/spotify.list

This will tell apt to use the downloaded key to check the signature.

Re: GPG Key should be stored in extra keyring

charlesmelara — Fri, 10 Feb 2023 22:45:45 GMT

Hi, I'm using extrepo to manage extra repositories and they rely on the gpg key available in public server (such as pgp.surf.nl). Currently the availabe key is the expired one.

Could you please push the renewed key to public pgp servers?

Thanks.

Re: GPG Key should be stored in extra keyring

thequux — Sun, 07 Apr 2024 19:27:01 GMT

Hi, the new instructions work better than the previous version, but still leave users' systems in an insecure configuration. Specifically, keys in /etc/apt/trusted.gpg.d are trusted to sign *any* apt repository, whereas I (and most users) should only trust Spotify to sign their own repository.

There are two ways that this could be fixed:

1. Store the key in /usr/share/keyrings and refer to it with [signed-by=/usr/share/keyrings/spotify-1.gpg,/usr/share/keyrings/spotify-2.gpg]

2. Use deb-822 format, and include the keys inline in the .sources file, like so:

thequux@baarle <~>
[0]$ cat /etc/apt/sources.list.d/spotify.sources
Types: deb
URIs: http://repository.spotify.com
Suites: stable
Components: non-free
Signed-by:
-----BEGIN PGP PUBLIC KEY BLOCK-----
.
mQINBGVWABgBEACmyHqClhrPEupgMG5n14x1nKSSbqed9IDu5+m4vKve5gUlGLmg
GqmlKjaIWaxKNsd0NrZ5b4tDE9/o2DLyI95f77zLavfmUqBHun3ksGnQcOTcnHLy
bKuxxCMGOz4uPMdfZuilI9KoT5m/O49fCP23eYMlBiqtQ1zMgwM1dnwcrp8OLYDT
e92AzE8Ghf1PMtkpXwOugMa1HimxSZ4mfoxf7TgkWtpHd3MvehJYXdO4FNE841rI
zn/mSR57M9B22s6TEHFET7sajZsO3adtSZVeadYQAbHEQx+BxpWZ9Rd9ynQXvCbQ
GMSLB6kR7H3rOSQzHENaR2esDJVoMMaV3ny26aQZLi4GtSR58zu6Tlbv9cSnEa19
nXLJNfxB4u2ZlOpkHg1NjXXCcLLdkIUSvdXFEgBpAfUE1LSa+q6geQ/YJk18YRQz
Uq0eL+avBlcze+z/vabvWaHGP3NTelUaksk3BxyRpOupn5xJHOyNZBwB2lEnBEwP
xClJaVzN8seFh9Wq0zQmRFoYR8keVgKsC4KUT8ULHX+/rU8JptnM9X5SSGd1mv8i
nT3BMu3KFdXtZHNYb6i9gvpvK2jRyqrZ3RvBKHXlA8Lk4PzHe8bC5qGmsjpd6Xgb
kZKMoemHZe3vJ5dy5g3JQuzrKaks/wlWR65Vm8nDE/bd1dECqxxVprD74wARAQAB
tDdTcG90aWZ5IFB1YmxpYyBSZXBvc2l0b3J5IFNpZ25pbmcgS2V5IDx0dXhAc3Bv
dGlmeS5jb20+iQJUBBMBCgA+FiEEY8vuyQBmAgiPmxkyYiT5lBqKptEFAmVWABgC
GwMFCQJRQwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQYiT5lBqKptGIsw//
cgeO0BVuOeAXyGdwoQaGnog8fyoNx/VkiX63BYB/J6HSIAnun0F4bImXa7kgScyX
bPjPusTn7y4PEenqWl4Olaos9+B6U3vs1f0RHOCbbxtQUJOtVAFdfsRMWoxCviic
0boW/5bFaDitBtuai8olbpb1YiA94uC+wGRXMWC3QOAwNPu9YWdon6IwJ4AFnEsS
NpU3Vlyqrz4ZEwYm6FhW8cvoBHfOwJo3WQ1nKSXFBMSod58o97Lhr308wvIuev7X
IgGeIZ1+zN39N7BLTaem9ynB8Fk0Mj9WGR+tztuQMcnZeL18rZNkMuzHx7UFY+ir
GgusbpenRPRaqXpUGES2zPwxpUWIMV3fzoI045ktVNDHVqxcQ67DfQX+bgiUPcY5
WaeEBSbpiqhqbqUjLtdTZtqyp1wMNHWxnQ4Bd9M2OipeKLThZ3sorFFZqVLmQ0Qs
CNJ9fgHpCW2LFs4U3fMxyNxbgfTZ0fog5PlEw67bTDloFh6EuFS8gmr6quSaYhor
1IjbJ8iex7lINqNUgZ4PDUYNnciLhYYgmvj8dKq1pZMPkZwTsGjtFnNJtlIE26qN
sbbV1qADvxhOCZ9QjeQfT20FjaUYeBryh4KqRu2kTg8FTYdOXSINlunLgLk3qW5F
IQkRR4+KWNraaGRySYGAGIIWc0Zzd8b6mIfJHcooAlc=
=F5Ek
-----END PGP PUBLIC KEY BLOCK-----