Announcements

GPG Key should be stored in extra keyring

GPG Key should be stored in extra keyring

Avatar of xendon
Casual Listener
3 weeks ago

Operating System

Ubuntu 22.xx

 

My Question or Issue

Hi, the instructions to install the spotify client via APT are outdated.
Nowadays the GPG Key should be stored in a extra keyring.

 

 

curl -sS https://download.spotify.com/debian/pubkey_5E3C45D7B312C643.gpg | sudo apt-key add - 
echo "deb http://repository.spotify.com stable non-free" | sudo tee /etc/apt/sources.list.d/spotify.list

 

 

should be

 

 

curl -fsSL https://download.spotify.com/debian/pubkey_7A3A762FAFD4A51F.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/spotify.gpg

echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/spotify.gpg] http://repository.spotify.com stable non-free" | sudo tee /etc/apt/sources.list.d/spotify.list

 

 

if not ... Ubuntu (apt) will throw an deprecation warning.

UPDATED: The instruction take care about the new signing key now.


Reply
9 Replies

Avatar of jooon
Spotify
Spotify
a week ago

The download page now uses the gpg command directly instead of apt-key. https://www.spotify.com/download/linux/

 

Using signed-by is also a very good idea. A ticket has been added internally to fix this. There is unfortunately some more work internally to be done before we can use that solution.

0 Likes

Avatar of IBreakCellPhones
Casual Listener
a week ago

I'm having issues getting updates lately:

$ sudo apt update
[...]
Get:16 http://repository.spotify.com stable InRelease [3,316 B]
Err:16 http://repository.spotify.com stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F
Fetched 4,873 B in 3s (1,415 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repository.spotify.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F
W: Failed to fetch http://repository.spotify.com/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F
W: Some index files failed to download. They have been ignored, or old ones used instead.
$ cat /etc/apt/sources.list.d/spotify.list
deb [signed-by=/etc/apt/trusted.gpg.d/spotify.gpg] http://repository.spotify.com stable non-free
$ gpg --show-keys /etc/apt/trusted.gpg.d/spotify.gpg
pub   rsa4096 2021-10-27 [SC] [expires: 2023-01-20]
      F9A211976ED662F00E59361E5E3C45D7B312C643
uid                      Spotify Public Repository Signing Key <**bleep**>

$

Do I need to grab a new public key? I believe this is the right one based on the current instructions. 

0 Likes

Avatar of dorothyMolloy
Newbie
a week ago

This seems to be a recurring problem.  Try looking at the Spotify download instructions here: https://www.spotify.com/uk/download/linux/

This fixed my problem

0 Likes

Avatar of IBreakCellPhones
Casual Listener
a week ago

That refers to 

pubkey_7A3A762FAFD4A51F.gpg

which: 

  1. Expires today
  2. Is the key that I'm using--see the NO_PUBKEY issues above.

Avatar of Alternize
Newbie
Monday

key is now expired and causes apt to fail

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repository.spotify.com testing InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F
W: Failed to fetch http://repository.spotify.com/dists/testing/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7A3A762FAFD4A51F
W: Some index files failed to download. They have been ignored, or old ones used instead.

Avatar of giparra
Casual Listener
Tuesday

Hello everybody,

 

You have to use the new GPG cert: 

https://download.spotify.com/debian/pubkey_7A3A762FAFD4A51F.gpg

It will expire 2024-02-07

 

Best regards,

Giorgiogiulio

Avatar of IBreakCellPhones
Casual Listener
Tuesday

Looks like it's working now! 

0 Likes

Avatar of xendon
Casual Listener
Tuesday

Hi @all I've upgraded the instructions 🙂

0 Likes

Avatar of IBreakCellPhones
Casual Listener
Tuesday

Looks like the second line of the instructions to install the key needs to change from: 

echo "deb http://repository.spotify.com stable non-free" | sudo tee /etc/apt/sources.list.d/spotify.list

to

echo "deb [signed-by=/etc/apt/trusted.gpg.d/spotify.gpg] http://repository.spotify.com stable non-free" | sudo tee /etc/apt/sources.list.d/spotify.list

This will tell apt to use the downloaded key to check the signature.

0 Likes

Suggested posts

Let's introduce ourselves!

Hey there you,   Yeah, you! 😁   Welcome - we're glad you joined the Spotify Community!   While you here, let's have a fun game…

Staff
ModeratorStaff / Moderator/ 1 year ago in Social & Random
Read more