that's all.
Is this why I'm getting:
W: GPG error: http://repository.spotify.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EFDC8610341D9410
E: The repository 'http://repository.spotify.com stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
I'm just trying to run "apt update" after following the instructions from the website. I can't even install it.
This should work:
apt-get -oAcquire::AllowInsecureRepositories=true update
apt-get -y -oAcquire::AllowInsecureRepositories=true install spotify-client
Yeah, no thanks
Indeed, there is no way to install the Spotify deb package securely, so no Spotify...
Please update your key!
I am having the same issue on Ubuntu. I am not able to install the Spotify client. Please update the .deb signing keys. Thank you.
Hey there,
Had the same problem today, but it just looks like the GPG key has changed, and the documentation for Ubuntu is not up to date with the good one.
Just try this key retrieval command instead:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EFDC8610341D9410
You will see the legitimate GPG key being fetched from the repository:
Executing: /tmp/apt-key-gpghome.AFmyKQEN5f/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys EFDC8610341D9410
gpg: key EFDC8610341D9410: public key "Spotify Public Repository Signing Key <tux@spotify.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Then Spotify would be installable with the normal commands:
sudo apt-get update
sudo apt-get install spotify-client
Hope this helps!
I just tried what you suggested but apt still complains
Err:9 http://repository.spotify.com stable InRelease
  The following signatures were invalid: KEYEXPIRED 1532522191
....
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repository.spotify.com stable InRelease: The following signatures were invalid: KEYEXPIRED 1532522191
W: Failed to fetch http://repository.spotify.com/dists/stable/InRelease  The following signatures were invalid: KEYEXPIRED 1532522191
W: Some index files failed to download. They have been ignored, or old ones used instead.
I tried re-downloading the key; however, it seems the "new" key expired today.
I removed the old key and updating gives me this:
Err:12 http://repository.spotify.com stable InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EFDC8610341D9410
I then tried getting the new key with
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EFDC8610341D9410
Executing: /tmp/tmp.UF3PpeJZvk/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys EFDC8610341D9410
gpg: requesting key 341D9410 from hkp server keyserver.ubuntu.com
gpg: key 341D9410: public key "Spotify Public Repository Signing Key <tux@spotify.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
Updating with the new key gives me this error
sudo apt update
Err:7 http://repository.spotify.com stable InRelease
  The following signatures were invalid: KEYEXPIRED 1532522191
And finally checking the expired keys I see this
sudo apt-key list | grep expired
pub   4096R/341D9410 2017-07-25 [expired: 2018-07-25]
Still getting an error when trying to solve this:
W: GPG error: http://repository.spotify.com stable InRelease: The following signatures were invalid: KEYEXPIRED 1532522191
W: The repository 'http://repository.spotify.com stable InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
When I run `sudo apt-key list` it shows both of the keys:
pub   4096R/48BF1C90 2018-05-23 [expires: 2019-08-16]
uid                  Spotify Public Repository Signing Key <tux@spotify.com>
pub   4096R/341D9410 2017-07-25 [expired: 2018-07-25]
uid                  Spotify Public Repository Signing Key <tux@spotify.com>
If I remove the expired key and then run `sudo apt-get update` the console says NO_PUBKEY 341D9410, it doesn't use the "good" key.
Any idea?
P.S.: Apologies for my rusty English, I'm actually from Brasil.
The new key does not seem to work, now that the old key expired today (July 25):
The following signatures were invalid: EXPKEYSIG EFDC8610341D9410 Spotify Public Repository Signing Key <tux@spotify.com>
Same here, expired key:
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repository.spotify.com stable InRelease: The following signatures were invalid: KEYEXPIRED 1532522191
W: Failed to fetch http://repository.spotify.com/dists/stable/InRelease  The following signatures were invalid: KEYEXPIRED 1532522191
hope this gets fixed soon 🙂
This is the worst advice you can give someone. Given that this is only throwing an error temporarily, the correct solution is to ignore the error until Spotify issue a new key.
If the person is an experienced *nix user, they will already know exactly why the issue has come up - judging by the brevity of the post which was delivered as an FYI, this is likely.
If the person is not experienced, you are suggesting they open their system up to being exploited.
Come on, be responsible.
I keep getting:
gpg: requesting key 341D9410 from hkp server keyserver.ubuntu.com
gpg: key 341D9410: "Spotify Public Repository Signing Key <tux@spotify.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
What should I do about this? Remove the repo and add it again?
As "Peetee" mentioned, the Spotify admins have to issue a new GPG key, sign all packages in their repositories with this new GPG key, put this new GPG key in the PUB section of their web repository, and send it to the Ubuntu keyserver. Until then, if you want to be responsible and thinking, you can't do anything except remove (comment out) this repository.
Do we have a general contact for the SOC (Server/Security Operations Center) at Spotify Ltd. to let them know about this issue?
+1000, don't lower your security.
BTW, I don't have problems with keys anymore.
And to be sure, I replayed Spotify's instructions:
# 1. Add the Spotify repository signing keys to be able to verify downloaded packages
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90
# 2. Add the Spotify repository
echo deb http://repository.spotify.com stable non-free | sudo tee /etc/apt/sources.list.d/spotify.list
# 3. Update list of available packages
sudo apt-get update
# 4. Install Spotify
sudo apt-get install spotify-client
A signed package means it's coming from the signer. It doesn't mean it's safe. If you can't verify the package signature, you are still downloading the package from this server, with the link provided on the same web page as the key.
The ways to compromise that package are to crack the server that hosts the package, the DNS you are using, or one of the routers that lets you reach that server.
Because the Ubuntu keyserver doesn't use any verification, a signed or unsigned package doesn't matter if a really powerful hacker group bothers to hack into a Linux hobbyist's desktop/laptop system.
I said hobbyist because I assume a sysadmin who uses Linux on his personal computer can't have ridiculously superficial knowledge about digital signatures.
decafbad, I understand that there is no such thing as a safe download from a web server. However, the instructions are to switch off ANY kind of security that keys offer and to accept insecure programs. This isn't context-specific to Spotify, hence my response. A hobbyist wouldn't understand the global implications of "turning down" the security.
Hey,
A few other users and I noticed a GPG key change with the recent Debian package updates. I am packaging spotify-stable in the Archlinux User Repository (AUR).
In order to provide a secure package for me and everyone else, it is crucial to only download trustworthy sources from Spotify. That is why they are signed with GPG. However, if the key randomly changes without any upstream notification from Spotify, we have to assume that a) the servers were possibly compromised, or b) Spotify changed its key but did not notify us users.
Now the question is: Where can I find any official information/statement that the key has changed and we can trust the new one.
The old key was:
0DF731E45CE24F27EEEB1450EFDC8610341D9410
The new key is:
931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90
http://pool.sks-keyservers.net/pks/lookup?search=0x931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90&op=vinde...
The new key is also mentioned here:
https://www.spotify.com/de/download/linux/
If we assume a) is true, we must not trust any content on the Spotify servers. That means the .deb files (with new key signatures) and the content (install instructions) as well. The only way for Spotify to make us trust the new key is to sign the new key with the old one. That is common practice. And the old one must then be revoked, if possible.
This means **spotify must take some action before I can update any package.** Otherwise users might be in danger. Although it is very unlikely that Spotify got hacked, we still have to treat this issue with care. Similar incidents happened with Linux Mint or Handbrake.
Tl;Dr: Spotify, please sign the new gpg key with the old one. Community, please make spotify notice this post by upvoting the whole topic, this post or leaving a comment.
I will post this comment to the following threads:
https://community.spotify.com/t5/Desktop-Linux/Redistribute-Spotify-on-Linux-Distributions/td-p/1695...
https://community.spotify.com/t5/Desktop-Linux/deb-package-signing-key-at-ubuntu-keyserver-expired/t...
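A worked check for both problems raised in this thread: the key expiry behind the KEYEXPIRED errors quoted earlier, and the question in the post above of whether a replacement key has been certified by the key it replaces. This is example code added here; it is not Spotify's and not from any poster. It parses GnuPG's colon-separated output, which is what `gpg --with-colons --check-sigs` prints for a keyring (for the apt keyring: `gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --with-colons --check-sigs`, or `apt-key adv --with-colons --check-sigs`). The sample keyring embedded in the code is constructed: the fingerprints, key IDs and dates follow the posts above, while the uid hashes and the cross-signature line are invented for the example.

```python
"""Checks on apt repository signing keys from GnuPG's colon format.

Example code added to this thread (not Spotify's, not any poster's).
Input: `gpg --no-default-keyring --keyring FILE --with-colons --check-sigs`.
SAMPLE is CONSTRUCTED: fingerprints, key IDs and dates follow the thread.
"""
from datetime import datetime, timedelta, timezone

OLD_FPR = "0DF731E45CE24F27EEEB1450EFDC8610341D9410"   # 2017 key, expired
NEW_FPR = "931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90"   # 2018 key

# Constructed keyring: each key carries only its own self-signature, the state
# the thread describes. 1532522191 is the KEYEXPIRED timestamp quoted above.
SAMPLE = """\
pub:e:4096:1:EFDC8610341D9410:1500986191:1532522191::-:::scSC::::::23::0:
fpr:::::::::0DF731E45CE24F27EEEB1450EFDC8610341D9410:
uid:e::::1500986191::0000000000000001::Spotify Public Repository Signing Key <tux@spotify.com>::::::::::0:
sig:!::1:EFDC8610341D9410:1500986191::::Spotify Public Repository Signing Key <tux@spotify.com>:13x:::::2:
pub:-:4096:1:A87FF9DF48BF1C90:1527033600:1565913600::-:::scSC::::::23::0:
fpr:::::::::931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90:
uid:-::::1527033600::0000000000000002::Spotify Public Repository Signing Key <tux@spotify.com>::::::::::0:
sig:!::1:A87FF9DF48BF1C90:1527033600::::Spotify Public Repository Signing Key <tux@spotify.com>:13x:::::2:
"""

# Constructed: the same keyring after the OLD key has certified the new key's
# user ID (a class 0x10 certification signature made by key EFDC8610341D9410).
SAMPLE_CROSS_SIGNED = SAMPLE + (
    "sig:!::1:EFDC8610341D9410:1527120000::::"
    "Spotify Public Repository Signing Key <tux@spotify.com>:10x:::::2:\n"
)

def utc(iso):
    """'2018-07-25T14:00' -> aware UTC datetime (keeps checks deterministic)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def parse_gpg_time(field):
    """GnuPG 2 prints seconds since the epoch; GnuPG 1 printed YYYY-MM-DD."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return utc(field)

def parse_colons(text):
    """Group pub/fpr/uid/sig records into one dict per primary key."""
    keys, key, uid = [], None, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key = {"keyid": f[4], "validity": f[1], "fpr": None,
                   "created": parse_gpg_time(f[5]),
                   "expires": parse_gpg_time(f[6]), "uids": []}
            keys.append(key)
            uid = None
        elif f[0] == "sub":
            uid = None                        # subkey binding sigs are not uid certs
        elif f[0] == "fpr" and key is not None and key["fpr"] is None:
            key["fpr"] = f[9]                 # first fpr after pub = primary key
        elif f[0] == "uid" and key is not None:
            uid = {"uid": f[9], "sigs": []}
            key["uids"].append(uid)
        elif f[0] == "sig" and uid is not None:
            # field 2: '!' good, '-' bad, '?' signer key not in keyring, '%' error
            uid["sigs"].append({"status": f[1], "signer": f[4], "class": f[10]})
    return keys

def expiry_status(key, now, warn=timedelta(days=30)):
    """'revoked' | 'never' | 'expired' | 'expiring' | 'ok'."""
    if key["validity"] == "r":
        return "revoked"
    exp = key["expires"]
    if exp is None:
        return "never"
    # 'expired' is where apt starts printing KEYEXPIRED; 'expiring' is when to act
    return "expired" if exp <= now else "expiring" if exp - now <= warn else "ok"

def expiry_report(text, now, warn=timedelta(days=30)):
    """Map fingerprint -> status for every primary key in the keyring."""
    return {k["fpr"]: expiry_status(k, now, warn) for k in parse_colons(text)}

def certified_by(text, new_fpr, old_fpr):
    """True iff a good uid certification (class 0x10..0x13) made by the old key
    is present on the new key. Self-signatures never count, and the old key
    must be in the same keyring for gpg to have marked the signature '!'."""
    if new_fpr == old_fpr:
        return False
    old_keyid = old_fpr[-16:].upper()         # v4 key ID = low 64 bits of fpr
    for key in parse_colons(text):
        if key["fpr"] != new_fpr:
            continue
        for uid in key["uids"]:
            for sig in uid["sigs"]:
                if (sig["status"] == "!" and sig["signer"] == old_keyid
                        and sig["class"][:2] in ("10", "11", "12", "13")):
                    return True
    return False

if __name__ == "__main__":
    now = utc("2018-07-25T14:00")             # the afternoon the thread was posted
    for fpr, status in expiry_report(SAMPLE, now).items():
        print(f"{fpr}: {status}")
    print("new key certified by old key:", certified_by(SAMPLE, NEW_FPR, OLD_FPR))
    print("after cross-signing:", certified_by(SAMPLE_CROSS_SIGNED, NEW_FPR, OLD_FPR))
```

On the sample keyring `expiry_report` flags the 2017 key as `expired` on the day of the thread (and as `expiring` a month earlier, which is when a repository maintainer or a packager should have reacted), and `certified_by` returns `False` because both keys carry only self-signatures; it only returns `True` for the constructed cross-signed variant. To use it on a real keyring, feed the `--with-colons --check-sigs` output of that keyring to the two functions; the old key has to be present in the same keyring, otherwise gpg marks the cross-signature `?` rather than `!`.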
Hi,
I tried to answer, but Spotify keeps flagging my posts as **bleep**/abuse. I reported this issue and hope the post will come back. In the meantime, please read it here:
https://gist.github.com/NicoHood/252b6b01543ad0aa29ce66a18f4fef24
This is so bad in all ways....