.deb package signing key at ubuntu keyserver expired.

that's all.

Is this why I'm getting:

W: GPG error: http://repository.spotify.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EFDC8610341D9410
E: The repository 'http://repository.spotify.com stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

I'm just trying to run "apt update" after following the instructions from the website. Can't even install it.

This should work:

apt-get -oAcquire::AllowInsecureRepositories=true update

apt-get -y -oAcquire::AllowInsecureRepositories=true install spotify-client

Yeah, no thanks

Indeed, there is no way to install the Spotify deb package securely, so no Spotify...

Please update your key!

I am having the same issue in Ubuntu. Not being able to install the Spotify client. Please update the .deb signing keys. Thanking you.

Hey there,

Had the same problem today, but it just looks like the GPG key has changed, and the documentation for Ubuntu is not up to date with the good one.

Just try this key retrieval command instead:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EFDC8610341D9410

You will see the legit GPG key being fetched from the repository:

Executing: /tmp/apt-key-gpghome.AFmyKQEN5f/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys EFDC8610341D9410
gpg: key EFDC8610341D9410: public key "Spotify Public Repository Signing Key <tux@spotify.com>" imported
gpg: Total number processed: 1
gpg: imported: 1

Then Spotify would be installable with the normal commands:

sudo apt-get update
sudo apt-get install spotify-client

Hope this helps!

I just tried what you suggested, but apt still complains:

Err:9 http://repository.spotify.com stable InRelease                          
  The following signatures were invalid: KEYEXPIRED 1532522191
....
Reading package lists... Done                      
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repository.spotify.com stable InRelease: The following signatures were invalid: KEYEXPIRED 1532522191
W: Failed to fetch http://repository.spotify.com/dists/stable/InRelease  The following signatures were invalid: KEYEXPIRED 1532522191
W: Some index files failed to download. They have been ignored, or old ones used instead.

I tried redownloading the key, however it seems the "new" key expired today.

I removed the old key and updating gives me this:

Err:12 http://repository.spotify.com stable InRelease                                                
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EFDC8610341D9410

I then tried getting the new key with

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EFDC8610341D9410
Executing: /tmp/tmp.UF3PpeJZvk/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys EFDC8610341D9410
gpg: requesting key 341D9410 from hkp server keyserver.ubuntu.com
gpg: key 341D9410: public key "Spotify Public Repository Signing Key <tux@spotify.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

Updating with the new key gives me this error:

sudo apt update
Err:7 http://repository.spotify.com stable InRelease 
 The following signatures were invalid: KEYEXPIRED 1532522191

And finally, checking the expired keys, I see this:

sudo apt-key list | grep expired
pub   4096R/341D9410 2017-07-25 [expired: 2018-07-25]

Still getting an error when trying to solve this:

W: Erro GPG: http://repository.spotify.com stable InRelease: As seguintes assinaturas eram inválidas: KEYEXPIRED 1532522191
W: The repository 'http://repository.spotify.com stable InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

When I run `sudo apt-key list` it shows both of the keys:

pub   4096R/48BF1C90 2018-05-23 [expira: 2019-08-16]
uid                  Spotify Public Repository Signing Key <tux@spotify.com>

pub   4096R/341D9410 2017-07-25 [expirado: 2018-07-25]
uid                  Spotify Public Repository Signing Key <tux@spotify.com>

If I remove the expired key and then run `sudo apt-get update`, the console says NO_PUBKEY 341D9410; it doesn't use the "good" key.

Any idea?

P.S.: Apologies for my rusty English, I'm actually from Brazil.
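The two posts above show the same root cause from two angles: apt checks the InRelease signature against the key that actually made it, so a second, newer key in the keyring changes nothing, and the number after KEYEXPIRED is the expiry time as a Unix timestamp. The script below is an added example, not code from the thread or from Spotify. It cross-references the key ids in apt's GPG errors with the keys and expiry dates printed by `apt-key list`; the apt messages and keyring listings embedded in it are constructed from the lines quoted in the thread, and the function and verdict names are assumptions of this example.

```python
"""Diagnose apt repository signing-key errors against the local keyring.

Added example (not from the thread): cross-reference the key ids that apt
reports in its GPG errors with the keys and expiry dates that `apt-key list`
prints, so it is visible which key actually signed the InRelease file and
whether another key in the keyring can help at all (it cannot: apt needs
the signer, not just any key with the same user id).
"""
import datetime as dt
import re

# Constructed sample 1: both keys in the keyring, InRelease signed by the old (expired) one.
APT_ERRORS_BOTH_KEYS = """\
W: GPG error: http://repository.spotify.com stable InRelease: The following signatures were invalid: KEYEXPIRED 1532522191
W: GPG error: http://repository.spotify.com stable InRelease: The following signatures were invalid: EXPKEYSIG EFDC8610341D9410 Spotify Public Repository Signing Key <tux@spotify.com>
"""
KEYRING_BOTH_KEYS = """\
pub   4096R/48BF1C90 2018-05-23 [expires: 2019-08-16]
uid                  Spotify Public Repository Signing Key <tux@spotify.com>

pub   4096R/341D9410 2017-07-25 [expired: 2018-07-25]
uid                  Spotify Public Repository Signing Key <tux@spotify.com>
"""

# Constructed sample 2: the expired key was deleted, only the new one remains.
APT_ERRORS_OLD_KEY_REMOVED = """\
Err:12 http://repository.spotify.com stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EFDC8610341D9410
"""
KEYRING_NEW_KEY_ONLY = """\
pub   4096R/48BF1C90 2018-05-23 [expires: 2019-08-16]
uid                  Spotify Public Repository Signing Key <tux@spotify.com>
"""

# gpgv status words as apt prints them, followed by a key id (or, for KEYEXPIRED, a Unix timestamp).
STATUS_RE = re.compile(r"\b(NO_PUBKEY|EXPKEYSIG|KEYEXPIRED|BADSIG)\s+(\S+)")
# "pub   4096R/341D9410 2017-07-25 [expired: 2018-07-25]" in the gpg 1.x layout shown in the thread;
# the bracket label is matched loosely so localized variants such as "[expirado: ...]" also parse.
PUB_RE = re.compile(
    r"^pub\s+\S+/([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})"
    r"(?:\s+\[[^\]]*?(\d{4}-\d{2}-\d{2})\])?",
    re.MULTILINE,
)


def keyexpired_to_utc(epoch):
    """KEYEXPIRED carries the expiry time as a Unix timestamp; render it as UTC."""
    when = dt.datetime.fromtimestamp(int(epoch), dt.timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_apt_key_list(text):
    """Map short key id -> (created, expiry or None) from `apt-key list` output."""
    keys = {}
    for keyid, created, expiry in PUB_RE.findall(text):
        keys[keyid.upper()] = (created, expiry or None)
    return keys


def diagnose(apt_output, apt_key_list, today):
    """Return (verdict, subject) pairs explaining each apt signature error.

    today is an ISO date string ("YYYY-MM-DD"); it decides whether a keyring
    expiry date has already passed.
    """
    keyring = parse_apt_key_list(apt_key_list)
    findings, signers = [], set()
    for status, value in STATUS_RE.findall(apt_output):
        if status == "KEYEXPIRED":
            findings.append(("SIGNATURE_KEY_EXPIRED_AT", keyexpired_to_utc(value)))
            continue
        short = value[-8:].upper()  # apt-key list (gpg 1.x) prints the 32-bit short id
        signers.add(short)
        if short not in keyring:
            findings.append(("SIGNER_NOT_IN_KEYRING", short))
        elif keyring[short][1] and keyring[short][1] <= today:
            findings.append(("SIGNER_IN_KEYRING_BUT_EXPIRED", short))
        else:
            findings.append(("SIGNER_IN_KEYRING_AND_VALID", short))
    # Any other key in the keyring did not sign this InRelease, so it cannot satisfy the check.
    for keyid in keyring:
        if signers and keyid not in signers:
            findings.append(("KEY_DID_NOT_SIGN_THIS_RELEASE", keyid))
    return findings


if __name__ == "__main__":
    scenarios = (
        ("both keys in keyring", APT_ERRORS_BOTH_KEYS, KEYRING_BOTH_KEYS),
        ("old key removed", APT_ERRORS_OLD_KEY_REMOVED, KEYRING_NEW_KEY_ONLY),
    )
    for label, out, ring in scenarios:
        print(f"--- {label}")
        for verdict, subject in diagnose(out, ring, "2018-07-26"):
            print(f"{verdict}: {subject}")
```

On a live system the two inputs come from `sudo apt-get update 2>&1` and `sudo apt-key list`; the date argument is there only so the result is reproducible. The verdicts spell out the point of this thread: until the repository's InRelease is re-signed with a key that is both unexpired and in the local keyring, nothing the client does with the keyring fixes the error.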

The new key does not seem to work, now that the old key expired today (July 25):

The following signatures were invalid: EXPKEYSIG EFDC8610341D9410 Spotify Public Repository Signing Key <tux@spotify.com>

Same @hear, expired key

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repository.spotify.com stable InRelease: The following signatures were invalid: KEYEXPIRED 1532522191
W: Failed to fetch http://repository.spotify.com/dists/stable/InRelease  The following signatures were invalid: KEYEXPIRED 1532522191

hope this gets fixed soon 🙂

This is the worst advice you can give someone. Given that this is only throwing an error temporarily, the correct solution is to ignore the error until Spotify issues a new key.

If the person is an experienced *nix user, they will already know exactly why the issue has come up - judging by the brevity of the post which was delivered as an FYI, this is likely.

If the person is not experienced, you are suggesting they open their system up to being exploited.

Come on, be responsible.

I keep getting:

gpg: requesting key 341D9410 from hkp server keyserver.ubuntu.com
gpg: key 341D9410: "Spotify Public Repository Signing Key <tux@spotify.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

What should I do about this? Remove the repo and add it again?

As "Peetee" mentioned, Spotify admins have to issue a new GPG key and sign all packages in their repositories with this new GPG key, as well as put this new GPG key in the PUB section of their web repository and send it to the Ubuntu keyserver. Until then you can't do anything, if you want to be responsible and thinking, except remove (comment out) this repository.

Do we have some general contact to SOC(Server/Security Operations Center) in Spotify Ltd. to let them know about this issue?

+1000, don't lower your security.

BTW, I don't have problems with keys anymore.

And to be sure, I replayed Spotify's instructions:

# 1. Add the Spotify repository signing keys to be able to verify downloaded packages
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90

# 2. Add the Spotify repository
echo deb http://repository.spotify.com stable non-free | sudo tee /etc/apt/sources.list.d/spotify.list

# 3. Update list of available packages
sudo apt-get update

# 4. Install Spotify
sudo apt-get install spotify-client

A signed package means it's coming from the signer. Doesn't mean it's safe. If you can't verify the package signature, you are still downloading the package from this server, with the link provided on the same web page as the key.

The ways to compromise that package are to crack the server that hosts the package, the DNS you are using, or one of the routers that lets you reach that server.

Because the Ubuntu keyserver doesn't use any verification, a signed or unsigned package doesn't matter if a really powerful hacker group bothers to hack into a Linux hobbyist's desktop/laptop system.

I said hobbyist because I assume a sysadmin who uses Linux on his personal computer can't have ridiculously superficial knowledge about digital signatures.

decafbad, I understand that there is no such thing as a safe download from a web server. However, the instructions are to switch off ANY kind of security that keys offer and to accept insecure programs. This isn't context-specific to Spotify, hence my response. A hobbyist wouldn't understand the global implications of "turning down" the security.

Hey,
me and a few other users noticed a GPG key change with the recent debian package updates. I am packaging spotify-stable on the Archlinux User Repository (AUR).

In order to provide a secure package for me and everyone else, it is crucial to only download trustworthy sources from Spotify. That is why they are signed with GPG. However, if the key randomly changes without any upstream notification from Spotify, we have to assume the servers were a) possibly compromised or b) Spotify changed its key but did not notify us users.

Now the question is: Where can I find any official information/statement that the key has changed and we can trust the new one.

The old key was:
0DF731E45CE24F27EEEB1450EFDC8610341D9410

The new key is:
931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90
http://pool.sks-keyservers.net/pks/lookup?search=0x931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90&op=vinde...

The new key is also mentioned here:
https://www.spotify.com/de/download/linux/

If we assume a) is true, we have to not trust any content on the Spotify servers. That means the .deb files (with new key signatures) and the content (install instructions) as well. The only way for Spotify to make us trust the new key is to sign the new key with the old one. That is a common practice. And the old one then must be revoked, if possible.

This means **spotify must take some action before I can update any package.** Otherwise users might be in danger. Although it is very unlikely that spotify got hacked, we still have to treat this issue with care. Similar incidents happened with Linux Mint or Handbrake.

TL;DR: Spotify, please sign the new GPG key with the old one. Community, please make Spotify notice this post by upvoting the whole topic, this post, or leaving a comment.

I will post this comment to the following threads:
https://community.spotify.com/t5/Desktop-Linux/Redistribute-Spotify-on-Linux-Distributions/td-p/1695...
https://community.spotify.com/t5/Desktop-Linux/deb-package-signing-key-at-ubuntu-keyserver-expired/t...
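One way to check the property the post above asks for, whether the new repository key carries a certification signature made by the old key, is to read the machine-readable listing from `gpg --with-colons --check-sigs <new-key-fingerprint>`. The script below is an added example, not code from the thread or from Spotify; it parses that listing using the field layout documented in gpg's doc/DETAILS. The three listings embedded in it are constructed: the cross-signature in the first one is hypothetical (the thread reports that no such signature existed), and the function and verdict names are assumptions of this example.

```python
"""Key-continuity check for a rotated repository signing key.

Added example (not from the thread; the gpg listings below are constructed).
Given the colon-separated output of `gpg --with-colons --check-sigs NEW`,
decide whether NEW carries a valid certification made by OLD.
Field layout (1-based, from gpg's doc/DETAILS): 1 record type, 2 validity
('!' good, '-' bad, '?' no public key, '%' error), 5 key id of the signer,
10 user id, 11 signature class (0x10..0x13 are certifications), 13 issuer
fingerprint (filled in only when the signature verified).
"""

OLD_KEY_FPR = "0DF731E45CE24F27EEEB1450EFDC8610341D9410"  # from the thread
NEW_KEY_FPR = "931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90"  # from the thread
CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP certification signature classes

# Constructed: what --check-sigs would print if the new key HAD been signed by the old one.
CROSS_SIGNED = """\
pub:-:4096:1:A87FF9DF48BF1C90:1527033600:1565913600::-:::scESC::::::23::0:
fpr:::::::::931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90:
uid:-::::1527033600::0123456789ABCDEF0123456789ABCDEF01234567::Spotify Public Repository Signing Key <tux@spotify.com>::::::::::0:
sig:!::1:A87FF9DF48BF1C90:1527033600::::Spotify Public Repository Signing Key <tux@spotify.com>:13x::931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90:::8:
sig:!::1:EFDC8610341D9410:1527033600::::Spotify Public Repository Signing Key <tux@spotify.com>:13x::0DF731E45CE24F27EEEB1450EFDC8610341D9410:::8:
"""

# Constructed: the situation the thread describes, only a self-signature on the new key.
SELF_SIGNED_ONLY = """\
pub:-:4096:1:A87FF9DF48BF1C90:1527033600:1565913600::-:::scESC::::::23::0:
fpr:::::::::931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90:
uid:-::::1527033600::0123456789ABCDEF0123456789ABCDEF01234567::Spotify Public Repository Signing Key <tux@spotify.com>::::::::::0:
sig:!::1:A87FF9DF48BF1C90:1527033600::::Spotify Public Repository Signing Key <tux@spotify.com>:13x::931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90:::8:
"""

# Constructed: a cross-signature is present, but the old key is not in the local keyring ('?').
UNVERIFIED_CROSS_SIG = """\
pub:-:4096:1:A87FF9DF48BF1C90:1527033600:1565913600::-:::scESC::::::23::0:
fpr:::::::::931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90:
uid:-::::1527033600::0123456789ABCDEF0123456789ABCDEF01234567::Spotify Public Repository Signing Key <tux@spotify.com>::::::::::0:
sig:!::1:A87FF9DF48BF1C90:1527033600::::Spotify Public Repository Signing Key <tux@spotify.com>:13x::931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90:::8:
sig:?::1:EFDC8610341D9410:1527033600::::[User ID not found]:13x:::::8:
"""


def parse_colon_records(text):
    """Split --with-colons output into one list of fields per record."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def certifications_on(text):
    """Yield (validity, signer_keyid, issuer_fpr) for every certification sig record."""
    for f in parse_colon_records(text):
        if f[0] == "sig" and len(f) > 10 and f[10][:2] in CERT_CLASSES:
            issuer_fpr = f[12] if len(f) > 12 else ""
            yield f[1], f[4].upper(), issuer_fpr.upper()


def key_continuity(check_sigs_output, old_key_fpr, new_key_fpr):
    """Return one of CROSS_CERTIFIED, CROSS_SIG_UNVERIFIED, NO_CROSS_SIG, WRONG_KEY."""
    records = parse_colon_records(check_sigs_output)
    fprs = [f[9].upper() for f in records if f[0] == "fpr" and len(f) > 9]
    if not fprs or fprs[0] != new_key_fpr.upper():
        return "WRONG_KEY"  # the listing is not for the key we expected to examine
    old_id = old_key_fpr[-16:].upper()  # long key id = last 16 hex digits of the fingerprint
    verdict = "NO_CROSS_SIG"
    for validity, signer, issuer_fpr in certifications_on(check_sigs_output):
        if signer != old_id:
            continue  # self-signatures and third-party certifications do not count
        # Field 13 is only filled when gpg verified the signature; accept '!' alone on
        # older gpg versions that leave it empty, but never accept a mismatching issuer.
        if validity == "!" and issuer_fpr in ("", old_key_fpr.upper()):
            return "CROSS_CERTIFIED"
        verdict = "CROSS_SIG_UNVERIFIED"  # present, but gpg could not (or did not) verify it
    return verdict


if __name__ == "__main__":
    for label, listing in (("cross-signed", CROSS_SIGNED),
                           ("self-signed only", SELF_SIGNED_ONLY),
                           ("old key missing locally", UNVERIFIED_CROSS_SIG)):
        print(f"{label}: {key_continuity(listing, OLD_KEY_FPR, NEW_KEY_FPR)}")
```

To run it against real keys, import both the old and the new key first, then feed the output of `gpg --with-colons --check-sigs 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90` to key_continuity. A CROSS_SIG_UNVERIFIED verdict usually means the old key is not in the local keyring, so gpg could not check the signature; NO_CROSS_SIG is the state the post describes, where the only thing vouching for the new key is the same web page that could have been tampered with.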

Hi,

I try to answer, but Spotify keeps flagging my posts as **bleep**/abuse. I reported this issue and hope the post will come back. In the meantime, please read it here:

https://gist.github.com/NicoHood/252b6b01543ad0aa29ce66a18f4fef24

This is so bad in all means....