W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repository.spotify.com stable InRelease: The following signatures were invalid: KEYEXPIRED 1532522191
W: Failed to fetch http://repository.spotify.com/dists/stable/InRelease The following signatures were invalid: KEYEXPIRED 1532522191
gpg: requesting key 341D9410 from hkp server keyserver.ubuntu.com
gpg: key 341D9410: "Spotify Public Repository Signing Key <firstname.lastname@example.org>" not changed
gpg: Total number processed: 1
gpg:               unchanged: 1
What should I do about this? Remove the repo and add it again?
As "Peetee" mentioned, Spotify admins have to issue a new GPG key and sign all packages in their repositories with this new GPG key, as well as put this new GPG key in the PUB section of their web repository and send it to the Ubuntu keyserver. Until then you can't do anything, if you want to be responsible and thinking, except remove (comment out) this repository.
Do we have some general contact to the SOC (Server/Security Operations Center) at Spotify Ltd. to let them know about this issue?
```bash
# 1. Add the Spotify repository signing keys to be able to verify downloaded packages
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90
# 2. Add the Spotify repository
echo deb http://repository.spotify.com stable non-free | sudo tee /etc/apt/sources.list.d/spotify.list
# 3. Update list of available packages
sudo apt-get update
# 4. Install Spotify
sudo apt-get install spotify-client
```
A signed package means it's coming from the signer. Doesn't mean it's safe. If you can't verify the package signature, you are still downloading the package from this server, with the link provided in the same web page as the key.
The ways to compromise that package are to crack the server that hosts the package, the DNS you are using, or one of the routers that lets you reach that server.
Because the Ubuntu keyserver doesn't use any verification, a signed or unsigned package doesn't matter if a really powerful hacker group bothers to hack into Linux hobbyists' desktop/laptop systems.
I said hobbyist because I assume a sysadmin who uses Linux on his personal computer can't have ridiculously superficial knowledge about digital signatures.
decafbad, I understand that there is no such thing as a safe download from a web server. However, the instructions are to switch off ANY kind of security that keys offer and to accept insecure programs. This isn't context-specific to Spotify, hence my response. A hobbyist wouldn't understand the global implications of "turning down" the security.
Hey, me and a few other users noticed a GPG key change with the recent debian package updates. I am packaging spotify-stable on the Archlinux User Repository (AUR).
In order to provide a secure package for me and everyone else it is crucial to only download trustworthy sources from Spotify. That is why they are signed with GPG. However, if the key randomly changes, without any upstream notification from Spotify, we have to assume the servers were a) possibly compromised or b) Spotify changed its key, but did not notify us users.
Now the question is: Where can I find any official information/statement that the key has changed and we can trust the new one?
The old key was: 0DF731E45CE24F27EEEB1450EFDC8610341D9410
If we assume a) is true, we have to not trust any content on the Spotify servers. That means the .deb files (with new key signatures) and the content (install instructions) as well. The only way for Spotify to make us trust the new key is to sign the new key with the old one. That is a common practice. And the old one then must be revoked, if possible.
This means **Spotify must take some action before I can update any package.** Otherwise users might be in danger. Although it is very unlikely that Spotify got hacked, we still have to treat this issue with care. Similar incidents happened with Linux Mint or Handbrake.
TL;DR: Spotify, please sign the new GPG key with the old one. Community, please make Spotify notice this post by upvoting the whole topic, this post or leaving a comment.
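The check the post above asks for, as an added example that is not from this thread or from Spotify: parse gpg's machine-readable listing (`gpg --with-colons --list-sigs KEYID`) of the replacement key and confirm that it has not expired and that it carries a certification signature from the old key. The two key ids are taken from the fingerprints quoted in the thread; the sample listing, its dates and its signature lines are constructed for this example.

```python
"""Assess a replacement apt signing key: unexpired, and certified by the old key?"""
import subprocess
import time

OLD_KEY_ID = "EFDC8610341D9410"   # long id: last 16 hex digits of the old fingerprint
NEW_KEY_ID = "A87FF9DF48BF1C90"   # long id: last 16 hex digits of the new fingerprint

# Constructed sample of gpg's colon-separated output for the new key
# (dates, uid and signature records are made up for this example).
SAMPLE_LISTING = """\
pub:-:4096:1:A87FF9DF48BF1C90:1532000000:1595072000::-:::scESC::::::23::0:
fpr:::::::::931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90:
uid:-::::1532000000::HASH::Spotify Public Repository Signing Key <key-owner@example.org>::::::::::0:
sig:::1:A87FF9DF48BF1C90:1532000000::::Spotify Public Repository Signing Key <key-owner@example.org>:13x:::::2:
sig:::1:EFDC8610341D9410:1532000100::::Spotify Public Repository Signing Key <key-owner@example.org>:10x:::::2:
"""

def parse_listing(text):
    """Return (expiry epoch or None, set of key ids that certified a user id)."""
    expiry = None
    signers = set()
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expiry = int(fields[6]) if fields[6] else None   # field 7 = expiration
        elif fields[0] == "sig" and len(fields) > 10:
            # field 5 = signer key id; field 11 starts with the signature class,
            # and classes 0x10..0x13 are user-id certifications
            if fields[10][:2] in ("10", "11", "12", "13"):
                signers.add(fields[4])
    return expiry, signers

def assess_key(text, old_key_id, new_key_id, now=None):
    """Return the three checks a packager wants before trusting the new key."""
    now = time.time() if now is None else now
    expiry, signers = parse_listing(text)
    return {
        "expired": expiry is not None and expiry <= now,
        "certified_by_old_key": old_key_id in signers,
        "self_signed": new_key_id in signers,
    }

def fetch_listing(key_id):
    """Fetch the real listing from a local keyring (not exercised by the sample run)."""
    out = subprocess.run(["gpg", "--with-colons", "--list-sigs", key_id],
                         capture_output=True, text=True, check=True)
    return out.stdout

if __name__ == "__main__":
    # 1532522191 is the KEYEXPIRED timestamp apt printed in the first post
    print(assess_key(SAMPLE_LISTING, OLD_KEY_ID, NEW_KEY_ID, now=1532522191))
```

Only a key for which `certified_by_old_key` is true links back to the trust you already had; a fresh key that is merely self-signed tells you nothing about who holds it.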