.deb package signing key at ubuntu keyserver expired.


Re: .deb package signing key at ubuntu keyserver expired.

Quevvy
Newbie

The new key does not seem to work, now that the old key expired today (July 25):

The following signatures were invalid: EXPKEYSIG EFDC8610341D9410 Spotify Public Repository Signing Key <tux@spotify.com>

Re: .deb package signing key at ubuntu keyserver expired.

vinnywright
Newbie

same here, expired key


W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repository.spotify.com stable InRelease: The following signatures were invalid: KEYEXPIRED 1532522191
W: Failed to fetch http://repository.spotify.com/dists/stable/InRelease  The following signatures were invalid: KEYEXPIRED 1532522191

hope this gets fixed soon 🙂


Re: .deb package signing key at ubuntu keyserver expired.

Peetee
Casual Listener

This is the worst advice you can give someone. Given that this is only throwing an error temporarily, the correct solution is to ignore the error until Spotify issue a new key. 


If the person is an experienced *nix user, they will already know exactly why the issue has come up - judging by the brevity of the post which was delivered as an FYI, this is likely.


If the person is not experienced, you are suggesting they open their system up to being exploited. 


Come on, be responsible.


Re: .deb package signing key at ubuntu keyserver expired.

bobkubista
Newbie

I keep getting:


gpg: requesting key 341D9410 from hkp server keyserver.ubuntu.com
gpg: key 341D9410: "Spotify Public Repository Signing Key <tux@spotify.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1


What should I do about this? Remove the repo and add it again?


Re: .deb package signing key at ubuntu keyserver expired.

Josef_S
Newbie

As "Peetee" mentioned, Spotify admins have to issue a new GPG key, sign all packages in their repositories with this new GPG key, put this new GPG key in the PUB section of their web repository, and send it to the Ubuntu keyserver. Until then you can't do anything, if you want to be responsible and thinking, except remove (comment out) this repository.

Do we have some general contact to the SOC (Server/Security Operations Center) at Spotify Ltd. to let them know about this issue?


Re: .deb package signing key at ubuntu keyserver expired.

lephoenix73
Casual Listener

+1000, don't lower your security.


BTW, I don't have problems with keys anymore.

And to be sure, I replay Spotify's instructions:


# 1. Add the Spotify repository signing keys to be able to verify downloaded packages
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90

# 2. Add the Spotify repository
echo deb http://repository.spotify.com stable non-free | sudo tee /etc/apt/sources.list.d/spotify.list

# 3. Update list of available packages
sudo apt-get update

# 4. Install Spotify
sudo apt-get install spotify-client

Re: .deb package signing key at ubuntu keyserver expired.

decafbad
Casual Listener

A signed package means it's coming from the signer. It doesn't mean it's safe. If you can't verify the package signature, you are still downloading the package from this server, with the link provided on the same web page as the key.

The ways to compromise that package are to crack the server that hosts the package, the DNS you are using, or one of the routers that lets you reach that server.

Because the Ubuntu keyserver doesn't use any verification, a signed or unsigned package doesn't matter if a really powerful hacker group bothers to hack into a Linux hobbyist's desktop/laptop system.

I said hobbyist because I assume a sysadmin who uses Linux on his personal computer can't have ridiculously superficial knowledge about digital signatures.


Re: .deb package signing key at ubuntu keyserver expired.

Peetee
Casual Listener

decafbad, I understand that there is no such thing as a safe download from a web server. However, the instructions are to switch off ANY kind of security that keys offer and to accept insecure programs. This isn't context-specific to Spotify, hence my response. A hobbyist wouldn't understand the global implications of "turning down" the security.


Re: .deb package signing key at ubuntu keyserver expired.

NicoHood
Music Fan

Hey,
a few other users and I noticed a GPG key change with the recent Debian package updates. I am packaging spotify-stable in the Arch Linux User Repository (AUR).

In order to provide a secure package for me and everyone else, it is crucial to only download trustworthy sources from Spotify. That is why they are signed with GPG. However, if the key randomly changes without any upstream notification from Spotify, we have to assume that either a) the servers were possibly compromised or b) Spotify changed its key but did not notify us users.

Now the question is: where can I find any official information/statement that the key has changed and that we can trust the new one?

The old key was:
0DF731E45CE24F27EEEB1450EFDC8610341D9410

The new key is:
931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90
http://pool.sks-keyservers.net/pks/lookup?search=0x931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90&op=vinde...

The new key is also mentioned here:
https://www.spotify.com/de/download/linux/

If we assume a) is true, we must not trust any content on the Spotify servers. That means the .deb files (with new key signatures) and the content (install instructions) as well. The only way for Spotify to make us trust the new key is to sign the new key with the old one. That is common practice. And the old one must then be revoked, if possible.

This means **Spotify must take some action before I can update any package.** Otherwise users might be in danger. Although it is very unlikely that Spotify got hacked, we still have to treat this issue with care. Similar incidents happened with Linux Mint or HandBrake.

Tl;dr: Spotify, please sign the new GPG key with the old one. Community, please make Spotify notice this post by upvoting the whole topic, upvoting this post, or leaving a comment.

I will post this comment in the following threads:
https://community.spotify.com/t5/Desktop-Linux/Redistribute-Spotify-on-Linux-Distributions/td-p/1695...
https://community.spotify.com/t5/Desktop-Linux/deb-package-signing-key-at-ubuntu-keyserver-expired/t...
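Added example, not code from the thread or from Spotify: a small Python checker for the cross-signing requirement described in the post above (new key must carry a certification made by the old key, old key should then be revoked). It parses a constructed `gpg --with-colons --list-sigs` listing built from the two fingerprints quoted above; the expiry timestamp is the one apt reported in this thread, every other timestamp is made up.

```python
# Added example (not Spotify's code). Input: `gpg --with-colons --list-sigs`
# output. Fields used (0-based): [0] record type, [1] validity, [4] long key
# id, [6] expiry epoch, [9] fingerprint or user id, [10] signature class.
import time

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP key-certification classes

def parse_keys(colon_output):
    """Map primary-key fingerprint -> {expires, revoked, certifiers}."""
    keys, cur = {}, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"expires": int(f[6]) if f[6] else None,
                   "revoked": f[1] == "r", "certifiers": set()}
        elif f[0] == "sub":
            cur = None                        # subkey records are not needed
        elif f[0] == "fpr" and cur is not None:
            keys[f[9]] = cur                  # fpr right after pub = primary
        elif f[0] == "sig" and cur is not None and f[10][:2] in CERT_CLASSES:
            cur["certifiers"].add(f[4])       # long key id of the signer
        elif f[0] == "rev" and cur is not None:
            cur["revoked"] = True
    return keys

def rotation_check(colon_output, old_fpr, new_fpr, now=None):
    """Return (ok, notes). ok only if the new key carries a certification made
    by the old key (its long id = last 16 hex digits of the fingerprint).
    An old key that is still unrevoked is reported as a warning only."""
    now = time.time() if now is None else now
    keys = parse_keys(colon_output)
    old, new = keys.get(old_fpr), keys.get(new_fpr)
    if new is None:
        return False, ["new key not found in listing"]
    checks = [(old_fpr[-16:] not in new["certifiers"], "no certification by old key"),
              (new["revoked"], "new key is revoked"),
              (new["expires"] is not None and new["expires"] < now, "new key expired")]
    problems = [msg for bad, msg in checks if bad]
    notes = problems + (["warning: old key not revoked"] if old and not old["revoked"] else [])
    return not problems, notes

# Constructed listing: fingerprints and ids are the thread's; the expiry
# 1532522191 is the one apt reported; all other timestamps are made up.
OLD_FPR = "0DF731E45CE24F27EEEB1450EFDC8610341D9410"
NEW_FPR = "931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90"
UID = "Spotify Public Repository Signing Key <tux@spotify.com>"
SAMPLE = f"""pub:e:4096:1:EFDC8610341D9410:1434104400:1532522191::-:::scSC:
fpr:::::::::{OLD_FPR}:
pub:-:4096:1:A87FF9DF48BF1C90:1532000000:1600000000::-:::scSC:
fpr:::::::::{NEW_FPR}:
sig:::1:A87FF9DF48BF1C90:1532000000::::{UID}:13x:
"""
CROSS_SIG = f"sig:::1:EFDC8610341D9410:1532000000::::{UID}:10x:\n"
```

Appending `CROSS_SIG` to `SAMPLE` simulates the new key having been signed by the old one; without it the check fails, with it only the "old key not revoked" warning remains.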


Re: .deb package signing key at ubuntu keyserver expired.

NicoHood
Music Fan

Hi,

I try to answer, but Spotify keeps flagging my posts as **bleep**/abuse. I reported this issue and hope the post will come back. In the meantime, please read it here:


https://gist.github.com/NicoHood/252b6b01543ad0aa29ce66a18f4fef24


This is so bad in all means....
