Oopsy daisy, the mobian repo's gpg key has expired and nobody noticed. Well until it was too late. If you get error messages about expired keys, you might want to add the new one manually
curl -s https://repo.mobian.org/mobian.gpg.key | sudo tee /var/lib/extrepo/keys/mobian.asc
The above command might be working for you. We will think how to get new keys in a safe way onto your device in the future.
Seems to be the same for the new and old key; the expiry date was updated:
D569 936C 7E32 F193 CBAA EC48 393F 924A 855F B27D
Alternatives for people without the 'extrepo' package (from irc):
curl -s https://repo.mobian.org/mobian.gpg | sudo tee /etc/apt/trusted.gpg.d/mobian.gpg
OR as (@mobian tooted)
curl -s https://repo.mobian.org/mobian.gpg &&
sudo apt-key --keyring=mobian.gpg
You can use a command such as 'apt-key list' before and after getting the new key.
@boud People really need to stop with stupid oneliners with no verification when et comes to package installations and adding GPG keys, and learn how to do things properly… It's not a race…
Dont pipe curl to anything… EVER!
1. Download the key (or package, if it's some package install)
2. Check the damn key fingerprint (or package signature)
3. Only IF the fingerprint is the good one (or signature is valid), add the key (or install package)
@boud Indeed, in your post, it's wasn't piped. But I've seen "curl … | …" so often that I don't agree with the "It's meant for technical people so they should know" argument. Just look at how many devs use "curl | bash" as way to avoid writing half-decent install, sign their packages, provide keys fingerprint or go through to process to have their packages published and signed-by distro maintainers. That's @FreePietje @mobian - 1/4
Users will follow advices from those who are supposed to know better => devs. So devs should not encourage users to do things the wrong way. Unfortunately, that's exactly what most devs are doing by writing shitty oneliner docs that don't include any kind of crypto @boud @FreePietje @mobian - 2/4
verification mechanism… Most third party packages aren't even cryptographically signed, and when they are, pub keys fingerprints aren't often published. Doing things properly is an exception, rather than the rule.
However, my point applies to both "curl | sonething (bash, apt or whatever)" and "curl && do_stuff (add keys, install pakages…)“. The only acceptable oneliners (in some cases/when possible) are the ones with @boud @FreePietje @mobian - 3/4
I didn't realise that it was for common for some groups of devs to output the result of 'curl' (or 'wget') directly to a file without checking. Using '&&' on its own is not a check on the file validity.
#Mobian aims to be as close to #Debian as possible, including Debian security practices - I interpret this particular case as a one-off hack. I'm sure your comments are seen as constructive feedback. :)
Mamot.fr est un serveur Mastodon francophone, géré par La Quadrature du Net.