Oopsy daisy, the mobian repo's gpg key has expired and nobody noticed. Well until it was too late. If you get error messages about expired keys, you might want to add the new one manually

curl -s repo.mobian.org/mobian.gpg.key | sudo tee /var/lib/extrepo/keys/mobian.asc

The above command might be working for you. We will think how to get new keys in a safe way onto your device in the future.

Providing a fingerprint of the new key seems like a good start ...

@FreePietje @mobian

Seems to be the same for the new and old key; the expiry date was updated:

D569 936C 7E32 F193 CBAA EC48 393F 924A 855F B27D

Alternatives for people without the 'extrepo' package (from irc):

curl -s repo.mobian.org/mobian.gpg | sudo tee /etc/apt/trusted.gpg.d/mobian.gpg

OR as (@mobian tooted)

curl -s repo.mobian.org/mobian.gpg &&
sudo apt-key --keyring=mobian.gpg

You can use a command such as 'apt-key list' before and after getting the new key.


@boud People really need to stop with stupid oneliners with no verification when et comes to package installations and adding GPG keys, and learn how to do things properlyā€¦ It's not a raceā€¦

Dont pipe curl to anythingā€¦ EVER!
1. Download the key (or package, if it's some package install)
2. Check the damn key fingerprint (or package signature)
3. Only IF the fingerprint is the good one (or signature is valid), add the key (or install package)

@FreePietje @mobian


Fair point - I didn't directly pipe downloaded files myself.

However, people using any OS on the #PinePhone, including #Mobian, are expected to be reasonably experienced in GNU/Linux and to know how to check advice carefully before implementing it.

You're welcome to join the Mobian communication channels (#Matrix #IRC #Telegram) [1], and help contribute to Fediverse announcements by the tiny handful of main developers (not me!).

[1] wiki.mobian.org

@FreePietje @mobian

@boud Indeed, in your post, it's wasn't piped. But I've seen "curl ā€¦ | ā€¦" so often that I don't agree with the "It's meant for technical people so they should know" argument. Just look at how many devs use "curl | bash" as way to avoid writing half-decent install, sign their packages, provide keys fingerprint or go through to process to have their packages published and signed-by distro maintainers. That's @FreePietje @mobian - 1/4

true especially for web/javascript folks, but not onlyā€¦. Most "modern" devs don't care about security. They just want to do things the fastest wayā€¦

Users will follow advices from those who are supposed to know better => devs. So devs should not encourage users to do things the wrong way. Unfortunately, that's exactly what most devs are doing by writing shitty oneliner docs that don't include any kind of crypto @boud @FreePietje @mobian - 2/4

verification mechanismā€¦ Most third party packages aren't even cryptographically signed, and when they are, pub keys fingerprints aren't often published. Doing things properly is an exception, rather than the rule.

However, my point applies to both "curl | sonething (bash, apt or whatever)" and "curl && do_stuff (add keys, install pakagesā€¦)ā€œ. The only acceptable oneliners (in some cases/when possible) are the ones with @boud @FreePietje @mobian - 3/4


something like "if (insert some crypto verificationĀ¹ code here); then do_stuff; else display_error_msg; fi".

1. Fingerprint comparisons, package's signature checksā€¦ depending on whatever one wants to achieve.

@FreePietje @mobian @boud - 4/4

Ā· Ā· Mastalab Ā· 1 Ā· 0 Ā· 0


I didn't realise that it was for common for some groups of devs to output the result of 'curl' (or 'wget') directly to a file without checking. Using '&&' on its own is not a check on the file validity.

#Mobian aims to be as close to #Debian as possible, including Debian security practices - I interpret this particular case as a one-off hack. I'm sure your comments are seen as constructive feedback. :)

@FreePietje @mobian

Sign in to participate in the conversation
La Quadrature du Net - Mastodon - Media FƩdƩrƩ

Mamot.fr est un serveur Mastodon francophone, gƩrƩ par La Quadrature du Net.