Similar to this:
opened 08:34PM - 17 Apr 21 UTC
closed 01:04AM - 08 Jan 22 UTC
T: bug
C: builder
C: Whonix
P: default
diagnosed
**Qubes OS version**
R4.0
**Affected component(s) or functionality**
… - qubes-builder
- qubes-template-whonix
**Brief summary**
When running `get-sources`, it errors out when retrieving `template-whonix` sources:
```
-> Updating sources for template-whonix...
--> Fetching from https://github.com/Whonix/qubes-template-whonix.git master...
--> Verifying tags...
---> No valid signed tag found!
---> One invalid tag: 33fa2dd246526151a38af4dd7b4c8245066c8a68
make: *** [Makefile:217: template-whonix.get-sources] Error 1
```
**How Reproducible**
100%
**To Reproduce**
Steps to reproduce the behavior:
1. Follow the steps in the [doc](https://www.qubes-os.org/doc/qubes-iso-building/)
2. Make sure `template-whonix` is selected
3. Run `make get-sources`
4. Notice the error
**Expected behavior**
It should retrieve the sources without errors
**Actual behavior**
It errors out when retrieving sources
**Screenshots**
N/A
**Additional context**
I've checked https://github.com/QubesOS/qubes-template-whonix/tags and it seems the last commit doesn't have a signed tag, which triggers the failure. Also, the @adrelanos key that comes with `qubes-builder` is expired, triggering another failure if the first one is resolved.
**Solutions you've tried**
1. Run `gpg --homedir=./keyrings/git/template-whonix/ --refresh-key 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA` in the `qubes-builder` dir
2. Unset `GIT_CLONE_FAST` & set `COMMIT_template_whonix` to the last commit that has a signed tag (in this case `e9b46e5b957ab771288913f5cd712bafd770ba04`)
3. Apply the following patch:
```diff
diff --git a/Makefile b/Makefile
index 831e6d1..b3aef00 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ BUILDERCONF ?= builder.conf
# Set defaults
BRANCH ?= master
+COMMIT ?=
GIT_BASEURL ?= https://github.com
GIT_SUFFIX ?= .git
DIST_DOM0 ?= fc20
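Review bot: The `COMMIT ?=` default in the Makefile creates a global variable next to `BRANCH`, but a single commit hash cannot be valid for more than one component. scripts/get-sources only overwrites `COMMIT` when `COMMIT_<component>` is set, so a `COMMIT` coming from the environment or from builder.conf would be applied to every repository. Consider dropping the global default and accepting only the per-component form.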
diff --git a/scripts/get-sources b/scripts/get-sources
index deeb694..23d19ff 100755
--- a/scripts/get-sources
+++ b/scripts/get-sources
@@ -6,6 +6,7 @@
# - GIT_SUFFIX - git component dir suffix (default .git)
# - COMPONENT - component to clone
# - BRANCH - git branch
+# - COMMIT - git commit
# - CLEAN=1 - remove previous sources (use git up vs git clone)
# - FETCH_ONLY=1 - fetch sources but do not merge
# - IGNORE_MISSING=1 - exit with code 0 if remote branch doesn't exists
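Review bot: The new `# - COMMIT - git commit` line in the header comment does not say what the variable does. It should state that the value replaces the ref whose signed tag is checked, that the per-component spelling is `COMMIT_<component>` with dashes turned into underscores, and whether it can be combined with `GIT_CLONE_FAST`, which the report had to unset.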
@@ -62,11 +63,16 @@ fi
[ -n "${GIT_REMOTE=}" ] && GIT_URL=$GIT_REMOTE
branch_var="BRANCH_${COMPONENT//-/_}"
+commit_var="COMMIT_${COMPONENT//-/_}"
if [ -n "${!branch_var-}" ]; then
BRANCH="${!branch_var}"
fi
+if [ -n "${!commit_var-}" ]; then
+ COMMIT="${!commit_var}"
+fi
+
: "${IGNORE_MISSING=0}"
: "${GIT_CLONE_FAST=0}"
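Review bot: `COMMIT` gets no default in this hunk: it is assigned only when `COMMIT_<component>` is non-empty, yet the last hunk expands a bare `"$COMMIT"`. The surrounding lines guard against unset variables with `${!branch_var-}` and `: "${IGNORE_MISSING=0}"`, so add `: "${COMMIT=}"` next to them instead of relying on the Makefile exporting an empty value.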
@@ -115,6 +121,9 @@ elif elementIn "$COMPONENT" $LESS_SECURE_SIGNED_COMMITS_SUFFICIENT; then
fi
VERIFY_REF=$(git -C "$REPO" rev-parse -q --verify "$VERIFY_REF") || exit
+if [ ! -z "$COMMIT" ]; then
+ VERIFY_REF="$COMMIT"
+fi
if [ "$verify" = 'false' ]; then
echo -e '\033[1;31m--> NOT verifying tags\033[0;0m'
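Review bot: `VERIFY_REF="$COMMIT"` is assigned after the `git rev-parse -q --verify` line, so the user-supplied value skips the resolution every other ref goes through; a typo, an abbreviated hash or a branch name reaches the tag check as typed. Resolve it the same way, for example `VERIFY_REF=$(git -C "$REPO" rev-parse -q --verify "$COMMIT^{commit}") || exit`, and write the test as `[ -n "$COMMIT" ]`. The visible lines only change which ref is verified, so also confirm that the ref merged or checked out later is that same object.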
```
4. Run `make get-sources`
**Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted**
- https://www.qubes-os.org/doc/qubes-iso-building/
- https://github.com/Qubes-Community/Contents/blob/master/docs/building/building-whonix-template.md
- https://github.com/QubesOS/qubes-builder
- https://github.com/QubesOS/qubes-template-whonix
**Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues**
If you have a Debian-10 TemplateVM that you use for backup Tor Browser instances (as per our wiki instructions), you get this when trying to do Template updates (in the last day or so):
```
The following signatures were invalid: EXPKEYSIG CB8D50BB77BB3C48 Patrick Schleizer adrelanos@riseup.net
```
I see that is a sub fingerprint that according to the Whonix Signing Key page doesn’t expire until 2026.
I guess it’s similar to this:
Both
and
are based on:
Re-running these instructions will update the signing key.
I guess the bug fix request here is fixing that for users who won’t re-run these instructions or to somehow automatically fix this? This is not possible. Since the signing key is now expired, there is no way even in theory I could push an upgrade to fix this.
In case of:
To improve this situation in the future in case of A), the only thing that could be suggested is installing package `repository-dist`. Could be suggested as optional in this wiki template at the bottom Template:W-APT-Repository-Key - Whonix? What do you think?
Does this answer your post?
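
An added example, not part of the issue or of the forum posts above: one way to tell a stale local copy of a signing key (fixed by refreshing the key) from a key that has expired for everyone, by comparing `gpg --with-colons --list-keys` output from the local keyring with a freshly fetched copy. The function name `classify_keys`, the key IDs and all timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input is `gpg --with-colons --list-keys` output, e.g. from
#   gpg --homedir=./keyrings/git/template-whonix/ --with-colons --list-keys
# Colon format (GnuPG 2.x): field 1 = record type, 5 = key ID,
# 7 = expiry in seconds since the epoch (empty = never expires).

# Constructed sample: the copy of the keys held in the local keyring.
LOCAL_SAMPLE='pub:e:4096:1:AAAAAAAAAAAAAAA1:1400000000:1610000000::-:
sub:e:4096:1:AAAAAAAAAAAAAAA2:1400000000:1610000000::::
pub:e:4096:1:BBBBBBBBBBBBBBB1:1400000000:1500000000::-:
pub:-:4096:1:CCCCCCCCCCCCCCC1:1400000000:::-:'

# Constructed sample: the same keys after fetching the current public key.
FRESH_SAMPLE='pub:-:4096:1:AAAAAAAAAAAAAAA1:1400000000:1780000000::-:
sub:-:4096:1:AAAAAAAAAAAAAAA2:1400000000:1780000000::::
pub:e:4096:1:BBBBBBBBBBBBBBB1:1400000000:1500000000::-:'

# classify_keys NOW LOCAL FRESH
# For every key or subkey that is expired in LOCAL, print its ID and either
#   stale-local-copy  (FRESH has it with a later expiry: refreshing fixes it)
#   expired           (expired or missing in FRESH too: refreshing will not help)
classify_keys() {
    { printf '%s\n' "$3"; echo '--local--'; printf '%s\n' "$2"; } |
    awk -F: -v now="$1" '
        $0 == "--local--"          { in_local = 1; next }
        $1 != "pub" && $1 != "sub" { next }
        !in_local                  { seen[$5] = 1; fresh[$5] = $7; next }
        $7 != "" && $7 + 0 < now + 0 {
            ok = ($5 in seen) && (fresh[$5] == "" || fresh[$5] + 0 >= now + 0)
            print $5, (ok ? "stale-local-copy" : "expired")
        }'
}

# Constructed "now" (an epoch value between the two sample expiry dates).
classify_keys 1620000000 "$LOCAL_SAMPLE" "$FRESH_SAMPLE"
```

A `stale-local-copy` result means the key's expiry was extended upstream and only the local keyring is out of date; `expired` means a refresh from the same source will not change the verification result.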