Issue T100: Error ...signatures were invalid: KEYEXPIRED 1421449064

[b]Issue T100: KEYEXPIRED Error upon apt-get update from Whonix Repository

Posted by @WhonixQubes

January 17, 2015

https://phabricator.whonix.org/T100[/b]

KEYEXPIRED error upon apt-get update from Whonix repository reported and confirmed as happening in Qubes + Whonix.

W: GPG error: http://sourceforge.net wheezy Release: The following signatures were invalid: KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659 KEYEXPIRED 1421449659 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659

Wonder if this is happening on other Whonix platforms, such as VirtualBox?

[hr]

Hi,

I just tried to update the experimental whonix templates but ran into this:

[font=andale mono]user@whonix-gateway-experimental:~$ sudo apt-get update
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 560 0 560 0 0 50337 0 --:--:-- --:--:-- --:--:-- 56000
Hit http://security.debian.org wheezy/updates Release.gpg
Hit http://deb.qubes-os.org wheezy Release.gpg
Hit http://deb.torproject.org wheezy Release.gpg
Get:1 http://ftp.us.debian.org wheezy-backports Release.gpg [836 B]
Hit http://security.debian.org wheezy/updates Release
Hit http://deb.qubes-os.org wheezy Release
Hit http://deb.torproject.org wheezy Release
Hit http://ftp.us.debian.org wheezy Release.gpg
Hit http://security.debian.org wheezy/updates/main amd64 Packages
Hit http://deb.qubes-os.org wheezy/main Sources
Hit http://deb.torproject.org wheezy/main amd64 Packages
Get:2 http://ftp.us.debian.org wheezy-backports Release [147 kB]
Hit http://security.debian.org wheezy/updates/contrib amd64 Packages
Hit http://deb.qubes-os.org wheezy/main amd64 Packages
Hit http://security.debian.org wheezy/updates/non-free amd64 Packages
Hit http://security.debian.org wheezy/updates/contrib Translation-en
Hit http://ftp.us.debian.org wheezy Release
Get:3 http://sourceforge.net wheezy Release.gpg [931 B]
Hit http://security.debian.org wheezy/updates/main Translation-en
Hit http://ftp.us.debian.org wheezy-backports/main amd64 Packages/DiffIndex
Hit http://security.debian.org wheezy/updates/non-free Translation-en
Hit http://ftp.us.debian.org wheezy-backports/main Translation-en/DiffIndex
Hit http://ftp.us.debian.org wheezy/main amd64 Packages
Hit http://ftp.us.debian.org wheezy/contrib amd64 Packages
Hit http://ftp.us.debian.org wheezy/non-free amd64 Packages
Get:4 http://sourceforge.net wheezy Release [12.2 kB]
Err http://sourceforge.net wheezy Release

Ign http://deb.qubes-os.org wheezy/main Translation-en_US
Hit http://ftp.us.debian.org wheezy/contrib Translation-en
Ign http://deb.torproject.org wheezy/main Translation-en_US
Ign http://deb.qubes-os.org wheezy/main Translation-en
Hit http://ftp.us.debian.org wheezy/main Translation-en
Ign http://deb.torproject.org wheezy/main Translation-en
Hit http://ftp.us.debian.org wheezy/non-free Translation-en
Fetched 149 kB in 14s (9,940 B/s)
Reading package lists… Done
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://sourceforge.net wheezy Release: The following signatures were invalid: KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659 KEYEXPIRED 1421449659 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659

W: Failed to fetch Whonix Developer Meta Files - Browse Files at SourceForge.net

W: Some index files failed to download. They have been ignored, or old ones used instead.[/font]

It stops there. :(

I have confirmed this key expiration error on my end. I got the same error.

It is present with the Whonix binary update repository, hosted on sourceforge.net.

I will file a bug report on the Whonix issue tracker.

[hr]

I wonder if this same bug is occurring for Whonix on VirtualBox?

[hr]

This type of error is also mentioned in the Whonix docs here:

4. signature verification warnings

There should be none at the moment. If there was such a warning, it would look like this.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

In that case, you should be careful. Even though apt-get will automatically ignore repositories with expired keys or signatures, you will not receive upgrades from that repository. Unless the issue is already known/documented, it should be reported so it can be further investigated.

There are two possible reasons why this could happen. Either there is an issue with the repository that the maintainers of that repository have to fix, or you are the victim of a man-in-the-middle attack. [1] The latter would not be a big issue [2] and might go away after a while automatically [3] or try to change your Tor circuit.

In the past, The Tor Project’s apt repository key was expired. If you want to see how the documentation looked at that point, please click on expand on the right.

The Tor Project’s apt repository key was expired. You saw the following warning.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release

W: Some index files failed to download. They have been ignored, or old ones used instead.

It had already been reported. No danger at that moment. You could ignore it. Just make sure you never install unsigned packages as explained above.

If you were to see other signature verification errors, those should be reported, but it shouldn’t happen at this time.

Ticket has been filed here: https://phabricator.whonix.org/T100
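Deciding whether a warning like the ones quoted above is the known expired-key case or something that must be reported is easier with a small script than by eyeballing a wall of KEYEXPIRED tokens. The following shell is an added example, not part of the Whonix documentation or of apt: it extracts the distinct signature status tokens from an apt GPG warning, decodes the KEYEXPIRED epochs to UTC dates, and answers "expired" only when every failure is KEYEXPIRED, "report" otherwise. The warning text is a constructed copy of this thread's own output; the date conversion assumes GNU date (with a BSD `date -r` fallback).

```shell
#!/bin/sh
# Added example (not Whonix or apt code): triage an apt GPG warning.
set -eu

# Constructed copy of the warning text from this thread (apt's own typo kept).
SAMPLE_WARNING='W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://sourceforge.net wheezy Release: The following signatures were invalid: KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659 KEYEXPIRED 1421449064'

# Distinct status tokens (KEYEXPIRED, BADSIG, NO_PUBKEY, ...) after
# "signatures were invalid:", space-separated and sorted.
status_tokens() {
    printf '%s\n' "$1" | sed -n 's/.*signatures were invalid: *//p' \
        | tr ' ' '\n' | grep -E '^[A-Z_]+$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Distinct KEYEXPIRED epochs, one per line, in order of first appearance.
expiry_epochs() {
    printf '%s\n' "$1" | grep -oE 'KEYEXPIRED [0-9]+' | awk '!seen[$2]++ { print $2 }'
}

# Epoch seconds -> ISO-8601 UTC. GNU date first, BSD date -r as fallback.
epoch_to_utc() {
    date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
}

# "expired": only KEYEXPIRED seen (rotate the key; no updates meanwhile).
# "report":  any other status appears, as the docs ask for.
# "clean":   no signature failure in the text at all.
classify_warning() {
    toks=$(status_tokens "$1")
    if [ -z "$toks" ]; then
        echo clean
    elif [ "$toks" = "KEYEXPIRED" ]; then
        echo expired
    else
        echo report
    fi
}

# Human-readable summary of the constructed sample.
for ts in $(expiry_epochs "$SAMPLE_WARNING"); do
    echo "key expired at $ts = $(epoch_to_utc "$ts")"
done
echo "verdict: $(classify_warning "$SAMPLE_WARNING")"
```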

Maybe it is simply an expired Whonix key that needs replacement on the repo?

Let’s hope that it is something simple like that.

Confirmed. Happens on all platforms. No immediate risk. Working on a fix.

That’s it.

The quick and easy fix is to fetch my key from keyservers, check it, and then add it to apt-key. Please test!

fpr="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"
gpg --recv-keys "$fpr"
gpg --fingerprint "$fpr" 
gpg --export "$fpr" | sudo apt-key add -

You should know my fingerprint from the download verification instructions already.
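The three commands above leave the actual fingerprint comparison to the reader's eyes. As an added example (not Patrick's script or Whonix's own tooling), the shell below fetches the key into a throwaway GNUPGHOME, compares the full primary-key fingerprint against the one you already know, and only then pipes the key to apt-key; the `--with-colons` output used for the offline check is a constructed sample.

```shell
#!/bin/sh
# Added example: add the repository key to apt-key only after the fingerprint matches.
set -eu

EXPECTED_FPR="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"   # fingerprint from this thread

# Constructed sample of `gpg --with-colons --fingerprint` output (not real key data
# beyond the fingerprint itself). Field 10 of the fpr record is the fingerprint.
SAMPLE_COLONS='pub:-:4096:1:8D66066A2EEACCDA:::::::scESC::::::
fpr:::::::::916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA:'

# Normalise any gpg fingerprint rendering ("Key fingerprint = 916B 8D99 ..." or raw hex):
# drop the label, drop non-hex characters, uppercase.
normalize_fpr() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/[^0-9A-Fa-f]//g' | tr 'a-f' 'A-F'
}

# Returns 0 iff the fingerprints in $1 and $2 are the same 40 hex digits.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# First fpr record of --with-colons output = primary key fingerprint.
primary_fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fetch into a temporary keyring so nothing reaches apt-key until verified.
fetch_verify_add() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    GNUPGHOME="$tmp" gpg --batch --recv-keys "$EXPECTED_FPR"
    got=$(GNUPGHOME="$tmp" gpg --batch --with-colons --fingerprint "$EXPECTED_FPR")
    fpr=$(primary_fpr_from_colons "$got")
    if fpr_matches "$fpr" "$EXPECTED_FPR"; then
        GNUPGHOME="$tmp" gpg --batch --export "$EXPECTED_FPR" | sudo apt-key add -
    else
        echo "fingerprint mismatch: got '$fpr', expected '$EXPECTED_FPR'" >&2
        return 1
    fi
}

# Network and sudo are only touched when explicitly asked for: ./script.sh --run
if [ "${1:-}" = "--run" ]; then
    fetch_verify_add
fi
```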

[hr]

Whonix News and blog post coming later.

Updated stable packages coming later.

Likely changelog:

9.5
- tb-updater: added new TBB tbb-team.asc signing key - https://phabricator.whonix.org/T41
- whonix-repository: updated repository signing key - https://phabricator.whonix.org/T100
- whonixcheck: updated Whonix news signing key - https://phabricator.whonix.org/T100

Key fingerprint unchanged. You can verify that by running "sudo apt-key finger" beforehand.

[hr]

Packages in wheezy repository have been updated:

[hr]

Another interesting alternative way to fix this.

Should be safe at least for 1 week. (After that, we might be ignoring the valid-until field for too long.)

sudo faketime 2015-01-15 apt-get update
sudo apt-get dist-upgrade

This will trick gpg into believing the key is still valid.

Then do a normal upgrade.

sudo apt-get update
sudo apt-get dist-upgrade

[b]Is it possible that this problem will be fixed in the future automatically by running an update/dist-upgrade? Or should I fix it now so I can do update/dist-upgrade again?

Thank you bro[/b]

It won’t fix itself. Please apply one of the solutions:

Ok, thank you bro. Worked for me. Good luck guys.

[b]Whonix Qubes solution for this error is documented here:

Please update the documentation, since this is not the first time this happens there is already a paragraph about it, but it is missing the current event.

This is happening too often - the last EXPIRED event was half a year ago. The key-management seems to have major problems. If you create a key, make an appointment with yourself ahead of the expiration date, or set a realistic expiration date. This is especially annoying because the guest additions are discouraged, which leaves you either typing the long fingerprint by hand or fiddling with links on a command prompt on the gateway.

Updated documentation.

VirtualBox Guest Additions are no longer discouraged and will be installed by default in Whonix 10, full story:

Last time it was The Tor Project’s signing key that expired. This time Whonix’s one.

[quote=“Patrick, post:5, topic:810”]The quick and easy fix is to fetch my key from keyservers, check it, and then add it to apt-key. Please test!

fpr="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"
gpg --recv-keys "$fpr"
gpg --fingerprint "$fpr"
gpg --export "$fpr" | sudo apt-key add -[/quote]

Are the keys available on your website anywhere? The key server is timing out for me.

[quote=“nrgaway, post:13, topic:810”][quote author=Patrick link=topic=892.msg6582#msg6582 date=1421512573]
The quick and easy fix is to fetch my key from keyservers, check it, and then add it to apt-key. Please test!

fpr="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"
gpg --recv-keys "$fpr"
gpg --fingerprint "$fpr" 
gpg --export "$fpr" | sudo apt-key add -

[/quote]

Are the keys available on your website anywhere? The key server is timing out for me.[/quote]
Same key as this one:

  1. How do we check this is the correct key and has not been man in the middle attacked or changed?
  2. Since there is no browser on the gateway, what is the advised way to get it so we can enter it in the terminal there.
  3. What are the risks if we run the updates anyway? Will we be getting that warning every time until fixed?
1. How do we check this is the correct key and has not been man in the middle attacked or changed?

See:
- https://www.whonix.org/wiki/Whonix_Signing_Key
- https://www.whonix.org/wiki/Whonix_Signing_Key#Web_of_Trust
- https://www.whonix.org/wiki/Trust

2. Since there is no browser on the gateway, what is the advised way to get it so we can enter it in the terminal there?

Download from key servers or using a command line download tool such as curl.

3. What are the risks if we run the updates anyway?

You will not receive any updates from that repository.

Will we be getting that warning every time until fixed?

Yes. (It will never fix itself.)

Thank you, that was very helpful!

About 2. I was curious if there is an easy way to get this code onto the gateway to copy and paste, or whether we should just write it by hand while looking at the workstation.

fpr="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"
gpg --recv-keys "$fpr"
gpg --fingerprint "$fpr"
gpg --export "$fpr" | sudo apt-key add -

Might sound stupid to ask about that, but writing it by hand is very prone to mistakes, especially with strings such as the fpr one.

I don’t think there is a great way for that. Either writing it by hand or using copy and paste. (The latter using guest additions https://www.whonix.org/wiki/VirtualBox_Guest_Additions) Both come with their own issues. (Typing by hand is uncomfortable.) (Installing guest additions, enabling copy and paste in VirtualBox settings, disabling it afterwards or not copying something (non-)anonymous and vice versa.)

I can confirm now this works perfect.
By the way, this problem never appeared in the Workstation. Only in the gateway.

[quote=“Dani, post:19, topic:810”]I can confirm now this works perfect.
By the way, this problem never appeared in the Workstation. Only in the gateway.[/quote]
Perhaps you didn’t have Whonix’s apt repository enabled there.