Sunday, April 9, 2023

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05

I periodically run into the expiration of the GPG key that signs the google-cloud-sdk APT repository. The error looks like this:

Err:9 https://packages.cloud.google.com/apt cloud-sdk InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
Fetched 6,361 B in 1s (4,349 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
27 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.cloud.google.com/apt cloud-sdk InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
W: Failed to fetch https://packages.cloud.google.com/apt/dists/cloud-sdk/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
W: Some index files failed to download. They have been ignored, or old ones used instead.

Judging by the GPG output, the old key (7F92E05B31093BEF5A3C2D38FEEA9169307EA071) expired back in early March:

$ gpg /usr/share/keyrings/cloud.google.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2021-03-01 [SC] [expired: 2023-03-02]
      7F92E05B31093BEF5A3C2D38FEEA9169307EA071
uid           Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub)
sub   rsa2048 2021-03-01 [E] [expired: never     ]
pub   rsa2048 2020-12-04 [SC] [expired: 2022-12-04]
      59FE0256827269DC81578F928B57C5C2836F4BEB
uid           gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>
sub   rsa2048 2020-12-04 [E] [expired: never     ]

The fix is simple: download the new key and run apt update again (installing google-cloud-sdk is described here)

$ curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -

Checking the expiration date of the new key:

$ gpg /usr/share/keyrings/cloud.google.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2021-03-01 [SC] [expired: 2023-03-02]
      7F92E05B31093BEF5A3C2D38FEEA9169307EA071
uid           Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub)
sub   rsa2048 2021-03-01 [E] [expired: never     ]
pub   rsa2048 2020-12-04 [SC] [expired: 2022-12-04]
      59FE0256827269DC81578F928B57C5C2836F4BEB
uid           gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>
sub   rsa2048 2020-12-04 [E] [expired: never     ]
pub   rsa2048 2022-05-21 [SC]
      A362B822F6DEDC652817EA46B53DC80D13EDEF05
uid           Rapture Automatic Signing Key (cloud-rapture-signing-key-2022-03-07-08_01_01.pub)
sub   rsa2048 2022-05-21 [E]

It looks like this time Google decided not to set an expiration for the new key (A362B822F6DEDC652817EA46B53DC80D13EDEF05). Just in case, I'll check whether there is a "keyring" package that would update this key automatically:

$ aptitude -F '%p' search 'keyring ?origin(cloud-sdk)'

The search returned nothing, which means Google does not provide a "keyring" package for automatic rotation. For comparison, this is what it looks like when searching in debian:

$ aptitude -F '%p' search 'keyring ?origin(debian)'
archlinux-keyring
debian-archive-keyring
debian-keyring
debian-ports-archive-keyring
elbe-archive-keyring
fasttrack-archive-keyring
gnome-keyring
gnome-keyring-pkcs11
keyringer
leap-archive-keyring
libpam-gnome-keyring
mercurial-keyring
neurodebian-archive-keyring
pidgin-gnome-keyring
python3-keyring
python3-keyrings.alt
sq-keyring-linter
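
With no keyring package to rotate the key, expiry of the keys in a repository keyring can be checked ahead of time from gpg's machine-readable output instead of waiting for apt update to fail. The script below is an added example, not part of the original post: the function names, the 30-day default window and the sample records are constructed here (fingerprints and dates are taken from the output above, timestamps rounded to midnight UTC), and check_keyring assumes GnuPG 2.2 or later for --show-keys.

```shell
#!/bin/sh
# Added example: classify every primary key in `gpg --with-colons` output.
# Colon format (GnuPG doc/DETAILS): in a "pub" record field 7 is the expiry
# time in epoch seconds (empty = never expires); in the "fpr" record that
# follows, field 10 is the fingerprint.

# Reads colon records on stdin. $1 = current time (epoch s), $2 = warning window (days).
# Prints "<fingerprint> <expired|expiring-soon|ok|no-expiry>" per primary key.
key_expiry_report() {
    awk -F: -v now="$1" -v warn_days="$2" '
        $1 == "pub" {
            expires = $7
            if (expires == "")                            status = "no-expiry"
            else if (expires + 0 <= now + 0)              status = "expired"
            else if (expires - now <= warn_days * 86400)  status = "expiring-soon"
            else                                          status = "ok"
            want_fpr = 1
            next
        }
        # Only the fpr record directly belonging to a pub record is reported;
        # fpr records of subkeys are skipped.
        $1 == "fpr" && want_fpr { print $10, status; want_fpr = 0 }
    '
}

# Live use (hypothetical helper): check_keyring /usr/share/keyrings/cloud.google.gpg 30
check_keyring() {
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null |
        key_expiry_report "$(date +%s)" "${2:-30}"
}

# Constructed sample records mirroring the three keys shown in the post.
sample_colons() {
    cat <<'EOF'
pub:e:2048:1:FEEA9169307EA071:1614556800:1677715200::-:::sc:
fpr:::::::::7F92E05B31093BEF5A3C2D38FEEA9169307EA071:
pub:e:2048:1:8B57C5C2836F4BEB:1607040000:1670112000::-:::sc:
fpr:::::::::59FE0256827269DC81578F928B57C5C2836F4BEB:
pub:-:2048:1:B53DC80D13EDEF05:1653091200:::-:::sc:
fpr:::::::::A362B822F6DEDC652817EA46B53DC80D13EDEF05:
EOF
}
```

Run from cron or a monitoring check, any line ending in expired or expiring-soon is the signal to fetch the repository's current key before the next apt update.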
