PSA: bunsen-keyring package refreshes

twoion · 2020-11-21 16:48:53

An update to the bunsen-keyring package has been released for the current BunsenLabs Lithium release, as well as all older releases, Helium and Hydrogen. The update contains a routine extension of the key expiration date until the year 2030. In order to ensure that your install can verify the signature on our package repositories after 2021-01-18, which is the current key expiration date, please make sure that you update your BunsenLabs system until then:

sudo apt-get update
sudo apt-get install bunsen-keyring
sudo apt-get update

The final apt-get update call should go through without any validation errors against the BunsenLabs repositories.

If you miss the update window till January 18, 2021, you can no longer receive the update using APT without intervention as APT will fail to verify our repository signatures using the expired key. In order to get the new key after the expiration date, download the following packages and install them manually:

Lithium: https://eu.pkg.bunsenlabs.org/debian/po … -1_all.deb
Helium: https://eu.pkg.bunsenlabs.org/debian/po … -1_all.deb
Hydrogen: https://eu.pkg.bunsenlabs.org/debian/po … -2_all.deb

Install the packages using the terminal by executing

sudo dpkg -i /path/to/the/package.deb

or by double-clicking on them using gdebi.

hhh · 2020-11-21 22:45:32

Thanks for the update! I assume, if you miss the window, that you only need to install the one package relative to your BL OS version (just the lithium package if you run Lithium, for example.)

rbh · 2020-11-22 01:14:10

The new keyring should be installed whith normal update.

In terminal:

apt update
apt upgrade

Or in synaptic, Press button "Mark all upgrades" and "Execute"

grubernd · 2020-11-23 11:17:07

rbh wrote:

The new keyring should be installed whith normal update.

I was wondering the same .. shouldn't that package be a part of the system install?

I did as instructed and from the apt logs it looks like it actually had to install the package.

Edit: Will test on other machines later.

Last edited by grubernd (2020-11-23 11:18:54)

dbvolvox · 2020-11-23 11:59:31

rbh wrote:

The new keyring should be installed with normal update.

Confirming it was included in my normal update done today.

DeepDayze · 2020-11-23 14:00:40

grubernd wrote:

rbh wrote:
The new keyring should be installed whith normal update.
I was wondering the same .. shouldn't that package be a part of the system install?
I did as instructed and from the apt logs it looks like it actually had to install the package.
Edit: Will test on other machines later.

The bunsen-keyring package is in the ISO, but if you do an install with a Bunsen ISO after January 18th (when the current certificate expires), you will then need to grab the updated keyring package and install manually as noted above as when you try to update a new install after the 18th of January it will fail unless you update the keyring.

Think this has bitten some people in the past.

twoion · 2020-11-23 14:49:26

DeepDayze wrote:

grubernd wrote:
rbh wrote:
The new keyring should be installed whith normal update.
I was wondering the same .. shouldn't that package be a part of the system install?
I did as instructed and from the apt logs it looks like it actually had to install the package.
Edit: Will test on other machines later.
The bunsen-keyring package is in the ISO, but if you do an install with a Bunsen ISO after January 18th (when the current certificate expires), you will then need to grab the updated keyring package and install manually as noted above as when you try to update a new install after the 18th of January it will fail unless you update the keyring.
Think this has bitten some people in the past.

The ISO images are about to be refreshed with updated packages. This problem will not occur if the user downloads the latest ISO images for the install.

DeepDayze · 2020-11-23 15:39:15

twoion wrote:

DeepDayze wrote:
grubernd wrote:
I was wondering the same .. shouldn't that package be a part of the system install?
I did as instructed and from the apt logs it looks like it actually had to install the package.
Edit: Will test on other machines later.
The bunsen-keyring package is in the ISO, but if you do an install with a Bunsen ISO after January 18th (when the current certificate expires), you will then need to grab the updated keyring package and install manually as noted above as when you try to update a new install after the 18th of January it will fail unless you update the keyring.
Think this has bitten some people in the past.
The ISO images are about to be refreshed with updated packages. This problem will not occur if the user downloads the latest ISO images for the install.

That's great to know. Thanks for that.

grubernd · 2021-01-19 21:11:49

I just used an install image from last year and had to update the key package by hand - as expected.

Have the official install images (download/torrent) been updated with the new key?

rbh · 2021-01-19 21:42:31

grubernd wrote:

I just used an install image from last year and had to update the key package by hand - as expected.
Have the official install images (download/torrent) been updated with the new key?

The last keyring bunsen-keyring_2020.10.10+bl9-1_all.deb , is from nov 2020.
The only Litium iso is from July 2020...

Instead of installing the keyring, I prefer importing the apt key and then update/upgrade all.

As root:

# wget https://ddl.bunsenlabs.org/ddl/BunsenLabs-RELEASE.asc -O- | apt-key add -

grubernd · 2021-01-19 22:00:31

rbh wrote:

The only Litium iso is from July 2020...
Instead of installing the keyring, I prefer importing the apt key and then update/upgrade all.

The missing key makes bl-welcome fail.

But since the script can not update itself, it can not fix the missing key or inform the user how to fix that himself. I know, BL is not meant for helpless people, but still.

johnraff · 2021-01-20 01:22:19

^See the top post for instructions.
https://forums.bunsenlabs.org/viewtopic … 30#p108430

twoion wrote:

If you miss the update window till January 18, 2021, you can no longer receive the update using APT without intervention as APT will fail to verify our repository signatures using the expired key. In order to get the new key after the expiration date...

ovum · 2021-01-20 06:26:01

when i try to run the commands in the first post, i get the following errors:

sudo apt-get update
Hit:2 https://deb.debian.org/debian buster InRelease
Hit:3 https://deb.debian.org/debian-security buster/updates InRelease
Get:1 http://eu.pkg.bunsenlabs.org/debian lithium InRelease [6,362 B]
Hit:4 https://deb.debian.org/debian buster-updates InRelease
Err:1 http://eu.pkg.bunsenlabs.org/debian lithium InRelease
The following signatures were invalid: EXPKEYSIG A0673F72FE62D9C5 Jens John (BunsenLabs Repository Signing Key) <dev@2ion.de>
Get:5 https://mega.nz/linux/MEGAsync/Debian_10.0 ./ InRelease [2,461 B]
Fetched 8,823 B in 4s (2,149 B/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://eu.pkg.bunsenlabs.org/debian lithium InRelease: The following signatures were invalid: EXPKEYSIG A0673F72FE62D9C5 Jens John (BunsenLabs Repository Signing Key) <dev@2ion.de>
W: Failed to fetch http://pkg.bunsenlabs.org/debian/dists/ … /InRelease The following signatures were invalid: EXPKEYSIG A0673F72FE62D9C5 Jens John (BunsenLabs Repository Signing Key) <dev@2ion.de>
W: Some index files failed to download. They have been ignored, or old ones used instead.

please advise

johnraff · 2021-01-20 06:43:08

Did you follow this?

twoion wrote:

If you miss the update window till January 18, 2021, you can no longer receive the update using APT without intervention as APT will fail to verify our repository signatures using the expired key. In order to get the new key after the expiration date, download the following packages and install them manually:
Lithium: https://eu.pkg.bunsenlabs.org/debian/po … -1_all.deb
Helium: https://eu.pkg.bunsenlabs.org/debian/po … -1_all.deb
Hydrogen: https://eu.pkg.bunsenlabs.org/debian/po … -2_all.deb
Install the packages using the terminal by executing
sudo dpkg -i /path/to/the/package.deb
or by double-clicking on them using gdebi.

ovum · 2021-01-20 06:52:50

d'oh! Looks that was helpful in getting these commands to go through. You are such a wonderful person to help me!

DeepDayze · 2021-01-21 04:38:16

Another idea is to grab the key packages to keep handy if installing from old ISOs and unable to grab the new ones.

grubernd · 2021-01-28 13:40:26

DeepDayze wrote:

Another idea is to grab the key packages to keep handy if installing from old ISOs and unable to grab the new ones.

Which gives me an idea .. would it be possible to copy the new key onto a USB stick that has the installer image written to it?

I have a bunch of machines I will have to install and re-install a couple of times for testing purposes in the weeks to come, so this would be really handy.

(Currently on the road and can not poke around.)

DeepDayze · 2021-01-28 14:05:23

grubernd wrote:

DeepDayze wrote:
Another idea is to grab the key packages to keep handy if installing from old ISOs and unable to grab the new ones.
Which gives me an idea .. would it be possible to copy the new key onto a USB stick that has the installer image written to it?
I have a bunch of machines I will have to install and re-install a couple of times for testing purposes in the weeks to come, so this would be really handy.
(Currently on the road and can not poke around.)

I am sure you can put the keyring package(s) onto a USB drive then if necessary install the one appropriate to the release you are installing. Only install if apt complains about the key being expired or invalid.

rbh · 2021-01-28 14:55:11

DeepDayze wrote:

grubernd wrote:
DeepDayze wrote:
Another idea is to grab the key packages to keep handy if installing from old ISOs and unable to grab the new ones.
Which gives me an idea .. would it be possible to copy the new key onto a USB stick that has the installer image written to it?
I have a bunch of machines I will have to install and re-install a couple of times for testing purposes in the weeks to come, so this would be really handy.
(Currently on the road and can not poke around.)
I am sure you can put the keyring package(s) onto a USB drive then if necessary install the one appropriate to the release you are installing. Only install if apt complains about the key being expired or invalid.

Yes, you can copy the keyring to an usb. But it is more difficult to copy it to the usb with BL-iso on it.

Best is to take it from the net, if it is available. Else from removable media.

But, in a couple of months new BL version with new iso is ready

DeepDayze · 2021-01-28 17:05:35

You can plug the USB with the packages into another port (if running BL live session) and install the package needed from that USB.

However if the machine has connection to the internet yes it can then be downloaded directly and then installed right from the live session.

johnraff · 2021-01-29 02:23:48

grubernd wrote:

I have a bunch of machines I will have to install and re-install a couple of times for testing purposes in the weeks to come...

We're planning to release a refreshed Lithium iso very soon (probably within a week) with the new signing keys and some upgraded packages, so if you can wait a few days that would probably save you some work.

grubernd · 2021-01-29 08:29:47

johnraff wrote:

We're planning to release a refreshed Lithium iso very soon (probably within a week) with the new signing keys and some upgraded packages, so if you can wait a few days that would probably save you some work.

Sir, thank you very much for the heads up!

Did an install yesterday .. once you have the URL memorized it is not as bad as it seems.

smile

But either way, the new ISO will make live easier for everyone.

Very much appreciated.

1bvl1012 · Yesterday 12:50:45

I hope I'm at the right place here. Till recently bunsenlabs never did give me any problems.

I have

5@lenovo-b1:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	BunsenLabs
Description:	BunsenLabs GNU/Linux 9.9 (Helium)
Release:	9.9
Codename:	helium

So I did a

lenovo-b1:~$ sudo dpkg -i bunsen-keyring_2020.10.10+bl9-1_all.deb 
(Lese Datenbank ... 129332 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von bunsen-keyring_2020.10.10+bl9-1_all.deb ...
Entpacken von bunsen-keyring (2020.10.10+bl9-1) über (2020.10.10+bl9-1) ...
bunsen-keyring (2020.10.10+bl9-1) wird eingerichtet ...

However I still get (abbreviated)

@lenovo-b1:~$ sudo apt-get update 
...
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://eu.pkg.bunsenlabs.org/debian helium InRelease: Die folgenden Signaturen waren ungültig: EXPKEYSIG A0673F72FE62D9C5 Jens John (BunsenLabs Repository Signing Key) <dev@2ion.de>
W: Fehlschlag beim Holen von https://pkg.bunsenlabs.org/debian/dists/helium/InRelease  Die folgenden Signaturen waren ungültig: EXPKEYSIG A0673F72FE62D9C5 Jens John (BunsenLabs Repository Signing Key) <dev@2ion.de>
W: Einige Indexdateien konnten nicht heruntergeladen werden. Sie wurden ignoriert oder alte an ihrer Stelle benutzt.

Any ideas, what I should do would be appreciated.

dolly · Yesterday 15:03:47

Probably because the current BunsenLabs release is "Lithium". Helium is the previous, however you should consider to do an upgrade. The best thing to do in my opinion is to backup important data, and do a reinstall.

1bvl1012 · Yesterday 15:26:29

dolly wrote:

Probably because the current BunsenLabs release is "Lithium".

Thanks for your comment.

I was under the impression it should still work with Helium, as it is mentioned above.

In principle I'm pro update, but I'd like to first tray an upgrade of the existing system, as it is considerably tweaked to my special demands, so apart from my data I would have to install a lot of stuff and configure it. My data gets saved regularly anyway. Is it even possible to try an upgrade and how should I proceed?

#1 2020-11-21 16:48:53

PSA: bunsen-keyring package refreshes

#2 2020-11-21 22:45:32

Re: PSA: bunsen-keyring package refreshes

#3 2020-11-22 01:14:10

Re: PSA: bunsen-keyring package refreshes

#4 2020-11-23 11:17:07

Re: PSA: bunsen-keyring package refreshes

#5 2020-11-23 11:59:31

Re: PSA: bunsen-keyring package refreshes

#6 2020-11-23 14:00:40

Re: PSA: bunsen-keyring package refreshes

#7 2020-11-23 14:49:26

Re: PSA: bunsen-keyring package refreshes

#8 2020-11-23 15:39:15

Re: PSA: bunsen-keyring package refreshes

#9 2021-01-19 21:11:49

Re: PSA: bunsen-keyring package refreshes

#10 2021-01-19 21:42:31

Re: PSA: bunsen-keyring package refreshes

#11 2021-01-19 22:00:31

Re: PSA: bunsen-keyring package refreshes

#12 2021-01-20 01:22:19

Re: PSA: bunsen-keyring package refreshes

#13 2021-01-20 06:26:01

Re: PSA: bunsen-keyring package refreshes

#14 2021-01-20 06:43:08

Re: PSA: bunsen-keyring package refreshes

#15 2021-01-20 06:52:50

Re: PSA: bunsen-keyring package refreshes

#16 2021-01-21 04:38:16

Re: PSA: bunsen-keyring package refreshes

#17 2021-01-28 13:40:26

Re: PSA: bunsen-keyring package refreshes

#18 2021-01-28 14:05:23

Re: PSA: bunsen-keyring package refreshes

#19 2021-01-28 14:55:11

Re: PSA: bunsen-keyring package refreshes

#20 2021-01-28 17:05:35

Re: PSA: bunsen-keyring package refreshes

#21 2021-01-29 02:23:48

Re: PSA: bunsen-keyring package refreshes

#22 2021-01-29 08:29:47

Re: PSA: bunsen-keyring package refreshes

#23 Yesterday 12:50:45

Re: PSA: bunsen-keyring package refreshes

#24 Yesterday 15:03:47

Re: PSA: bunsen-keyring package refreshes

#25 Yesterday 15:26:29

Re: PSA: bunsen-keyring package refreshes

Board footer