[FIX AVAILABLE] Temporary GPG release key issue

johnraff · 2025-07-17 23:33:04

The BunsenLabs package repository GPG signing key expired yesterday (7/17) and apt updates will show an error.
Unfortunately the need to update the certificate was overlooked, and due to scheduling issues it cannot be updated till next Monday (21st July JST).

Apologies to our users for this temporary inconvenience.

Last edited by johnraff (2025-07-23 00:48:21)

johnraff · 2025-07-21 12:04:52

OK, bunsen-archive-keyring has been upgraded, the BL repository has been re-signed and the extended keys have been uploaded to the BL website and the netinstall script.

Unfortunately users need to import the new key into their system.

wget https://ddl.bunsenlabs.org/ddl/bunsen-release.asc
sudo cp bunsen-release.asc /etc/apt/trusted.gpg.d
sudo apt update

You can check that the key you've installed has the correct fingerprint with:

john@boron:~$ gpg --show-keys --with-fingerprint /etc/apt/trusted.gpg.d/bunsen-release.asc
pub   rsa4096 2022-07-18 [SC] [expires: 2028-07-20]
      0F54 A732 2439 0760 EB5D  9A04 6979 6250 0AFF 9B75
uid                      BunsenLabs Release Key <bunsen-release@bunsenlabs.org>
sub   rsa4096 2022-07-18 [E] [expires: 2028-07-20]
sub   rsa4096 2022-07-18 [S] [expires: 2028-07-20]

The fingerprint should show as 0F54 A732 2439 0760 EB5D 9A04 6979 6250 0AFF 9B75
(and you can see that the expiry date is now 2028-07-20).

You should check the sha256 checksum too:

john@boron:~$ sha256sum /etc/apt/trusted.gpg.d/bunsen-release.asc
c040fce70b82148500eb9a7a3311b3f3c9645b47426a59111c5c679e05d79103  /etc/apt/trusted.gpg.d/bunsen-release.asc

If any of that is different, something is wrong!

NOTE: the previously posted method using apt's --allow-unauthenticated option will not work, unless you already have an up-to-date apt database, a Catch-22 situation!

Last edited by johnraff (2025-07-25 03:53:15)

WolfeN · 2025-07-21 23:16:49

Works great - thanks!

eightysixed · 2025-07-23 00:25:08

Oof. It's the 22nd.

Are all BL workstations going to require a manual fix? I thought I read somewhere the issue would resolve itself on the 21st.

Last edited by eightysixed (2025-07-23 00:25:53)

johnraff · 2025-07-23 00:43:44

^please read my post above.

Unfortunately users need to import the new key into their system.

eightysixed · 2025-07-23 04:16:29

Yeahp, and the fix does work! thanks

e: also completely missed there's a simple apt command. definitely going to pass that on. They were able to figure out the rpi GPG deprecation issue, this is identical

Last edited by eightysixed (2025-07-23 05:30:44)

citizen · 2025-07-23 12:50:26

Everything Fixed!!! Thanks!!!

WizardofCOR · 2025-07-24 05:43:14

Worked like a champ, Johnraff - much thanks!

JasonMehmel · 2025-07-24 23:19:35

Option 1 of the keyring update worked fine!

The thing was, I tried option 2 first.

sudo apt install --allow-unauthenticated bunsen-archive-keyring

came back with:

 Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
bunsen-archive-keyring is already the newest version (2023.01.14+bl12-1).
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

(There were some other programs ready for updating, hence the '2 not upgraded' note)

johnraff · 2025-07-25 02:32:31

JasonMehmel wrote:

I tried option 2 first.

sudo apt install --allow-unauthenticated bunsen-archive-keyring

came back with:

 Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
bunsen-archive-keyring is already the newest version (2023.01.14+bl12-1).
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

Thanks for catching that!
The apt database has to be updated first so it knows about the new version of bunsen-archive-keyring.
You have to do a 'sudo apt update' before then installing bunsen-archive-keyring (ignoring the error message).
I've updated the post above.
This is wrong. It's not possible to update the apt database without having an up-to-date key installed. I will delete option 2.

Last edited by johnraff (2025-07-25 03:49:46)

JasonMehmel · 2025-07-25 02:43:37

johnraff wrote:

Thanks for catching that!
The apt database has to be updated first so it knows about the new version of bunsen-archive-keyring.
You have to do a 'sudo apt update' before then installing bunsen-archive-keyring (ignoring the error message).
I've updated the post above.

I was thinking I needed to do that update, but wasn't sure about how to ignore the error message!

johnraff · 2025-07-25 03:58:01

^Unfortunately you can't ignore the error message!
See my edited posts above^

dude · 2025-08-04 15:59:21

Not sure how I could have failed to notice this until today but I am super thankful to have found the fix so easily. Your effort is much appreciated!

jimjamz · 2025-08-18 05:59:49

Would it be useful to re-add the key fingerprint back to the Bunsenlabs repository page for those who are manually checking? The fingerprint has not been displayed on that page since the release of Boron.

johnraff · 2025-08-18 08:51:00

^I forget right now why the manual instructions for the signing key and fingerprint check were dropped.
The website will need editing when carbon is released, so I'll put it on the todo list.

jimjamz · 2025-08-23 14:38:01

I noticed that the checksums for the new bunsen boron keyring on the Repositories page, don't match those of the actual key. Although the date is correct (21/07/2025), the checksums that can be copied to the clipboard are incorrect:
SHA1: 62f2ccac9fd60326c07a326b364e29d9f62d627e
SHA256: 0a1b165f2a868eb74cbf98e6b5f374bee8352fe1811629aaa1d25ec6ebd0b8bd

johnraff · 2025-08-26 07:01:24

^Thank you for catching that!
Yes, the checksum changed when the key's expiry date was extended, and the webpage needs fixing.

johnraff · 2025-08-26 08:09:07

It turned out to be a slightly trickier issue - the keyring package's name is now bunsen-archive-keyring, and bunsen-keyring is a dummy depending on bunsen-archive-keyring that will be dropped soon. Now the repo index reference goes to bunsen-archive-keyring and the checksums match.

OK now?

truelinux · 2025-09-03 20:04:21

Sept 3 2025 - Worked for me - thanks.

#1 2025-07-17 23:33:04

[FIX AVAILABLE] Temporary GPG release key issue

#2 2025-07-21 12:04:52

Re: [FIX AVAILABLE] Temporary GPG release key issue

#3 2025-07-21 23:16:49

Re: [FIX AVAILABLE] Temporary GPG release key issue

#4 2025-07-23 00:25:08

Re: [FIX AVAILABLE] Temporary GPG release key issue

#5 2025-07-23 00:43:44

Re: [FIX AVAILABLE] Temporary GPG release key issue

#6 2025-07-23 04:16:29

Re: [FIX AVAILABLE] Temporary GPG release key issue

#7 2025-07-23 12:50:26

Re: [FIX AVAILABLE] Temporary GPG release key issue

#8 2025-07-24 05:43:14

Re: [FIX AVAILABLE] Temporary GPG release key issue

#9 2025-07-24 23:19:35

Re: [FIX AVAILABLE] Temporary GPG release key issue

#10 2025-07-25 02:32:31

Re: [FIX AVAILABLE] Temporary GPG release key issue

#11 2025-07-25 02:43:37

Re: [FIX AVAILABLE] Temporary GPG release key issue

#12 2025-07-25 03:58:01

Re: [FIX AVAILABLE] Temporary GPG release key issue

#13 2025-08-04 15:59:21

Re: [FIX AVAILABLE] Temporary GPG release key issue

#14 2025-08-18 05:59:49

Re: [FIX AVAILABLE] Temporary GPG release key issue

#15 2025-08-18 08:51:00

Re: [FIX AVAILABLE] Temporary GPG release key issue

#16 2025-08-23 14:38:01

Re: [FIX AVAILABLE] Temporary GPG release key issue

#17 2025-08-26 07:01:24

Re: [FIX AVAILABLE] Temporary GPG release key issue

#18 2025-08-26 08:09:07

Re: [FIX AVAILABLE] Temporary GPG release key issue

#19 2025-09-03 20:04:21

Re: [FIX AVAILABLE] Temporary GPG release key issue

Board footer