Re: [gentoo-user] All Gentoo signing key expired and no way to fix it - gentoo-user

From:	gevisz <gevisz@×××××.com>
To:	gentoo-user@l.g.o
Subject:	Re: [gentoo-user] All Gentoo signing key expired and no way to fix it
Date:	Tue, 03 Jul 2018 10:41:17
Message-Id:	`CA+t6X7ecrFZhoLpppk2K5XOX94yLNS4KGMRVv3S11ocD4tYe2Q@mail.gmail.com`
In Reply to:	Re: [gentoo-user] All Gentoo signing key expired and no way to fix it by Mick

1

2018-07-03 11:10 GMT+03:00 Mick <michaelkintzios@×××××.com>:

2

> On Tuesday, 3 July 2018 08:48:02 BST gevisz wrote:

3

>> Just today I have tried emerge-webrsync and got

4

>> to the following endless circle:

5

>>

6

>> Fetching most recent snapshot ...

7

>> Trying to retrieve 20180702 snapshot from http://mirror.netcologne.de/gentoo

8

>> ... Fetching file portage-20180702.tar.xz.md5sum ...

9

>> Fetching file portage-20180702.tar.xz.gpgsig ...

10

>> Fetching file portage-20180702.tar.xz ...

11

>> Checking digest ...

12

>> Checking signature ...

13

>> gpg: Signature made Tue Jul  3 03:51:21 2018 EEST

14

>> gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250

15

>> gpg: Good signature from "Gentoo Portage Snapshot Signing Key

16

>> (Automated Signing Key)" [expired]

17

>> gpg: Note: This key has expired!

18

>> Primary key fingerprint: DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D

19

>>      Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F  DF1C EC59 0EEA C918 9250

20

>> Fetching file portage-20180702.tar.bz2.md5sum ...

21

>> Fetching file portage-20180702.tar.bz2.gpgsig ...

22

>> Fetching file portage-20180702.tar.bz2 ...

23

>> Checking digest ...

24

>> Checking signature ...

25

>> gpg: Signature made Tue Jul  3 03:51:20 2018 EEST

26

>> gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250

27

>> gpg: Good signature from "Gentoo Portage Snapshot Signing Key

28

>> (Automated Signing Key)" [expired]

29

>> gpg: Note: This key has expired!

30

>> Primary key fingerprint: DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D

31

>>      Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F  DF1C EC59 0EEA C918 9250

32

>> Fetching file portage-20180702.tar.gz.md5sum ...

33

>>

34

>> The following command showed that all Gentoo signing keys in my system

35

>> expired:

36

>>

37

>> # gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release

38

>> --with-fingerprint --list-keys

39

>> /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg

40

>> ---------------------------------------------------------

41

>> pub   rsa4096 2014-10-03 [C] [expired: 2017-09-17]

42

>>       D2DE 1DBB A0F4 3EBA 341B  97D8 8255 33CB F6CD 6C97

43

>> uid           [ expired] Gentoo-keys Team <gkeys@g.o>

44

>>

45

>> pub   dsa1024 2004-07-20 [SC] [expired: 2018-07-01]

46

>>       D99E AC73 79A8 50BC E47D  A5F2 9E64 38C8 1707 2058

47

>> uid           [ expired] Gentoo Linux Release Engineering (Gentoo

48

>> Linux Release Signing Key) <releng@g.o>

49

>>

50

>> pub   rsa4096 2011-11-25 [C] [expired: 2018-07-01]

51

>>       DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D

52

>> uid           [ expired] Gentoo Portage Snapshot Signing Key

53

>> (Automated Signing Key)

54

>>

55

>> pub   rsa4096 2009-08-25 [SC] [expired: 2017-08-25]

56

>>       13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910

57

>> uid           [ expired] Gentoo Linux Release Engineering (Automated

58

>> Weekly Release Key) <releng@g.o>

59

>>

60

>>

61

>> Trying to renew them manually with the following commands does not help:

62

>>

63

>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys

64

>> 0x825533CBF6CD6C97 gpg: key 825533CBF6CD6C97: 2 signatures not checked due

65

>> to missing keys gpg: key 825533CBF6CD6C97: public key "Gentoo-keys Team

66

>> <gkeys@g.o>" imported

67

>> gpg: no ultimately trusted keys found

68

>> gpg: Total number processed: 1

69

>> gpg:               imported: 1

70

>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys

71

>> 0xDB6B8C1F96D8BF6D gpg: key DB6B8C1F96D8BF6D: 14 signatures not checked due

72

>> to missing keys gpg: key DB6B8C1F96D8BF6D: public key "Gentoo Portage

73

>> Snapshot Signing Key (Automated Signing Key)" imported

74

>> gpg: no ultimately trusted keys found

75

>> gpg: Total number processed: 1

76

>> gpg:               imported: 1

77

>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys

78

>> 0x9E6438C817072058 gpg: key 9E6438C817072058: 83 signatures not checked due

79

>> to missing keys gpg: key 9E6438C817072058: public key "Gentoo Linux Release

80

>> Engineering (Gentoo Linux Release Signing Key) <releng@g.o>"

81

>> imported

82

>> gpg: no ultimately trusted keys found

83

>> gpg: Total number processed: 1

84

>> gpg:               imported: 1

85

>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys

86

>> 0xBB572E0E2D182910 gpg: key BB572E0E2D182910: 10 signatures not checked due

87

>> to missing keys gpg: key BB572E0E2D182910: 1 bad signature

88

>> gpg: key BB572E0E2D182910: public key "Gentoo Linux Release

89

>> Engineering (Automated Weekly Release Key) <releng@g.o>"

90

>> imported

91

>> gpg: no ultimately trusted keys found

92

>> gpg: Total number processed: 1

93

>> gpg:               imported: 1

94

>>

95

>> Here

96

>> https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Fetching_files

97

>> has been said the following:

98

>>

99

>> If any of the keys installed from app-crypt/gentoo-keys should expire,

100

>> run gkeys from app-crypt/gkeys to refresh them from the key server:

101

>> root #emerge --ask app-crypt/gkeys

102

>> root #gkeys refresh-key -C gentoo

103

>>

104

>> but gkeys are not stable in my architeture as it follows from the following:

105

>>

106

>> $ eix gkeys

107

>> * app-crypt/gkeys

108

>>      Available versions:  ~0.2 **9999 {PYTHON_TARGETS="python2_7

109

>> python3_4 python3_5 python3_6"}

110

>>      Homepage:            https://wiki.gentoo.org/wiki/Project:Gentoo-keys

111

>>      Description:         An OpenPGP/GPG key management tool and python libs

112

>>

113

>> * app-crypt/gkeys-gen

114

>>      Available versions:  ~0.2 **9999 {PYTHON_TARGETS="python2_7

115

>> python3_4 python3_5 python3_6"}

116

>>      Homepage:            https://wiki.gentoo.org/wiki/Project:Gentoo-keys

117

>>      Description:         Tool for generating OpenPGP/GPG keys using a

118

>> specifications file

119

>

120

> This package update came up yesterday:

121

>

122

> app-crypt/openpgp-keys-gentoo-release-20180702

123

>

124

125

Too late: Gentoo signing keys expired on 1 July 2018.

126

So, no way to update portage tree on 2 July 2018. :(

Gentoo Archives: gentoo-user

Replies

1	2018-07-03 11:10 GMT+03:00 Mick <michaelkintzios@×××××.com>:
2	> On Tuesday, 3 July 2018 08:48:02 BST gevisz wrote:
3	>> Just today I have tried emerge-webrsync and got
4	>> to the following endless circle:
5	>>
6	>> Fetching most recent snapshot ...
7	>> Trying to retrieve 20180702 snapshot from http://mirror.netcologne.de/gentoo
8	>> ... Fetching file portage-20180702.tar.xz.md5sum ...
9	>> Fetching file portage-20180702.tar.xz.gpgsig ...
10	>> Fetching file portage-20180702.tar.xz ...
11	>> Checking digest ...
12	>> Checking signature ...
13	>> gpg: Signature made Tue Jul 3 03:51:21 2018 EEST
14	>> gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
15	>> gpg: Good signature from "Gentoo Portage Snapshot Signing Key
16	>> (Automated Signing Key)" [expired]
17	>> gpg: Note: This key has expired!
18	>> Primary key fingerprint: DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
19	>> Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F DF1C EC59 0EEA C918 9250
20	>> Fetching file portage-20180702.tar.bz2.md5sum ...
21	>> Fetching file portage-20180702.tar.bz2.gpgsig ...
22	>> Fetching file portage-20180702.tar.bz2 ...
23	>> Checking digest ...
24	>> Checking signature ...
25	>> gpg: Signature made Tue Jul 3 03:51:20 2018 EEST
26	>> gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
27	>> gpg: Good signature from "Gentoo Portage Snapshot Signing Key
28	>> (Automated Signing Key)" [expired]
29	>> gpg: Note: This key has expired!
30	>> Primary key fingerprint: DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
31	>> Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F DF1C EC59 0EEA C918 9250
32	>> Fetching file portage-20180702.tar.gz.md5sum ...
33	>>
34	>> The following command showed that all Gentoo signing keys in my system
35	>> expired:
36	>>
37	>> # gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release
38	>> --with-fingerprint --list-keys
39	>> /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
40	>> ---------------------------------------------------------
41	>> pub rsa4096 2014-10-03 [C] [expired: 2017-09-17]
42	>> D2DE 1DBB A0F4 3EBA 341B 97D8 8255 33CB F6CD 6C97
43	>> uid [ expired] Gentoo-keys Team <gkeys@g.o>
44	>>
45	>> pub dsa1024 2004-07-20 [SC] [expired: 2018-07-01]
46	>> D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058
47	>> uid [ expired] Gentoo Linux Release Engineering (Gentoo
48	>> Linux Release Signing Key) <releng@g.o>
49	>>
50	>> pub rsa4096 2011-11-25 [C] [expired: 2018-07-01]
51	>> DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
52	>> uid [ expired] Gentoo Portage Snapshot Signing Key
53	>> (Automated Signing Key)
54	>>
55	>> pub rsa4096 2009-08-25 [SC] [expired: 2017-08-25]
56	>> 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
57	>> uid [ expired] Gentoo Linux Release Engineering (Automated
58	>> Weekly Release Key) <releng@g.o>
59	>>
60	>>
61	>> Trying to renew them manually with the following commands does not help:
62	>>
63	>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys
64	>> 0x825533CBF6CD6C97 gpg: key 825533CBF6CD6C97: 2 signatures not checked due
65	>> to missing keys gpg: key 825533CBF6CD6C97: public key "Gentoo-keys Team
66	>> <gkeys@g.o>" imported
67	>> gpg: no ultimately trusted keys found
68	>> gpg: Total number processed: 1
69	>> gpg: imported: 1
70	>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys
71	>> 0xDB6B8C1F96D8BF6D gpg: key DB6B8C1F96D8BF6D: 14 signatures not checked due
72	>> to missing keys gpg: key DB6B8C1F96D8BF6D: public key "Gentoo Portage
73	>> Snapshot Signing Key (Automated Signing Key)" imported
74	>> gpg: no ultimately trusted keys found
75	>> gpg: Total number processed: 1
76	>> gpg: imported: 1
77	>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys
78	>> 0x9E6438C817072058 gpg: key 9E6438C817072058: 83 signatures not checked due
79	>> to missing keys gpg: key 9E6438C817072058: public key "Gentoo Linux Release
80	>> Engineering (Gentoo Linux Release Signing Key) <releng@g.o>"
81	>> imported
82	>> gpg: no ultimately trusted keys found
83	>> gpg: Total number processed: 1
84	>> gpg: imported: 1
85	>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys
86	>> 0xBB572E0E2D182910 gpg: key BB572E0E2D182910: 10 signatures not checked due
87	>> to missing keys gpg: key BB572E0E2D182910: 1 bad signature
88	>> gpg: key BB572E0E2D182910: public key "Gentoo Linux Release
89	>> Engineering (Automated Weekly Release Key) <releng@g.o>"
90	>> imported
91	>> gpg: no ultimately trusted keys found
92	>> gpg: Total number processed: 1
93	>> gpg: imported: 1
94	>>
95	>> Here
96	>> https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Fetching_files
97	>> has been said the following:
98	>>
99	>> If any of the keys installed from app-crypt/gentoo-keys should expire,
100	>> run gkeys from app-crypt/gkeys to refresh them from the key server:
101	>> root #emerge --ask app-crypt/gkeys
102	>> root #gkeys refresh-key -C gentoo
103	>>
104	>> but gkeys are not stable in my architeture as it follows from the following:
105	>>
106	>> $ eix gkeys
107	>> * app-crypt/gkeys
108	>> Available versions: ~0.2 **9999 {PYTHON_TARGETS="python2_7
109	>> python3_4 python3_5 python3_6"}
110	>> Homepage: https://wiki.gentoo.org/wiki/Project:Gentoo-keys
111	>> Description: An OpenPGP/GPG key management tool and python libs
112	>>
113	>> * app-crypt/gkeys-gen
114	>> Available versions: ~0.2 **9999 {PYTHON_TARGETS="python2_7
115	>> python3_4 python3_5 python3_6"}
116	>> Homepage: https://wiki.gentoo.org/wiki/Project:Gentoo-keys
117	>> Description: Tool for generating OpenPGP/GPG keys using a
118	>> specifications file
119	>
120	> This package update came up yesterday:
121	>
122	> app-crypt/openpgp-keys-gentoo-release-20180702
123	>
124
125	Too late: Gentoo signing keys expired on 1 July 2018.
126	So, no way to update portage tree on 2 July 2018. :(