APT key expiry blocking Yunohost upgrades — automated fix?


Yunohost version: 12.1.39
Debian: bookworm

From time to time my upgrades break with GPG signature errors from third-party repositories.

Specifically I’ve hit this with the Sury PHP repo and Yarn.

The root cause is that these repos distribute their signing keys as static files rather than as a managed -archive-keyring package.

When keys expire or rotate there’s no automated mechanism to update them, so apt rejects them, and then yunohost upgrade fails.

To fix this I have to curl the new keys:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/yarn.gpg
curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg

I am thinking of automating this (which has security issues).

Anyone else getting this frustration? Could we have a more permanent solution, maybe not use Sury?

For the time being there’s no automated fix (feel free to propose one!).

I feel like blindly downloading updated keys is a wrong approach - one has to understand if and why the key changed, and only then download a new key, preferably verifying against a trusted announcement if that’s the right key to use.

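As an added example for this thread (not Yunohost code, and not anything from the Sury or Yarn projects), here is a small Python script that covers the two points raised above: it lists which of the keys apt trusts are expired or about to expire, so the problem is noticed before `yunohost upgrade` fails, and it checks a freshly downloaded key against a fingerprint the admin has pinned from the repository's own announcement, instead of copying whatever the URL served into the keyring directory. It assumes GnuPG 2.2 or later (for `gpg --show-keys --with-colons`) and that apt reads keyrings from `/etc/apt/trusted.gpg.d` and `/usr/share/keyrings`; the colon-separated sample at the bottom is constructed, with made-up key ids and fingerprints, so the parsing and expiry logic can be exercised without touching a real system.

```python
#!/usr/bin/env python3
"""Flag apt signing keys that are expired or expiring, and pin-check new keys.

Added example for this forum thread, not part of Yunohost. Assumptions:
GnuPG >= 2.2 is installed (for `gpg --show-keys --with-colons`) and apt reads
keyrings from /etc/apt/trusted.gpg.d and /usr/share/keyrings.
"""
import subprocess
import time
from pathlib import Path

KEYRING_DIRS = ("/etc/apt/trusted.gpg.d", "/usr/share/keyrings")
SECONDS_PER_DAY = 86400


def parse_colon_output(text):
    """Parse `gpg --with-colons` output into one dict per primary key.

    Per GnuPG doc/DETAILS: field 1 is the record type; on `pub` records field 5
    is the key id and field 7 the expiry in seconds since the epoch (empty when
    the key never expires); on `fpr` and `uid` records field 10 carries the
    fingerprint / user id. The first `fpr` after a `pub` belongs to the primary
    key, later ones to its subkeys.
    """
    keys = []
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            expires = int(fields[6]) if fields[6] else None
            current = {"keyid": fields[4], "expires": expires, "fingerprint": None, "uid": None}
            keys.append(current)
        elif rtype == "fpr" and current is not None and current["fingerprint"] is None:
            current["fingerprint"] = fields[9]
        elif rtype == "uid" and current is not None and current["uid"] is None:
            current["uid"] = fields[9]
    return keys


def classify(key, now, warn_days=30):
    """Return 'expired', 'expiring' (within warn_days), 'ok' or 'no-expiry'."""
    if key["expires"] is None:
        return "no-expiry"
    days_left = (key["expires"] - now) / SECONDS_PER_DAY
    if days_left < 0:
        return "expired"
    if days_left < warn_days:
        return "expiring"
    return "ok"


def problems(keys, now, warn_days=30):
    """List (fingerprint, uid, status) for every expired or expiring key."""
    out = []
    for key in keys:
        status = classify(key, now, warn_days)
        if status in ("expired", "expiring"):
            out.append((key["fingerprint"], key["uid"], status))
    return out


def matches_pinned_fingerprint(keys, pinned):
    """True only if a primary key in `keys` has the fingerprint the admin pinned
    from the repository's announcement. Run this on a downloaded key *before*
    copying it into a keyring directory; spaces and case in `pinned` are ignored."""
    wanted = pinned.replace(" ", "").upper()
    return any(k["fingerprint"] and k["fingerprint"].upper() == wanted for k in keys)


def show_keys(path):
    """Run gpg on one keyring file (binary or ASCII-armoured) and parse it."""
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--with-colons", "--show-keys", str(path)],
        capture_output=True, text=True, check=True,
    )
    return parse_colon_output(result.stdout)


def scan_keyrings(dirs=KEYRING_DIRS, now=None):
    """Walk apt's keyring directories; return {file: [problem keys]}."""
    now = int(time.time()) if now is None else now
    report = {}
    for directory in dirs:
        for path in sorted(Path(directory).glob("*")):
            if path.suffix in (".gpg", ".asc"):
                report[str(path)] = problems(show_keys(path), now)
    return report


# Constructed sample: what `gpg --show-keys --with-colons` prints for a keyring
# holding three made-up keys (expired, never expiring, and expiring within 30 days).
FPR_EXPIRED = "0" * 24 + "0123456789ABCDEF"
FPR_SUBKEY = "0" * 24 + "FEDCBA9876543210"
FPR_NOEXPIRY = "1" * 40
FPR_SOON = "2" * 40
NOW = 1650000000  # fixed "current time" so the sample is reproducible
SAMPLE_COLON_OUTPUT = f"""\
pub:-:4096:1:0123456789ABCDEF:1500000000:1600000000::-:::scSC::::::23::0:
fpr:::::::::{FPR_EXPIRED}:
uid:-::::1500000000::{FPR_EXPIRED}::Old Repo Key <old@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1500000000:1600000000:::::s::::::23:
fpr:::::::::{FPR_SUBKEY}:
pub:-:4096:1:1111111111111111:1600000000:::-:::scSC::::::23::0:
fpr:::::::::{FPR_NOEXPIRY}:
uid:-::::1600000000::{FPR_NOEXPIRY}::Eternal Repo Key <eternal@example.invalid>::::::::::0:
pub:-:4096:1:2222222222222222:1640000000:1651000000::-:::scSC::::::23::0:
fpr:::::::::{FPR_SOON}:
uid:-::::1640000000::{FPR_SOON}::Rotating Repo Key <rotating@example.invalid>::::::::::0:
"""

if __name__ == "__main__":
    for path, issues in scan_keyrings().items():
        for fingerprint, uid, status in issues:
            print(f"{status:9} {path}  {fingerprint}  {uid}")
```

Run it from cron or a systemd timer and it will only report; the decision to fetch a new key stays with the admin, who can then pass the downloaded file through `show_keys` and `matches_pinned_fingerprint` with the fingerprint published by the repository before installing it.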

I found I had this issue with the Yarn key but only after looking for YNH updates via Cockpit. I managed to follow a fix (I tried three and the final one worked) on here but as an amateur was a bit lost until I saw others had the same problem. I really think that in the YNH spirit of simplicity and encouraging amateurs to self host that an automated fix is indeed warranted. Off topic, I now wonder if the Yarn issue was at the bottom of my being unable to update Nextcloud. Unfortunately it took me so long to roll that back to an earlier backup that I am too scared to attempt the update. Back on topic, I would love to propose an automated solution if only I had the experience and smarts to come up with one. :unamused_face: