
debian signing keyid E84AFDD2 has expired
Closed, Resolved · Public

Description

When running apt-get update:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://releases.wikimedia.org/debian jessie-mediawiki InRelease: The following signatures were invalid: KEYEXPIRED 1469117939  KEYEXPIRED 1469117939  KEYEXPIRED 1469117939
W: Failed to fetch https://releases.wikimedia.org/debian/dists/jessie-mediawiki/InRelease  The following signatures were invalid: KEYEXPIRED 1469117939  KEYEXPIRED 1469117939  KEYEXPIRED 1469117939

Our wiki says sudo apt-key advanced --keyserver pgp.mit.edu --recv-keys 664C383A3566A3481B942F007A322AC6E84AFDD2 which fetches keyid E84AFDD2 which hasn't been updated recently and expired July 21:

$ sudo apt-key advanced --list-sigs E84AFDD2
pub   2048R/E84AFDD2 2014-07-22 [expired: 2016-07-21]
uid                  MediaWiki releases repository <wikitech-l@lists.wikimedia.org>
 sig 3        E84AFDD2 2014-07-22  MediaWiki releases repository <wikitech-l@lists.wikimedia.org>

There have been complaints from users: https://www.mediawiki.org/w/index.php?title=Parsoid%2FSetup&type=revision&diff=2156342&oldid=2154514

Setting a key expiry time is good security practice. It just requires access to the private key to update. See https://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/

And then the updated key needs to be re-uploaded to pgp.mit.edu.

Event Timeline

cscott created this task. Jul 26 2016, 10:16 PM
Restricted Application added a subscriber: Aklapper. Jul 26 2016, 10:16 PM

Adding Filippo because it looks like he created it:

Date: Tue Jul 22 16:22:56 2014 +0000
From: git@palladium.eqiad.wmnet
Subject: [Ops] [puppet-private] (eb244a4) filippo: add releases debian repository keyring

initial key (could be changed before general availability)

pub   2048R/E84AFDD2 2014-07-22 [expires: 2016-07-21]
      Key fingerprint = 664C 383A 3566 A348 1B94  2F00 7A32 2AC6 E84A FDD2
uid                  MediaWiki releases repository <wikitech-l@lists.wikimedia.org>
sub   2048R/C91579E3 2014-07-22 [expires: 2016-07-21]


A       files/releases/secring.gpg

greg added a comment. Jul 26 2016, 10:54 PM

We should probably update https://wikitech.wikimedia.org/wiki/Releases.wikimedia.org (or add a new page and link to it from [[Releases.wikimedia.org]]) after we figure out who knows what/should do what when this happens again :)

Dzahn triaged this task as High priority. Jul 27 2016, 2:33 AM
Krinkle removed a subscriber: Krinkle. Jul 27 2016, 5:52 AM

sigh, thanks for letting us know! Looks like a good occasion to switch to 4k pgp key too, I'm going to generate a new one and post the details + instructions

Change 301346 had a related patch set uploaded (by Filippo Giunchedi):
releases: update public keyring

https://gerrit.wikimedia.org/r/301346

Change 301346 merged by Filippo Giunchedi:
releases: update public keyring

https://gerrit.wikimedia.org/r/301346

the new key is this:

pub   4096R/22250DD7 2016-07-27 [expires: 2019-06-12]
      Key fingerprint = A6FD 76E2 A61C 5566 D196  D2C0 90E9 F83F 2225 0DD7
uid                  MediaWiki releases repository <wikitech-l@lists.wikimedia.org>

I've also updated the instructions on wikitech/parsoid and added a reminder to ops calendar, do you know where else the key might need to be updated?

fgiunchedi closed this task as Resolved. Aug 1 2016, 2:18 PM
fgiunchedi claimed this task.

resolving, key updated on wikitech/mediawiki.org/etc
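
Added example, not part of this task or of Wikimedia's tooling: an expiry check over gpg's colon-format key listing, the kind of automated check that could back up the calendar reminder mentioned above. The key IDs, fingerprints and the 1469117939 expiry come from this page; the other timestamps, the AAAAAAAAAAAAAAAA key and the helper name check_key_expiry are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `gpg --with-colons --fixed-list-mode --list-keys` format.
# Field 5 = long key ID, field 6 = creation, field 7 = expiry (epoch seconds,
# empty means the key never expires). Key IDs, fingerprints and 1469117939 are
# from the page; every other timestamp and the AAAA... key are constructed.
SAMPLE_KEYRING='pub:e:2048:1:7A322AC6E84AFDD2:1406045939:1469117939::-:::sc:
fpr:::::::::664C383A3566A3481B942F007A322AC6E84AFDD2:
pub:-:4096:1:90E9F83F22250DD7:1469577600:1560297600::-:::sc:
fpr:::::::::A6FD76E2A61C5566D196D2C090E9F83F22250DD7:
pub:-:4096:1:AAAAAAAAAAAAAAAA:1469577600:::-:::sc:'

# check_key_expiry NOW_EPOCH WARN_DAYS  (hypothetical helper name)
# Reads colon records on stdin; prints "STATE SHORTID DAYS_LEFT" per pub/sub key.
check_key_expiry() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 != "pub" && $1 != "sub" { next }      # skip fpr/uid/sig records
        {
            id = substr($5, length($5) - 7)      # short ID, as apt-key prints it
            if ($7 == "") { print "OK", id, "never"; next }
            days = int(($7 - now) / 86400)       # whole days, negative if past
            if ($7 + 0 <= now + 0)  state = "EXPIRED"
            else if (days < warn)   state = "EXPIRING"
            else                    state = "OK"
            print state, id, days
        }'
}

# Evaluate the sample as of a constructed "now" on 2016-07-26, 60-day window.
printf '%s\n' "$SAMPLE_KEYRING" | check_key_expiry 1469570000 60
```

On a real host the input would come from `gpg --with-colons --fixed-list-mode --list-keys` run against the repository keyring, with `date +%s` as the first argument.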