
signatures were invalid: EXPKEYSIG 90E9F83F22250DD7 MediaWiki releases repository <wikitech-l@lists.wikimedia.org>
Closed, ResolvedPublic

Description

Hi,
looks like the actual signing key expired today:
(1) MediaWiki releases repository <wikitech-l@lists.wikimedia.org>

	  4096 bit RSA key 90E9F83F22250DD7, created: 2016-07-27, expires: 2019-06-12 (expired)

Event Timeline

Restricted Application added a subscriber: Aklapper. Jun 12 2019, 9:58 AM

Hi @Tkshamburg, thanks for taking the time to report this and welcome to Wikimedia Phabricator!

Where to find that key, and where to find the "MediaWiki releases repository"? URL welcome. :)

Hi @Aklapper, thanks for instant reply!

The problem occurred today while doing "apt update" on my Ubuntu 18.04.2:

Err:11 https://releases.wikimedia.org/debian jessie-mediawiki InRelease
  The following signatures were invalid: EXPKEYSIG 90E9F83F22250DD7 MediaWiki releases repository <wikitech-l@lists.wikimedia.org>
Fetched 163 kB in 2s (100 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://releases.wikimedia.org/debian jessie-mediawiki InRelease: The following signatures were invalid: EXPKEYSIG 90E9F83F22250DD7 MediaWiki releases repository <wikitech-l@lists.wikimedia.org>
W: Failed to fetch https://releases.wikimedia.org/debian/dists/jessie-mediawiki/InRelease  The following signatures were invalid: EXPKEYSIG 90E9F83F22250DD7 MediaWiki releases repository <wikitech-l@lists.wikimedia.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.

And a gpg --search-keys "MediaWiki releases" shows me:

gpg: data source: https://51.38.91.189:443
(1)	MediaWiki releases repository <wikitech-l@lists.wikimedia.org>
	  4096 bit RSA key 90E9F83F22250DD7, created: 2016-07-27, expires: 2019-06-12 (expired)
(2)	MediaWiki releases repository <wikitech-l@lists.wikimedia.org>
	  2048 bit RSA key 7A322AC6E84AFDD2, created: 2014-07-22, expires: 2016-07-21 (expired)

Hope this helps :-)
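The failure above is an expiry that nobody noticed until apt started rejecting the InRelease signature. As an added example (not part of this task or of Wikimedia's tooling), the POSIX shell check below reads the machine-readable key listing from `gpg --with-colons --list-keys` (assumed GnuPG 2.x, where field 7 is the expiry as a Unix epoch) and reports signing keys that are already expired or expire within a given number of days; the sample listing is constructed, reusing the key ids mentioned in this task with made-up epochs.

```shell
#!/bin/sh
# Added example: flag repository signing keys that are expired or about to
# expire, so an EXPKEYSIG failure is caught before clients see it.
# Input: the colon-separated listing from  gpg --with-colons --list-keys
# (field 5 = key id, field 7 = expiry epoch; empty when the key never expires).
# Usage: gpg --with-colons --list-keys | expiring_keys DAYS [NOW_EPOCH]

# Print one line per affected key:  KEYID STATUS EXPIRY_EPOCH
expiring_keys() {
    days=$1
    now=${2:-$(date +%s)}          # NOW_EPOCH override makes the check testable
    awk -F: -v now="$now" -v window=$((days * 86400)) '
        $1 == "pub" {
            keyid = $5; expiry = $7
            if (expiry == "") next                          # no expiry set
            if (expiry + 0 <= now + 0)                status = "EXPIRED"
            else if (expiry - now <= window + 0)      status = "EXPIRING"
            else next
            print keyid, status, expiry
        }'
}

# Constructed sample listing (key ids from the task, epochs made up):
#   90E9F83F22250DD7 expired 2019-06-12, AF380A3036A03444 is the replacement,
#   0000000000000001 is a placeholder key that expires two weeks later.
SAMPLE='tru::1:1560000000:0:3:1:5
pub:e:4096:1:90E9F83F22250DD7:1469577600:1560297600::-:::sc::::::23::0:
uid:e::::1469577600::0000000000000000000000000000000000000000::MediaWiki releases repository <wikitech-l@lists.wikimedia.org>::::::::::0:
pub:-:2048:1:AF380A3036A03444:1560384000:1871078400::-:::scESC::::::23::0:
uid:-::::1560384000::0000000000000000000000000000000000000000::MediaWiki releases repository <wikitech-l@lists.wikimedia.org>::::::::::0:
pub:-:4096:1:0000000000000001:1500000000:1561500000::-:::sc::::::23::0:
uid:-::::1500000000::0000000000000000000000000000000000000000::placeholder signing key (constructed)::::::::::0:'

# Run the check over the constructed listing: DAYS and NOW_EPOCH as arguments.
check_sample() {
    printf '%s\n' "$SAMPLE" | expiring_keys "$1" "$2"
}

# Demo: evaluated as of 2019-06-13 with a 30-day warning window.
check_sample 30 1560300000
```

Piping a real keyring listing through `expiring_keys 30` from a cron job or monitoring check gives a warning weeks before the key breaks `apt update`.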

Added projects as done in T141400

https://wikitech.wikimedia.org/wiki/Releases.wikimedia.org#GPG_operations has the instructions to regenerate the key. Based on what happened last time the key expired, I believe someone from the Operations team will need to take care of that.

And tagging Parsoid since they're the only ones that use the repository.

ArielGlenn triaged this task as High priority. Jun 13 2019, 7:21 AM
fgiunchedi added a subscriber: fgiunchedi.

I'll be looking into renewing this key

Change 516752 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] releases: update expired gpg key

https://gerrit.wikimedia.org/r/516752

Change 516752 merged by Filippo Giunchedi:
[operations/puppet@production] releases: update expired gpg key

https://gerrit.wikimedia.org/r/516752

Ok this should be done now, the new key is published on the key servers and the releases repo has been signed with the new key:

pub   2048R/36A03444 2019-06-13 [expires: 2029-04-23]
      Key fingerprint = 3B49 0828 8358 8699 E29B  866B AF38 0A30 36A0 3444
uid                  MediaWiki releases repository <wikitech-l@lists.wikimedia.org>

Instructions at https://wikitech.wikimedia.org/wiki/Releases.wikimedia.org updated with the new key id, namely sudo apt-key advanced --keyserver keys.gnupg.net --recv-keys AF380A3036A03444. @Tkshamburg could you try again with the new key?

Once confirmed all works as expected I'll mail wikitech-l@ as well

Hi @fgiunchedi,

thanks for creating the new key (now 10 years validity), but actually the repository was not updated:

https://releases.wikimedia.org/debian/dists/jessie-mediawiki/Release.gpg --> Release.gpg 2018-12-05 23:25 833

Maybe I have to wait for synchronization of the new file and will test it again in a few hours.

You are quite right, the old file was still in our frontend caching infra. I've purged the file now:

$ wget https://releases.wikimedia.org/debian/dists/jessie-mediawiki/Release
$ wget https://releases.wikimedia.org/debian/dists/jessie-mediawiki/Release.gpg
$ gpg --verify Release.gpg Release
gpg: Signature made Thu 13 Jun 2019 11:40:21 AM CEST
gpg:                using RSA key 3B49082883588699E29B866BAF380A3036A03444
gpg: Good signature from "MediaWiki releases repository <wikitech-l@lists.wikimedia.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B49 0828 8358 8699 E29B  866B AF38 0A30 36A0 3444

Everything is fine now; "apt update" shows no errors.

Thanks for fixing!

fgiunchedi closed this task as Resolved. Jun 13 2019, 1:18 PM

No problem @Tkshamburg! Thanks for your report.