Solved Invalid key for repo vivaldi stable

becm

@jumpsq independent of the signature scheme (Certify+Sign primary, Certify primary + Sign subkey) the same challenge is still shipping the new/updated key material in a non-breaking way.

Splitting Ceritfy and Sign keys would allow for a better key security model (access to Certify-PrivKey only needed for Sign-key replace/renewal). But not even Debian seems to apply this approach for core all repos.
Update: The automatic keyrings use the signature subkey, so they likely do apply the split-key approach there!

The repo signature is still checked without signed-by. But every (3rd party) key stored in /etc/apt/trusted.gpg.d is an accepted signer.

As long as APT package security is not tightened on directory access (repo/policy/key config) every packet install or cron script can run free (yay, Vivaldi ) so there is little benefit in using [signed-by= for security purposes. Bad actors have easier ways than dropping a rogue key and infiltrate Vivaldi infrastructure.

Ruarí

@becm said in Invalid key for repo vivaldi stable:

The filenames differ, so vivaldi-archive.list (…/archive/deb) stays untouched by package magic

Indeed, good point. So after first install it should work because a second copy of the repo would be setup and it would not have the signed-by part and work.

So I am back to being confused as to how this is failing for people. 🤔

Ruarí

Oh no wait I get it. Updates will work because of the post install configured copy of the repo. The Notices, Warnings and Errors are only on the manually setup one. So the bug is largely visual, AFAICT updates would not be prevented.

becm

@ruarí little bonus point, the [signed-by= also prevents the sources line REPOCONFIGREGEX match, so even with identical file names the content would not get modified under certain conditions.
But very likely a pristine version is written due to repo_add_once="true" in also newly created /etc/default/vivaldi.

Ruarí

Ok, the package signatures for both stable and snapshot should now match the repositories. Plus now all Linux users can check if they actually get updates.

https://vivaldi.com/blog/desktop/minor-update-seven-5-0/ (Version: 5.0.2497.51)
https://vivaldi.com/blog/desktop/reading-list-vivaldi-browser-snapshot-2566-3/ (Version: 5.1.2566.3)

slxls

@jumpsq Thanks a lot. Finally a working solution.

ambroz09

From today again
Error: https://repo.vivaldi.com/stable/deb stable Release.gpg
The following signatures were invalid: BADSIG FEB6023DC27AA466 Vivaldi Package Composer KEY07 [email protected]

DoctorG

@ambroz09 Which Vivaldi version had you before?
How had you installed Vivaldi before?
How had you added the repo?
With which program was the update started? By shell with apt?
Which Linux?

---

My vivaldi.list:

[email protected]:/etc/apt/sources.list.d$ cat vivaldi.list 
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64] https://repo.vivaldi.com/stable/deb/ stable main

---

vivaldi-stable 5.3.2679.70-1 → 5.5.2805.38-1 works nice for me on Debian 11.5, Ubuntu 22 LTS and Mint 21.

Please show list of Vivaldi's keys with apt-key list|grep vivaldi

$ apt-key list|grep vivaldi
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg.d/vivaldi-4218647E.gpg
uid        [ unbekannt ] Vivaldi Package Composer KEY08 <[email protected]>
/etc/apt/trusted.gpg.d/vivaldi-C27AA466.gpg
uid        [ unbekannt ] Vivaldi Package Composer KEY07 <[email protected]>

trumpeti100

@ambroz09 said in Invalid key for repo vivaldi stable:

From today again
Error: https://repo.vivaldi.com/stable/deb stable Release.gpg
The following signatures were invalid: BADSIG FEB6023DC27AA466 Vivaldi Package Composer KEY07 [email protected]

I have the same situation. Error when updating from yesterday.

@DoctorG said in Invalid key for repo vivaldi stable:

Please show list of Vivaldi's keys with apt-key list|grep vivaldi

My list of Vivaldi's keys with apt-key list|grep vivaldi:
$ apt-key list|grep vivaldi
Warning: apt-key output should not be parsed (stdout is not a terminal)
/etc/apt/trusted.gpg.d/vivaldi-4218647E.gpg
uid [unknown] Vivaldi Package Composer KEY08 [email protected]
/etc/apt/trusted.gpg.d/vivaldi-C27AA466.gpg
uid [unknown] Vivaldi Package Composer KEY07 [email protected]

My list with apt update:
The following signatures were invalid: BADSIG FEB6023DC27AA466 Vivaldi Package Composer KEY07 [email protected]

An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repo.vivaldi.com/stable/deb stable Release: The following signatures were invalid: BADSIG FEB6023DC27AA466 Vivaldi Package Composer KEY07 [email protected]

Failed to download https://repo.vivaldi.com/stable/deb/dists/stable/Release.gpg The following signatures were invalid: BADSIG FEB6023DC27AA466 Vivaldi Package Composer KEY07 [email protected]

DoctorG

@trumpeti100 Which Linux?

DoctorG

Can you try again?

sudo apt clean
sudo apt update
sudo apt install vivaldi-stable

trumpeti100

@DoctorG said in Invalid key for repo vivaldi stable:

Which Linux?

Zorin OS 16.1 Lite

But...
My situation corrected itself (I didn't apply anything).
Update process without errors!

Thank you!

DoctorG

@trumpeti100 One of Vivaldi server admins cleared cache of download servers. Seems it helped.

trumpeti100

@DoctorG said in Invalid key for repo vivaldi stable:

One of Vivaldi server admins cleared cache of download servers. Seems it helped.

Thank you again!
Vivaldi has been updated to the latest version!

ambroz09

@DoctorG I apologize for answering late. I'm running Ubuntu 22.04.1, Vivaldi installed before with gdebi -i [original_from_vivaldi_site].deb. Updated with apt.

As @trumpeti100 reports, I confirm that the issue has been resolved.

Thank you for your quick help, much obliged.

DoctorG

@ambroz09 Thanks for your positive feedback.

As i am a internal tester, i can always contact the team in case of such issue.

@trumpeti100 An other Thanks for your positive feedback.