Solved Invalid key for repo vivaldi stable
-
@jumpsq independent of the signature scheme (Certify+Sign primary, Certify primary + Sign subkey) the same challenge is still shipping the new/updated key material in a non-breaking way.
Splitting Certify and Sign keys would allow for a better key security model (access to Certify-PrivKey only needed for Sign-key replace/renewal). But not even Debian seems to apply this approach for
coreall repos.
Update: The automatic keyrings use the signature subkey, so they likely do apply the split-key approach there!
The repo signature is still checked without signed-by. But every (3rd party) key stored in /etc/apt/trusted.gpg.d is an accepted signer.
As long as APT package security is not tightened on directory access (repo/policy/key config) every packet install or cron script can run free (yay, Vivaldi) so there is little benefit in using [signed-by= for security purposes. Bad actors have easier ways than dropping a rogue key and infiltrate Vivaldi infrastructure.
-
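Added example, not part of any forum post and not Vivaldi's or APT's own code: the trust distinction described in the post above, as a POSIX shell check that reports which one-line-style APT source entries pin a keyring with signed-by and which are verified against every key in /etc/apt/trusted.gpg.d. The sample input is constructed; repo.example.org, disabled.example.org and the example-archive.gpg path are placeholders, and deb822 .sources files are not handled.

```shell
#!/bin/sh
# Added example: classify one-line-style APT source entries read from stdin.
# "unpinned": no signed-by, so any key in /etc/apt/trusted.gpg.d may sign it.
# "pinned":   signed-by restricts the entry to the named keyring.
audit_sources() {
    set -f                                   # no filename globbing while splitting
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # drop comments
        set -- $line
        case ${1:-} in deb|deb-src) ;; *) continue ;; esac
        shift
        opts=
        case ${1:-} in
            \[*)                             # option block: [key=value ...]
                rest=${line#*\[}
                opts=${rest%%\]*}
                rest=${rest#*\]}
                set -- $rest
                ;;
        esac
        uri=${1:-}
        keyring=
        for opt in $opts; do
            case $opt in signed-by=*) keyring=${opt#signed-by=} ;; esac
        done
        if [ -n "$keyring" ]; then
            printf 'pinned %s %s\n' "$uri" "$keyring"
        else
            printf 'unpinned %s\n' "$uri"
        fi
    done
    set +f
}

# Constructed sample: the vivaldi.list entry quoted in this thread, plus a
# hypothetical entry pinned to a placeholder keyring path.
sample_sources() {
    cat <<'EOF'
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# deb http://disabled.example.org/deb/ stable main
deb [arch=amd64] https://repo.vivaldi.com/stable/deb/ stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive.gpg] https://repo.example.org/deb/ stable main
EOF
}

sample_sources | audit_sources
```

To check a real system, feed it the configured files instead of the sample: cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | audit_sources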
@becm said in Invalid key for repo vivaldi stable:
The filenames differ, so vivaldi-archive.list (…/archive/deb) stays untouched by package magic
Indeed, good point. So after first install it should work because a second copy of the repo would be set up and it would not have the signed-by part and work.
So I am back to being confused as to how this is failing for people. 🤔
-
Oh no wait I get it. Updates will work because of the post install configured copy of the repo. The Notices, Warnings and Errors are only on the manually setup one. So the bug is largely visual, AFAICT updates would not be prevented.
-
@ruarí little bonus point, the [signed-by= also prevents the sources line REPOCONFIGREGEX match, so even with identical file names the content would not get modified under certain conditions.
But very likely a pristine version is written due to repo_add_once="true" in also newly created /etc/default/vivaldi.
-
Ok, the package signatures for both stable and snapshot should now match the repositories. Plus now all Linux users can check if they actually get updates.
https://vivaldi.com/blog/desktop/minor-update-seven-5-0/ (Version: 5.0.2497.51)
https://vivaldi.com/blog/desktop/reading-list-vivaldi-browser-snapshot-2566-3/ (Version: 5.1.2566.3)
-
@jumpsq Thanks a lot. Finally a working solution.
-
From today again
Error: https://repo.vivaldi.com/stable/deb stable Release.gpg
The following signatures were invalid: BADSIG FEB6023DC27AA466 Vivaldi Package Composer KEY07 [email protected]
-
@ambroz09 Which Vivaldi version had you before?
How had you installed Vivaldi before?
How had you added the repo?
With which program was the update started? By shell with apt?
Which Linux?
My vivaldi.list:
[email protected]:/etc/apt/sources.list.d$ cat vivaldi.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64] https://repo.vivaldi.com/stable/deb/ stable main
vivaldi-stable 5.3.2679.70-1 → 5.5.2805.38-1 works nice for me on Debian 11.5, Ubuntu 22 LTS and Mint 21.
Please show list of Vivaldi's keys with apt-key list|grep vivaldi
$ apt-key list|grep vivaldi
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg.d/vivaldi-4218647E.gpg
uid [ unbekannt ] Vivaldi Package Composer KEY08 <[email protected]>
/etc/apt/trusted.gpg.d/vivaldi-C27AA466.gpg
uid [ unbekannt ] Vivaldi Package Composer KEY07 <[email protected]>
-
@ambroz09 said in Invalid key for repo vivaldi stable:
From today again
Error: https://repo.vivaldi.com/stable/deb stable Release.gpg
The following signatures were invalid: BADSIG FEB6023DC27AA466 Vivaldi Package Composer KEY07 [email protected]
I have the same situation. Error when updating from yesterday.
@DoctorG said in Invalid key for repo vivaldi stable:
Please show list of Vivaldi's keys with apt-key list|grep vivaldi
My list of Vivaldi's keys with apt-key list|grep vivaldi:
$ apt-key list|grep vivaldi
Warning: apt-key output should not be parsed (stdout is not a terminal)
/etc/apt/trusted.gpg.d/vivaldi-4218647E.gpg
uid [unknown] Vivaldi Package Composer KEY08 [email protected]
/etc/apt/trusted.gpg.d/vivaldi-C27AA466.gpg
uid [unknown] Vivaldi Package Composer KEY07 [email protected]
My list with apt update:
The following signatures were invalid: BADSIG FEB6023DC27AA466 Vivaldi Package Composer KEY07 [email protected]
An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repo.vivaldi.com/stable/deb stable Release: The following signatures were invalid: BADSIG FEB6023DC27AA466 Vivaldi Package Composer KEY07 [email protected]
Failed to download https://repo.vivaldi.com/stable/deb/dists/stable/Release.gpg The following signatures were invalid: BADSIG FEB6023DC27AA466 Vivaldi Package Composer KEY07 [email protected]
-
@trumpeti100 Which Linux?
-
Can you try again?
sudo apt clean
sudo apt update
sudo apt install vivaldi-stable
-
@DoctorG said in Invalid key for repo vivaldi stable:
Which Linux?
Zorin OS 16.1 Lite
But...
My situation corrected itself (I didn't apply anything).
Update process without errors!
Thank you!
-
@trumpeti100 One of Vivaldi server admins cleared cache of download servers. Seems it helped.
-
@DoctorG said in Invalid key for repo vivaldi stable:
One of Vivaldi server admins cleared cache of download servers. Seems it helped.
Thank you again!
Vivaldi has been updated to the latest version!
-
@DoctorG I apologize for answering late. I'm running Ubuntu 22.04.1, Vivaldi installed before with gdebi -i [original_from_vivaldi_site].deb. Updated with apt.
As @trumpeti100 reports, I confirm that the issue has been resolved.
Thank you for your quick help, much obliged.
-
@ambroz09 Thanks for your positive feedback.
As I am an internal tester, I can always contact the team in case of such an issue.
@trumpeti100 Another thanks for your positive feedback.