Oopsy daisy, the mobian repo's gpg key has expired and nobody noticed. Well, until it was too late. If you get error messages about expired keys, you might want to add the new one manually:
curl -s https://repo.mobian.org/mobian.gpg.key | sudo tee /var/lib/extrepo/keys/mobian.asc
The above command might be working for you. We will think how to get new keys in a safe way onto your device in the future.
Seems to be the same for the new and old key; the expiry date was updated:
D569 936C 7E32 F193 CBAA EC48 393F 924A 855F B27D
Alternatives for people without the 'extrepo' package (from irc):
curl -s https://repo.mobian.org/mobian.gpg | sudo tee /etc/apt/trusted.gpg.d/mobian.gpg
OR as (@mobian tooted)
curl -s https://repo.mobian.org/mobian.gpg &&
sudo apt-key --keyring=mobian.gpg
You can use a command such as 'apt-key list' before and after getting the new key.
Fair point - I didn't directly pipe downloaded files myself.
@boud Indeed, in your post, it wasn't piped. But I've seen "curl … | …" so often that I don't agree with the "It's meant for technical people so they should know" argument. Just look at how many devs use "curl | bash" as a way to avoid writing a half-decent install, sign their packages, provide key fingerprints or go through the process to have their packages published and signed by distro maintainers. That's @FreePietje @mobian - 1/4
Users will follow advice from those who are supposed to know better => devs. So devs should not encourage users to do things the wrong way. Unfortunately, that's exactly what most devs are doing by writing shitty oneliner docs that don't include any kind of crypto @boud @FreePietje @mobian - 2/4
verification mechanism… Most third party packages aren't even cryptographically signed, and when they are, pub key fingerprints aren't often published. Doing things properly is an exception, rather than the rule.
However, my point applies to both "curl | something (bash, apt or whatever)" and "curl && do_stuff (add keys, install packages…)". The only acceptable oneliners (in some cases/when possible) are the ones with @boud @FreePietje @mobian - 3/4
I didn't realise that it was common for some groups of devs to output the result of 'curl' (or 'wget') directly to a file without checking. Using '&&' on its own is not a check on the file validity.
#Mobian aims to be as close to #Debian as possible, including Debian security practices - I interpret this particular case as a one-off hack. I'm sure your comments are seen as constructive feedback. :)
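The check this thread is asking for, as an added example (not from any of the posters or from Mobian): download the key to a temporary file, compare its primary-key fingerprint with the one quoted above, and copy it into place only on a match. The function names are made up for this sketch, and the comparison is only as trustworthy as the channel the expected fingerprint came from.

```shell
#!/bin/sh
# Added example: verify a downloaded apt key before trusting it.
# URL, destination and fingerprint are the ones quoted in the thread;
# the function names are hypothetical.
KEY_URL="https://repo.mobian.org/mobian.gpg"
KEY_DEST="/etc/apt/trusted.gpg.d/mobian.gpg"
EXPECTED_FPR="D569 936C 7E32 F193 CBAA EC48 393F 924A 855F B27D"

# Strip whitespace and upper-case, so "d569 936c" and "D569936C" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin. Succeed only if it describes
# exactly one primary key (a "pub" record followed by its "fpr" record) and
# that fingerprint equals $1. Subkey fingerprints are ignored; a file that
# carries extra primary keys is rejected.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    awk -F: -v want="$expected" '
        $1 == "pub" { primary = 1; next }
        $1 == "fpr" && primary { n++; got = $10; primary = 0 }
        END { exit !(n == 1 && toupper(got) == want) }'
}

# Download to a temp file, inspect it without importing it, and install it
# only after the fingerprint check has passed.
install_verified_key() {
    tmp=$(mktemp) || return 1
    if curl -fsS -o "$tmp" "$KEY_URL" &&
       gpg --batch --show-keys --with-colons "$tmp" | fpr_matches "$EXPECTED_FPR"
    then
        sudo install -m 0644 "$tmp" "$KEY_DEST"
        rc=$?
    else
        echo "download failed or fingerprint mismatch; nothing installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Nothing runs until `install_verified_key` is called; a failed download, an unparsable file and a wrong fingerprint all leave the apt keyring untouched.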