Package: complete x2go repo version: none
sudo apt update The following signatures could not be verified because their public key is not available: NO_PUBKEY E1F958385BFE2B6E W: GPG error: http://packages.x2go.org/debian buster InRelease: The following signatures could not be verified because their public key is not available: NO_PUBKEY E1F958385BFE2B6E E: The depot "http://packages.x2go.org/debian buster InRelease" is not signed. N: An update from such a repository cannot be done in a secure way, so it is disabled by default. N: See the apt-secure(8) manual page for more details on package vault creation and user configuration.
sudo apt-key adv --recv-keys --keyserver keys.gnupg.net E1F958385BFE2B6E Executing: /tmp/apt-key-gpghome.4WhtJFIi3f/gpg.1.sh --recv-keys --keyserver keys.gnupg.net E1F958385BFE2B6E gpg: Received from key server failed: The waiting time for the connection has expired.
x2go-keyring package is not available for debian buster => would solve this issue!
Control: reassign -1 packages.x2go.org
N: An update from such a repository cannot be done in a secure way, so it is disabled by default.
The x2go-keyring package is available for Debian buster, includes the required key file and should work just fine.
However, newer apt versions will disallow downloading from an untrusted repository.
In order to actually install the keyring package, try running something like: sudo apt-get --allow-unauthenticated install x2go-keyring
Afterwards, sudo apt update should not return an error again. Do not use the --allow-unauthenticated flag without understanding its implications.
sudo apt-key adv --recv-keys --keyserver keys.gnupg.net E1F958385BFE2B6E Executing: /tmp/apt-key-gpghome.4WhtJFIi3f/gpg.1.sh --recv-keys --keyserver keys.gnupg.net E1F958385BFE2B6E gpg: Received from key server failed: The waiting time for the connection has expired.
The public key is also available on keyservers. Most keyservers are still stoned, however, from the attacks that have been carried out a few months ago and a year ago. For more information, and why this problem is unlike to be fixed in the first place, refer to https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f for instance. I cannot fix public keyservers for you.
Like the message said: there was a timeout while fetching the key. It did not say that such a key does not exist.
Mihai
Control: reassign wiki.x2go.org Control: retitle -1 Update GPG key bootstrapping instructions for Debian Control: close -1
- On 8/24/19 7:06 PM, Mihai Moldovan wrote:
Control: reassign -1 packages.x2go.org
N: An update from such a repository cannot be done in a secure way, so it is disabled by default.
The x2go-keyring package is available for Debian buster, includes the required key file and should work just fine.
However, newer apt versions will disallow downloading from an untrusted repository.
In order to actually install the keyring package, try running something like: sudo apt-get --allow-unauthenticated install x2go-keyring
Afterwards, sudo apt update should not return an error again. Do not use the --allow-unauthenticated flag without understanding its implications.
That wasn't correct - at least not completely. --allow-unauthenticated should work for package installations, but not for downloading repository metadata.
To allow apt to work with unauthenticated repository metadata, users would need to use something like: apt-get update --allow-insecure-repositories
This said: this is totally risky, now and later. Installing packages from an unauthenticated repository doesn't give apt any chance to check the origin. A successful Man-in-the-Middle attack is very likely in such a scenario. Worse, even after the initial bootstrap, all subsequent operations and packages from such a repository could still be malicious.
I've updated https://wiki.x2go.org/doku.php/wiki:repositories:debian et al with this information, big fat warning signs and explanations.
**Users should always bootstrap with the currently valid GPG key and then install the x2go-keyring package from the validated X2Go repository location!**
Closing up here.
Mihai
Processing control commands:
reassign -1 packages.x2go.org Bug #1401 [complete x2go repo] PGP-Key is not available on keyservers for debian buster Warning: Unknown package 'complete' Warning: Unknown package 'x2go' Warning: Unknown package 'repo' Bug reassigned from package 'complete x2go repo' to 'packages.x2go.org'. No longer marked as found in versions none. Ignoring request to alter fixed versions of bug #1401 to the same values previously set
-- 1401: bugs.x2go.org/cgi-bin/bugreport.cgi?bug=1401 X2Go Bug Tracking System Contact owner@bugs.x2go.org with problems
Processing control commands:
reassign wiki.x2go.org Unknown command or malformed arguments to command.
retitle -1 Update GPG key bootstrapping instructions for Debian Bug #1401 [packages.x2go.org] PGP-Key is not available on keyservers for debian buster Changed Bug title to 'Update GPG key bootstrapping instructions for Debian' from 'PGP-Key is not available on keyservers for debian buster'. close -1 Bug #1401 [packages.x2go.org] Update GPG key bootstrapping instructions for Debian Marked Bug as done
-- 1401: bugs.x2go.org/cgi-bin/bugreport.cgi?bug=1401 X2Go Bug Tracking System Contact owner@bugs.x2go.org with problems
-
Daniel Ullrich -
Mihai Moldovan -
X2Go Bug Tracking System