Discusssion Thread: Changing the openHAB Linux Repo Public key

Hi all,

This thread can be used to discuss any issues, comments or suggestions for the recent APT/YUM Repository Public Key change. For more information see the announcement thread:

Just post here and we’ll try to help!

Cheers,
Ben

It’s this something worth putting in announcements or pinned as a banner? It’s going to trip a lot of people up I suspect.

Yes, absolutely! It’s my fault, I had started writing a post in this board but moved to announcements to finish it. I guess the forum remembered where I first created the draft and kept it here. Sorry!

Is it best to create a new announcement and link here?

Also: looking to get this sorted automatically for openHABian users ahead of time. Preparing https://github.com/openhab/openhabian/pull/1796

I think you can edit the post (click the pencil next to the title) and move it to Announcements. I’m not sure though if it will generate the “new post” alert on a move or not. Maybe creating a new post would be better just to make sure it ends up in people’s feeds.

In this case, to avoid confusion, I’d just create a whole new post and we can pretend this one never existed.

Why not distribute it in a .Deb that gets pulled in as a dependency of the main oh package? This way people will get it automatically when updating.

After trying to upgrade to OH4 as described here openHABian testing - #47 by stefan.hoehn I failed to install JDK 17 which brought me to this thread. Even though with the directions given in the announcement I still have the wrong public keys.

Updating openhabian via openhabian-config doesn’t help.
Even the manual command provided didn’t fix my problem, so my openHAB installation is currently broken:

wget -qO- https://openhab.jfrog.io/artifactory/api/gpg/key/public | gpg --dearmor | sudo tee /usr/share/keyrings/openhab.gpg >/dev/null

sudo apt-get update
Hit:1 http://phoscon.de/apt/deconz buster InRelease
Hit:2 http://raspbian.raspberrypi.org/raspbian buster InRelease
Get:3 http://davesteele.github.io/comitup/repo comitup InRelease [4,659 B]
Hit:4 http://archive.raspberrypi.org/debian bullseye InRelease
Hit:5 http://archive.raspberrypi.org/debian buster InRelease
Hit:6 https://deb.nodesource.com/node_16.x buster InRelease
Get:7 https://repos.influxdata.com/debian buster InRelease [7,038 B]
Get:8 https://packages.grafana.com/oss/deb stable InRelease [5,984 B]
Hit:9 https://openhab.jfrog.io/artifactory/openhab-linuxpkg testing InRelease
Hit:10 https://adoptopenjdk.jfrog.io/adoptopenjdk/deb bullseye InRelease
Err:3 http://davesteele.github.io/comitup/repo comitup InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0959C4A3DCF89FBF
Err:7 https://repos.influxdata.com/debian buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D8FF8E1F7DF8B07E
Err:8 https://packages.grafana.com/oss/deb stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9E439B102CF3C0C6
Fetched 7,038 B in 6s (1,230 B/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://davesteele.github.io/comitup/repo comitup InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0959C4A3DCF89FBF
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repos.influxdata.com/debian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D8FF8E1F7DF8B07E
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.grafana.com/oss/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9E439B102CF3C0C6
W: Failed to fetch http://davesteele.github.io/comitup/repo/dists/comitup/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0959C4A3DCF89FBF
W: Failed to fetch https://packages.grafana.com/oss/deb/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9E439B102CF3C0C6
W: Failed to fetch https://repos.influxdata.com/debian/dists/buster/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D8FF8E1F7DF8B07E
W: Some index files failed to download. They have been ignored, or old ones used instead.

Can you advice?

I ran into something similar on another repository (nothing to do with openhab). Maybe all the public keys expire on July 23?. Any my friendly bing chat suggested (see below), but you might want to google the message and see if it gives similar advice. caveat emptor
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9E439B102CF3C0C6

Thanks Bob , based on your idea I asked the same question for the above and it also refers to the --keyserver keyserver.ubuntu.com . As I have no clue what I am doing here, can some linux genie jump in if that makes sense before I do something that shouldn’t be done and may be eloborate why this is happening at all?

Hi @stefan.hoehn,

I’m not sure what has caused that to happen on your machine but the repos the errors are for are for non-openHAB sources (openHABian likely installed these, but either the repository that owns the service has changed its key or for some reason these keys are now missing). Those services (and instructions for adding these keys) are:

comitup: Installing Comitup · davesteele/comitup Wiki · GitHub
influxDB: https://repos.influxdata.com/
Graphana: https://packages.grafana.com/

In the case of influxDB and Graphana, openHABian installs keys to /usr/share/keyrings rather than /etc/apt/trusted.gpg.d/ or /etc/apt/keyrings respectively.

The apt-key method will work too - but is deprecated.

Hi @peterhoeg,

I completely agree and this is how I would like it to be done in future - we just need to make sure it doesn’t clash with ways openHABian handles the key and the sources file.

Looked like a good start but

1. during comitup:

sudo apt-get install comitup comitup-watch

I get

libc6-dev : Breaks: libgcc-8-dev (< 8.4.0-2~) but 8.3.0-6+rpi1 is to be installed
(I seem to be ahead of time already)

2. Influx worked

wget -q https://repos.influxdata.com/influxdata-archive_compat.key
  echo '393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c influxdata-archive_compat.key' | sha256sum -c && cat influxdata-archive_compat.key | gpg --dearmor | sudo tee /usr/share/keyrings/influxdata-archive_compat.gpg > /dev/null
  echo 'deb [signed-by=/usr/share/keyrings/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list

3. Grafana fails as well with

/usr/share/keyrings/grafana.gpg: Permission denied
Even if I add sudo before the gpg command

wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor > /usr/share/keyrings/grafana.gpg
echo "deb [signed-by=/usr/share/keyrings/grafana.gpg] https://apt.grafana.com stable main" | tee /etc/apt/sources.list.d/grafana.list

I am on Fedora 38, using dnf as package manager.

The announcement states:

YUM/DNF Users.

There should be nothing to do here if you followed openHAB Documentation: Linux Installation: yum-or-dnf-based-systems . RPM will download the new public key when necessary, if for some reason you get a GPG error, you can clean the cache with:

dnf clean all
## or ##
yum clean all

However, cleaing the cache did not solve my GPG error, I had to delete the key so dnf can dowload the new one, using these commands

# List repo keys
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
# Delete openHAB repo key
sudo rpm -e gpg-pubkey-xxxxxxxx # Use the id of the openHAB repo key here

Ah, thanks @florian-h05 - I’ll update the announcement just in-case.

Hi all,
I’m getting al these errors. Are those related to the thread here or am I really missing someting?

openhabian@openhabian:~ $ sudo apt-get update
Hit:1 http://archive.raspberrypi.org/debian buster InRelease
Hit:2 http://raspbian.raspberrypi.org/raspbian buster InRelease
Hit:3 http://davesteele.github.io/comitup/repo comitup InRelease
Get:4 https://repos.influxdata.com/debian buster InRelease [7,038 B]
Get:5 https://deb.nodesource.com/node_12.x buster InRelease [4,584 B]
Get:6 https://packages.grafana.com/oss/deb stable InRelease [5,983 B]
Get:7 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable InRelease [12.8 kB]
Err:4 https://repos.influxdata.com/debian buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D8FF8E1F7DF8B07E
Err:6 https://packages.grafana.com/oss/deb stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 963FA27710458545
Err:7 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 075721F6A224060A
Fetched 30.4 kB in 2s (13.4 kB/s)
Reading package lists... Done
N: Ignoring file 'openhab.liste' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repos.influxdata.com/debian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D8FF8E1F7DF8B07E
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.grafana.com/oss/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 963FA27710458545
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 075721F6A224060A
W: Failed to fetch https://packages.grafana.com/oss/deb/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 963FA27710458545
W: Failed to fetch https://repos.influxdata.com/debian/dists/buster/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D8FF8E1F7DF8B07E
W: Failed to fetch https://openhab.jfrog.io/artifactory/openhab-linuxpkg/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 075721F6A224060A
W: Some index files failed to download. They have been ignored, or old ones used instead.

Yes. openhab.jfrog.io is related to this thread. grafana, influxdata same root cause but other key required.
Message about openhab.liste is a different one. That file can be deleted as it is not used and there is a different file ( openhab.list ).

Thanks again Wolfgang for your reply.
I decided to start allover again and build from scratch. As my home automation is not that complex I was thinking this would be a good idea

I have a OpenHABian 3.4.4 installed and tried first just by updating through openhabian-config which didn’t solve the problem.

Then I tried the APT based method for non-openHABian users which also ran without problems. But when I try to update I get the following error and don’t know how to get this solved:

Get:5 https://openhab.jfrog.io/artifactory/openhab-linuxpkg testing InRelease [12.5 kB]
Err:5 https://openhab.jfrog.io/artifactory/openhab-linuxpkg testing InRelease
  The following signatures were invalid: EXPKEYSIG 075721F6A224060A openHAB Bintray Repositories <owner@openhab.org>
Fetched 9,243 B in 2s (5,543 B/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://openhab.jfrog.io/artifactory/openhab-linuxpkg testing InRelease: The following signatures were invalid: EXPKEYSIG 075721F6A224060A openHAB Bintray Repositories <owner@openhab.org>
W: Failed to fetch https://openhab.jfrog.io/artifactory/openhab-linuxpkg/dists/testing/InRelease  The following signatures were invalid: EXPKEYSIG 075721F6A224060A openHAB Bintray Repositories <owner@openhab.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Any help is greatly appreciated because my home automation setup is extremly complex with gpio ports extra apache webserver, relay, etc. It would take me days to restore everything.

And I especially don’t understand what’s going in apt-get here so that I could figure out what I did wrong. Especially why did openhabian-config not update the key correctly…

1. You are aware of doing the upgrade will upgrade to 4.X ? You are aware of the prerequisites ?
2. the signature key is outdated and was replaced with a new one. The public key of that needs to be replace
3. on the download page are short instructions that describe what you need to do

• Add the repository key

curl -fsSL "https://openhab.jfrog.io/artifactory/api/gpg/key/public" | gpg --dearmor > openhab.gpg
sudo mkdir /usr/share/keyrings
sudo mv openhab.gpg /usr/share/keyrings
sudo chmod u=rw,g=r,o=r /usr/share/keyrings/openhab.gpg

• Add the HTTPS transport for APT

sudo apt-get install apt-transport-https

• Add the repository

echo 'deb [signed-by=/usr/share/keyrings/openhab.gpg] https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable main' | sudo tee /etc/apt/sources.list.d/openhab.list

4. is your openhabian-config up to date to the latest release. It will warn you about doing an upgrade from 3.X to 4.X in case of missing java and in case of wrong OS.