Due to an invalid key, Devuan users have been unable to update their systems today. Fortunately, the problem has now been fixed.
Devuan emerged in 2014 due to Debian’s transition to systemd following a long technical and widely publicized dispute. Like Debian, Devuan strives to be a general-purpose Linux distribution with desktop and server capabilities.
The distro, aimed at power users and proponents of systemd-free Linux systems, has gained popularity among GNU enthusiasts.
But the Devuan Project found itself in a slightly delicate situation today. Due to forgetting to renew the key with which all software updates are signed, they could not be applied.
Users first reported the issue on the official Devuan forum who were puzzled by an error message they received when attempting to update their systems. The exact case may be seen in the screenshot below.
The issue was quickly identified as caused by an expired key, which Devuan Project uses to sign all software updates. A simple check reveals that the five-year validity period expires on September 3, 2022.
gpg --list-keys BB23C00C61FC752C
pub rsa4096 2017-09-04 [SC] [expired: 2022-09-03] E032601B7CA10BC3EA53FA81BB23C00C61FC752C uid [ expired] Devuan Repository (Amprolla3 on Nemesis) <[email protected]>
Fortunately, the Devuan developers acted immediately, and the software key was renewed a few hours later. However, the conventional method of using the “
apt update” command to apply the new key cannot be utilized.
Below are two alternative ways for downloading and installing the new key on your Devuan GNU/Linux system so that software updates can resume normally.
The first step is to use wget to obtain the software package with the updated key, then install it locally using the
wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb dpkg -i devuan-keyring_2022.09.04_all.deb
Then, using the APT command, you may effortlessly update your Devuan system.
The second approach is considerably more straightforward, as it takes advantage of the APT’s ability to use “insecure” software repositories and unsigned keys.
sudo apt update --allow-insecure-repositories sudo apt install devuan-keyring --allow-unauthenticated
Whichever method you pick, our tests have proven that it is entirely effective and results in the resumption of applying software updates from the Devuan repos.
In conclusion, we can only hope and believe that those in charge of the Devuan Project have taken all necessary precautions to avoid such an awkward situation in the future. And, of course, admirations for the lightning reaction in resolving the issue.
Only the wget-method worked for me on a devuan chimaera-system.