Devuan Project Forgot to Renew the Key That Signs System Updates

Devuan Forgot to Renew the Key That Signs System Updates

Due to an invalid key, Devuan users have been unable to update their systems today. Fortunately, the problem has now been fixed.

Devuan emerged in 2014 due to Debian’s transition to systemd following a long technical and widely publicized dispute. Like Debian, Devuan strives to be a general-purpose Linux distribution with desktop and server capabilities.

The distro, aimed at power users and proponents of systemd-free Linux systems, has gained popularity among GNU enthusiasts.

But the Devuan Project found itself in a slightly delicate situation today. Due to forgetting to renew the key with which all software updates are signed, they could not be applied.

Users first reported the issue on the official Devuan forum who were puzzled by an error message they received when attempting to update their systems. The exact case may be seen in the screenshot below.

APT update failed

The issue was quickly identified as caused by an expired key, which Devuan Project uses to sign all software updates. A simple check reveals that the five-year validity period expires on September 3, 2022.

gpg --list-keys BB23C00C61FC752C
pub   rsa4096 2017-09-04 [SC] [expired: 2022-09-03]
      E032601B7CA10BC3EA53FA81BB23C00C61FC752C
uid   [ expired] Devuan Repository (Amprolla3 on Nemesis) <[email protected]>

Fortunately, the Devuan developers acted immediately, and the software key was renewed a few hours later. However, the conventional method of using the “apt update” command to apply the new key cannot be utilized.

Below are two alternative ways for downloading and installing the new key on your Devuan GNU/Linux system so that software updates can resume normally.

The first step is to use wget to obtain the software package with the updated key, then install it locally using the dpkg command.

wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb
dpkg -i devuan-keyring_2022.09.04_all.deb
Installing the new Devuan software repo signing key

Then, using the APT command, you may effortlessly update your Devuan system.

APT successfully updated

The second approach is considerably more straightforward, as it takes advantage of the APT’s ability to use “insecure” software repositories and unsigned keys.

sudo apt update --allow-insecure-repositories
sudo apt install devuan-keyring --allow-unauthenticated

Whichever method you pick, our tests have proven that it is entirely effective and results in the resumption of applying software updates from the Devuan repos.

In conclusion, we can only hope and believe that those in charge of the Devuan Project have taken all necessary precautions to avoid such an awkward situation in the future. And, of course, admirations for the lightning reaction in resolving the issue.

One comment

Leave a Reply

Your email address will not be published.