UCS 4.x apt key expired, no package installation,update, app installation is possible

Please check the article for updates, an overview can be found below.

2021-06-28 15:00 CEST original article
2021-06-28 19:00 CEST fix for UCS versions >= 4.4-4 errata 605, manual workaround for older systems required, see below.

2021-06-28 15:00 The apt key shipped with UCS 4 has expired.

On UCS 4.x no package installations and updates are currently possible, as well as UCS Release updates and App installations.

On an affected UCS system the problem can be seen when e.g. updating the apt package cache:

$ apt-get update
...
W: GPG error: http://updates.software-univention.de/4.4/maintained/component 4.4-8-errata/all/ Release: The following signatures were invalid: EXPKEYSIG 36602BA86B8BFD3C Univention Corporate Server 4.x <packages@univention.de>
E: The repository 'http://updates.software-univention.de/4.4/maintained/component 4.4-8-errata/all/ Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
...

Starting from 2021-06-28, the following error will be shown, because the package repository has been signed with a key unknown to apt for UCS versions < 4.4-4 errata605:

...
Err:180 http://updates.knut.univention.de/4.4/maintained/component 4.4-4-errata/amd64/ Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D293E501A055F562
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://updates.knut.univention.de/4.4/maintained/component 4.4-4-errata/amd64/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D293E501A055F562
W: Failed to fetch http://updates.knut.univention.de/4.4/maintained/component/4.4-4-errata/amd64/Release.gpg  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D293E501A055F562
...

2021-06-28 19:00 CEST fix for UCS versions >= 4.4-4 errata 605, manual workaround for older systems required.

We have updated the UCS repository server signatures by signing them with the UCS 5 key. This fixes the issue on UCS Systems which are at least on version UCS 4.4-4 errata605. This erratum was released on 2020-05-20.

The following actions should be working again:

  • UCS package installation and updates
  • UCS release version updates
  • UCS App Center installation and updates
  • Customer mirror access

On UCS systems that are still running an older version, manual steps are required to fix the issue. Administrators have to manually install the UCS 5 apt signing key on every UCS server by following these steps:

$ wget https://updates.software-univention.de/univention-archive-key-ucs-5x.gpg -O /etc/apt/trusted.gpg.d/univention-archive-key-ucs-5x.gpg
$ wget https://updates.software-univention.de/univention-archive-key-ucs-5x.gpg.sha512 -O ./univention-archive-key-ucs-5x.gpg.sha512

$ cat ./univention-archive-key-ucs-5x.gpg.sha512
50215f265eb9e2f3b0b5b1f5c8e29bc891e422ed13a505dec062fc3defba942eb05ce0acb52f29209678eabe995ecd6ce4496c994890b8bc8afa384be3da2794  /etc/apt/trusted.gpg.d/univention-archive-key-ucs-5x.gpg

$ sha512sum -c ./univention-archive-key-ucs-5x.gpg.sha512
/etc/apt/trusted.gpg.d/univention-archive-key-ucs-5x.gpg: OK

If the checksum for the file /etc/apt/trusted.gpg.d/univention-archive-key-ucs-5x.gpg is not verified or the checksum in the file ./univention-archive-key-ucs-5x.sha512 is not the same as shown above, an error occured, and the key should be removed - rm /etc/apt/trusted.gpg.d/univention-archive-key-ucs-5x.gpg

Workaround

In case a temporary and quick workaround is required, the apt signature checks can be deactivated by executing

$ ucr set update/secure_apt='no'; apt-get update

:warning: This is not secure and should be reverted as soon as possible via ucr unset update/secure_apt

9 Likes