Bad GPG signature
https://www.reddit.com/r/nextdns/comments/12rdvc4/psst_nextdns_your_package_signing_key_expired/
Already reported on Reddit, but I thought I'd post here for awareness.
-
We are working on a fix
-
Hi, any ETA on the fix? I'm currently planning on deploying NextDNS on few dozen ras-pi this weekend. Will this effect the one-liner installer script at all?
-
Jake Shin A fix was deployed 2 hours ago as from the time of this post. It should work as normal installing.
-
-
The fix is incomplete. The armored key (https://repo.nextdns.io/nextdns-armored.gpg
) wasn't updated. -
In fedora when I do a sudo dnf upgrade I see this for when it tries to update from the Nextdns repo:
Error: Failed to download metadata for repo 'nextdns': repomd.xml GPG signature verification error: Bad GPG signature
I assume there is still a problem?-
d c Existing installations will remain broken as you're seeing. The only way to "fix" it now is to reinstall again with the latest version obtained off their website, as it will contain an updated verification key.
-
d c You will have to update the GPG key manually by downloading the new one. Not sure of the command for fedora or where the key has been stored.
-
@nextdns
uninstalled the nextdns client in fedora. Rebooted and tried to do manual re-install so I can see the errors.
sudo curl -Ls https://repo.nextdns.io/nextdns.repo -o /etc/yum.repos.d/nextdns.repo
sudo yum install -y nextdns
nextdns 723 B/s | 659 B 00:00
nextdns 6.9 kB/s | 2.4 kB 00:00
nextdns 916 B/s | 659 B 00:00
Error: Failed to download metadata for repo 'nextdns': repomd.xml GPG signature verification error: Bad GPG signature
Ignoring repositories: nextdns
Last metadata expiration check: 0:35:10 ago on Thu 20 Apr 2023 07:04:25 PM EDT.
No match for argument: nextdns
Error: Unable to find a match: nextdns
I think the nextdns.repo file needs to be updated?
-
d c On Debian/Ubuntu you need to uninstall it, then also delete the GPG key that remains still on your system. Then rerun the installation script for linux and it will download and install the newest GPG key. Until you remove the old one, it may keep breaking.
On another RHEL/CentOS/AlmaLinux/CloudLinux system, I had to edit the nextdns.repo file and disable the GPG verification in order to get it to work.
-
Underpants Gnome Actually uninstalling is not required, you just need to download the new key and replace the old one.
See the install script for a clue on how to get new key.
https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh -
R P M That script is huge. What am I looking for? Should I just run the script again?
-
Scott Morris Depending on your linux distro the GPG key might be located “/usr/share/keychains” or “etc/apt/keyrings” could be somewhere else of course. Search the install script for yourself if you so wish, look for “.gpg”
Download the new key replacing the old from:
https://repo.nextdns.io/nextdns.gpg -
I finally found it for Fedora!
There is a folder "/var/cache/dnf/" in there you can find the keyrings for every repo. You have to delete the folder starting with "nextdns-"
After that run a simple "dnf update" and everything should be fine again. -
Yanick Nice find and thanks for sharing.
-
Yanick That did the trick, thanks!
-
R P M actually works for raspbian, thanks!
-
-
I run the CLI on an ASUS router and looked at the script, but none of the GPG related locations on that router currently contain a NextDNS key.
No actions required on ASUS routers?
-
Rob Does the ASUS router even have a package manager on it? My guess would be probably not and if so you only need to run the install script again to update NextDNS CLI.
-
R P M It does have one (`opkg` from Entware), but NextDNS is not in the repository.
So the GPG key is only used in relation to a package manager?
-
-
Rob said:
So the GPG key is only used in relation to a package manager?From my understanding that is correct.
-
I think I fixed the issue.
For Ubuntu/Debian users:
- Open Terminal
- Run the command to remove the old nextdns.gpg
sudo rm /etc/apt/keyrings/nextdns.gpg - Run the command to add the new GPG key to your system (taken from the install script)
sudo wget -qO /etc/apt/keyrings/nextdns.gpg https://repo.nextdns.io/nextdns.gpg -
Run apt update and apt dist-upgrade to confirm that the change worked.
sudo apt update && sudo apt dist-upgrade -y
-
Jake Shin Don’t forget for 2) & 3) some may have the key located in “/usr/share/keyrings/“ so just replace the path with what’s correct on your machine.
After updating a few other installations, I have found that you need to modify the apt sources list file for NextDNS, by running:
sudo touch -m /etc/apt/sources.list.d/nextdns.list
If not done it might pick up the old one still. Rebooting the machine will also work if you don’t want to use the command above.
-
Jake Shin Worked great on Debian - thanks for sharing and saving me some google time!
