3

Bad GPG signature

https://www.reddit.com/r/nextdns/comments/12rdvc4/psst_nextdns_your_package_signing_key_expired/

Already reported on Reddit, but I thought I'd post here for awareness.

25 replies

null
    • NextDNs
    • 7 mths ago
    • Reported - view

    We are working on a fix

    • Jake_Shin
    • 7 mths ago
    • Reported - view

    Hi, any ETA on the fix? I'm currently planning on deploying NextDNS on few dozen ras-pi this weekend. Will this effect the one-liner installer script at all?

      • R_P_M
      • 7 mths ago
      • Reported - view

      Jake Shin A fix was deployed 2 hours ago as from the time of this post. It should work as normal installing. 

    • Guillaume_Ausset
    • 7 mths ago
    • Reported - view

    The fix is incomplete. The armored key (https://repo.nextdns.io/nextdns-armored.gpg
    ) wasn't updated.

    • d_c
    • 7 mths ago
    • Reported - view

    In fedora when I do a sudo dnf upgrade I see this for when it tries to update from the Nextdns repo:

    Error: Failed to download metadata for repo 'nextdns': repomd.xml GPG signature verification error: Bad GPG signature
    I assume there is still a problem?

      • underpants_gnome
      • 7 mths ago
      • Reported - view

      d c Existing installations will remain broken as you're seeing. The only way to "fix" it now is to reinstall again with the latest version obtained off their website, as it will contain an updated verification key.

      • R_P_M
      • 7 mths ago
      • Reported - view

      d c You will have to update the GPG key manually by downloading the new one. Not sure of the command for fedora or where the key has been stored. 

      • d_c
      • 7 mths ago
      • Reported - view

      @nextdns

      uninstalled the nextdns client in fedora. Rebooted and tried to do manual re-install so I can see the errors.

       

      sudo curl -Ls https://repo.nextdns.io/nextdns.repo -o /etc/yum.repos.d/nextdns.repo
      sudo yum install -y nextdns
      nextdns                                                                                                                         723  B/s | 659  B     00:00    
      nextdns                                                                                                                         6.9 kB/s | 2.4 kB     00:00    
      nextdns                                                                                                                         916  B/s | 659  B     00:00    
      Error: Failed to download metadata for repo 'nextdns': repomd.xml GPG signature verification error: Bad GPG signature
      Ignoring repositories: nextdns
      Last metadata expiration check: 0:35:10 ago on Thu 20 Apr 2023 07:04:25 PM EDT.
      No match for argument: nextdns
      Error: Unable to find a match: nextdns
       

      I think the nextdns.repo file needs to be updated?

      • underpants_gnome
      • 7 mths ago
      • Reported - view

      d c On Debian/Ubuntu you need to uninstall it, then also delete the GPG key that remains still on your system. Then rerun the installation script for linux and it will download and install the newest GPG key. Until you remove the old one, it may keep breaking.

      On another RHEL/CentOS/AlmaLinux/CloudLinux system, I had to edit the nextdns.repo file and disable the GPG verification in order to get it to work.

      • R_P_M
      • 7 mths ago
      • Reported - view

      Underpants Gnome Actually uninstalling is not required, you just need to download the new key and replace the old one. 
       

      See the install script for a clue on how to get new key. 
      https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh

      • Scott_Morris
      • 7 mths ago
      • Reported - view

      R P M That script is huge. What am I looking for?  Should I just run the script again?

      • R_P_M
      • 7 mths ago
      • Reported - view

      Scott Morris Depending on your linux distro the GPG key might be located  “/usr/share/keychains” or “etc/apt/keyrings” could be somewhere else of course. Search the install script for yourself if you so wish, look for “.gpg”

      Download the new key replacing the old from: 
      https://repo.nextdns.io/nextdns.gpg

      • Yanick
      • 7 mths ago
      • Reported - view

      I finally found it for Fedora!
      There is a folder "/var/cache/dnf/" in there you can find the keyrings for every repo. You have to delete the folder starting with "nextdns-"
      After that run a simple "dnf update" and everything should be fine again.

      • R_P_M
      • 7 mths ago
      • Reported - view

      Yanick Nice find and thanks for sharing. 

      • Scott_Morris
      • 7 mths ago
      • Reported - view

      Yanick That did the trick, thanks!

      • puchijon
      • 6 mths ago
      • Reported - view

      R P M actually works for raspbian, thanks!

      • Maxime_Michaud
      • 5 mths ago
      • Reported - view

      Yanick Thank you !

    • iOS Developer
    • Rob
    • 7 mths ago
    • Reported - view

    I run the CLI on an ASUS router and looked at the script, but none of the GPG related locations on that router currently contain a NextDNS key.

    No actions required on ASUS routers?

      • R_P_M
      • 7 mths ago
      • Reported - view

      Rob Does the ASUS router even have a package manager on it? My guess would be probably not and if so you only need to run the install script again to update NextDNS CLI. 

      • iOS Developer
      • Rob
      • 7 mths ago
      • Reported - view

      R P M It does have one (`opkg` from Entware), but NextDNS is not in the repository.

      So the GPG key is only used in relation to a package manager?

    • R_P_M
    • 7 mths ago
    • Reported - view
    Rob said:
    So the GPG key is only used in relation to a package manager?

     From my understanding that is correct. 

    • Jake_Shin
    • 7 mths ago
    • Reported - view

    I think I fixed the issue. 

    For Ubuntu/Debian users: 

    1. Open Terminal
    2. Run the command to remove the old nextdns.gpg  
      sudo rm /etc/apt/keyrings/nextdns.gpg

       

    3.  Run the command to add the new GPG key to your system (taken from the install script) 
      sudo wget -qO /etc/apt/keyrings/nextdns.gpg https://repo.nextdns.io/nextdns.gpg

       

    4. Run apt update and apt dist-upgrade to confirm that the change worked.  

      sudo apt update && sudo apt dist-upgrade -y
      • R_P_M
      • 7 mths ago
      • Reported - view

      Jake Shin Don’t forget for 2) & 3) some may have the key located in “/usr/share/keyrings/“ so just replace the path with what’s correct on your machine. 

      After updating a few other installations, I have found that you need to modify the apt sources list file for NextDNS, by running:

      sudo touch -m /etc/apt/sources.list.d/nextdns.list

      If not done it might pick up the old one still. Rebooting the machine will also work if you don’t want to use the command above. 

      • Chris_Leidich
      • 7 mths ago
      • Reported - view

      Jake Shin Worked great on Debian - thanks for sharing and saving me some google time!

Login to reply

Content aside

  • 3 Likes
  • 5 mths agoLast active
  • 25Replies
  • 822Views
  • 12 Following