Bad GPG signature

d_c
5 mths ago
23replies

https://www.reddit.com/r/nextdns/comments/12rdvc4/psst_nextdns_your_package_signing_key_expired/

Already reported on Reddit, but I thought I'd post here for awareness.

- NextDNs
- 5 mths ago
- Reported - view
We are working on a fix
- d_c
  
  5 mths ago
  
  Reported - view
  NextDNS https://help.nextdns.io/t/35hcjmf?r=83hc2kz
- Jake_Shin
- 5 mths ago
- Reported - view
Hi, any ETA on the fix? I'm currently planning on deploying NextDNS on few dozen ras-pi this weekend. Will this effect the one-liner installer script at all?
- R_P_M
  
  5 mths ago
  
  Reported - view
  Jake Shin A fix was deployed 2 hours ago as from the time of this post. It should work as normal installing.
- Guillaume_Ausset
- 5 mths ago
- Reported - view
The fix is incomplete. The armored key (https://repo.nextdns.io/nextdns-armored.gpg
) wasn't updated.
- d_c
- 5 mths ago
- Reported - view
In fedora when I do a sudo dnf upgrade I see this for when it tries to update from the Nextdns repo:

Error: Failed to download metadata for repo 'nextdns': repomd.xml GPG signature verification error: Bad GPG signature
I assume there is still a problem?
- R_P_M
  
  5 mths ago
  
  Reported - view
  d c You will have to update the GPG key manually by downloading the new one. Not sure of the command for fedora or where the key has been stored.
- d_c
  
  5 mths ago
  
  Reported - view
  @nextdns
  
  uninstalled the nextdns client in fedora. Rebooted and tried to do manual re-install so I can see the errors.
  
  sudo curl -Ls https://repo.nextdns.io/nextdns.repo -o /etc/yum.repos.d/nextdns.repo
  sudo yum install -y nextdns
  nextdns 723 B/s | 659 B 00:00
  nextdns 6.9 kB/s | 2.4 kB 00:00
  nextdns 916 B/s | 659 B 00:00
  Error: Failed to download metadata for repo 'nextdns': repomd.xml GPG signature verification error: Bad GPG signature
  Ignoring repositories: nextdns
  Last metadata expiration check: 0:35:10 ago on Thu 20 Apr 2023 07:04:25 PM EDT.
  No match for argument: nextdns
  Error: Unable to find a match: nextdns
  
  I think the nextdns.repo file needs to be updated?
- R_P_M
  
  5 mths ago
  
  Reported - view
  Underpants Gnome Actually uninstalling is not required, you just need to download the new key and replace the old one.
  
  See the install script for a clue on how to get new key.
  https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh
- Scott_Morris
  
  5 mths ago
  
  Reported - view
  R P M That script is huge. What am I looking for? Should I just run the script again?
- R_P_M
  
  5 mths ago
  
  Reported - view
  Scott Morris Depending on your linux distro the GPG key might be located “/usr/share/keychains” or “etc/apt/keyrings” could be somewhere else of course. Search the install script for yourself if you so wish, look for “.gpg”
  
  Download the new key replacing the old from:
  https://repo.nextdns.io/nextdns.gpg
- Yanick
  
  5 mths ago
  
  Reported - view
  I finally found it for Fedora!
  There is a folder "/var/cache/dnf/" in there you can find the keyrings for every repo. You have to delete the folder starting with "nextdns-"
  After that run a simple "dnf update" and everything should be fine again.
- R_P_M
  
  5 mths ago
  
  Reported - view
  Yanick Nice find and thanks for sharing.
- Scott_Morris
  
  5 mths ago
  
  Reported - view
  Yanick That did the trick, thanks!
- puchijon
  
  4 mths ago
  
  Reported - view
  R P M actually works for raspbian, thanks!
- Maxime_Michaud
  
  3 mths ago
  
  Reported - view
  Yanick Thank you !
- iOS Developer
- Rob
- 5 mths ago
- Reported - view
I run the CLI on an ASUS router and looked at the script, but none of the GPG related locations on that router currently contain a NextDNS key.

No actions required on ASUS routers?
- R_P_M
  
  5 mths ago
  
  Reported - view
  Rob Does the ASUS router even have a package manager on it? My guess would be probably not and if so you only need to run the install script again to update NextDNS CLI.
- iOS Developer
  
  Rob
  
  5 mths ago
  
  Reported - view
  R P M It does have one (`opkg` from Entware), but NextDNS is not in the repository.
  
  So the GPG key is only used in relation to a package manager?
- R_P_M
- 5 mths ago
- Reported - view
Rob said:
So the GPG key is only used in relation to a package manager?

From my understanding that is correct.
- Jake_Shin
- 4 mths ago
- Reported - view
I think I fixed the issue.

For Ubuntu/Debian users:

Open Terminal

Run the command to remove the old nextdns.gpg
sudo rm /etc/apt/keyrings/nextdns.gpg

Run the command to add the new GPG key to your system (taken from the install script)
sudo wget -qO /etc/apt/keyrings/nextdns.gpg https://repo.nextdns.io/nextdns.gpg

Run apt update and apt dist-upgrade to confirm that the change worked.

sudo apt update && sudo apt dist-upgrade -y
- R_P_M
  
  4 mths ago
  
  Reported - view
  Jake Shin Don’t forget for 2) & 3) some may have the key located in “/usr/share/keyrings/“ so just replace the path with what’s correct on your machine.
  
  After updating a few other installations, I have found that you need to modify the apt sources list file for NextDNS, by running:
  
  sudo touch -m /etc/apt/sources.list.d/nextdns.list
  
  If not done it might pick up the old one still. Rebooting the machine will also work if you don’t want to use the command above.
- Chris_Leidich
  
  4 mths ago
  
  Reported - view
  Jake Shin Worked great on Debian - thanks for sharing and saving me some google time!

Content aside

3 Likes
3 mths agoLast active
23Replies
715Views
12 Following

Bad GPG signature

23 replies

Content aside

Home

Tags