
Bad GPG signature

https://www.reddit.com/r/nextdns/comments/12rdvc4/psst_nextdns_your_package_signing_key_expired/

Already reported on Reddit, but I thought I'd post here for awareness.

23 replies

    • NextDNs
    • 5 mths ago

    We are working on a fix

    • Jake_Shin
    • 5 mths ago

    Hi, any ETA on the fix? I'm currently planning on deploying NextDNS on a few dozen ras-pi this weekend. Will this affect the one-liner installer script at all?

      • R_P_M
      • 5 mths ago

      Jake Shin A fix was deployed 2 hours ago as of the time of this post. Installing should work as normal.

    • Guillaume_Ausset
    • 5 mths ago

    The fix is incomplete. The armored key (https://repo.nextdns.io/nextdns-armored.gpg) wasn't updated.

    • d_c
    • 5 mths ago

    In Fedora, when I do a sudo dnf upgrade I see this when it tries to update from the NextDNS repo:

    Error: Failed to download metadata for repo 'nextdns': repomd.xml GPG signature verification error: Bad GPG signature

    I assume there is still a problem?

      • R_P_M
      • 5 mths ago

      d c You will have to update the GPG key manually by downloading the new one. Not sure of the command for fedora or where the key has been stored. 

      • d_c
      • 5 mths ago

      @nextdns

      Uninstalled the NextDNS client in Fedora. Rebooted and tried to do a manual re-install so I can see the errors.

       

      sudo curl -Ls https://repo.nextdns.io/nextdns.repo -o /etc/yum.repos.d/nextdns.repo
      sudo yum install -y nextdns
      nextdns                                                                                                                         723  B/s | 659  B     00:00    
      nextdns                                                                                                                         6.9 kB/s | 2.4 kB     00:00    
      nextdns                                                                                                                         916  B/s | 659  B     00:00    
      Error: Failed to download metadata for repo 'nextdns': repomd.xml GPG signature verification error: Bad GPG signature
      Ignoring repositories: nextdns
      Last metadata expiration check: 0:35:10 ago on Thu 20 Apr 2023 07:04:25 PM EDT.
      No match for argument: nextdns
      Error: Unable to find a match: nextdns
       

      I think the nextdns.repo file needs to be updated?

      • R_P_M
      • 5 mths ago

      Underpants Gnome Actually uninstalling is not required, you just need to download the new key and replace the old one. 
       

      See the install script for a clue on how to get new key. 
      https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh

      • Scott_Morris
      • 5 mths ago

      R P M That script is huge. What am I looking for?  Should I just run the script again?

      • R_P_M
      • 5 mths ago

      Scott Morris Depending on your Linux distro, the GPG key might be located in “/usr/share/keychains” or “etc/apt/keyrings”; it could be somewhere else, of course. Search the install script for yourself if you so wish; look for “.gpg”.

      Download the new key replacing the old from: 
      https://repo.nextdns.io/nextdns.gpg

      • Yanick
      • 5 mths ago

      I finally found it for Fedora!
      There is a folder "/var/cache/dnf/"; in there you can find the keyrings for every repo. You have to delete the folder starting with "nextdns-".
      After that run a simple "dnf update" and everything should be fine again.

      • R_P_M
      • 5 mths ago

      Yanick Nice find and thanks for sharing. 

      • Scott_Morris
      • 5 mths ago

      Yanick That did the trick, thanks!

      • puchijon
      • 4 mths ago

      R P M actually works for raspbian, thanks!

      • Maxime_Michaud
      • 3 mths ago

      Yanick Thank you !

    • iOS Developer
    • Rob
    • 5 mths ago

    I run the CLI on an ASUS router and looked at the script, but none of the GPG related locations on that router currently contain a NextDNS key.

    No actions required on ASUS routers?

      • R_P_M
      • 5 mths ago

      Rob Does the ASUS router even have a package manager on it? My guess would be probably not and if so you only need to run the install script again to update NextDNS CLI. 

      • iOS Developer
      • Rob
      • 5 mths ago

      R P M It does have one (`opkg` from Entware), but NextDNS is not in the repository.

      So the GPG key is only used in relation to a package manager?

    • R_P_M
    • 5 mths ago

    Rob said:
    So the GPG key is only used in relation to a package manager?

    From my understanding that is correct.

    • Jake_Shin
    • 4 mths ago

    I think I fixed the issue. 

    For Ubuntu/Debian users: 

    1. Open Terminal
    2. Run the command to remove the old nextdns.gpg

      sudo rm /etc/apt/keyrings/nextdns.gpg

    3. Run the command to add the new GPG key to your system (taken from the install script)

      sudo wget -qO /etc/apt/keyrings/nextdns.gpg https://repo.nextdns.io/nextdns.gpg

    4. Run apt update and apt dist-upgrade to confirm that the change worked.

      sudo apt update && sudo apt dist-upgrade -y

      • R_P_M
      • 4 mths ago

      Jake Shin Don’t forget for 2) & 3) some may have the key located in “/usr/share/keyrings/” so just replace the path with what’s correct on your machine.

      After updating a few other installations, I have found that you need to modify the apt sources list file for NextDNS, by running:

      sudo touch -m /etc/apt/sources.list.d/nextdns.list

      If not done it might pick up the old one still. Rebooting the machine will also work if you don’t want to use the command above. 

      • Chris_Leidich
      • 4 mths ago

      Jake Shin Worked great on Debian - thanks for sharing and saving me some google time!
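
Added example (not part of the thread and not NextDNS's code): a shell sketch of the key replacement discussed above that downloads the key to a temporary file and refuses to install it if it is still expired, which is the failure reported for the armored key. Function names are hypothetical, the sample listings are constructed, and `keyring_ok` assumes a GnuPG that supports `--show-keys`.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample records are constructed.
# Reads `gpg --show-keys --with-colons` output on stdin and prints every
# primary key or subkey whose expiry time has passed.
# Colon fields: 1 = record type, 5 = key ID, 7 = expiry (epoch seconds; empty = never).
expired_keys() {
    # $1 = current time in epoch seconds (a parameter so results are reproducible)
    awk -F: -v now="$1" '
        ($1 == "pub" || $1 == "sub") && $7 != "" && $7 + 0 <= now + 0 { print $1, $5 }'
}

# Returns 0 if no key in file $1 is expired, 1 if one is, 2 if gpg cannot read it.
keyring_ok() {
    listing=$(gpg --show-keys --with-colons "$1" 2>/dev/null) || return 2
    bad=$(printf '%s\n' "$listing" | expired_keys "$(date +%s)")
    if [ -n "$bad" ]; then
        printf 'expired: %s\n' "$bad" >&2
        return 1
    fi
}

# Download to a temp file, check it, and only then replace the keyring in place.
# $1 = key URL, $2 = keyring path (both taken from the thread when called as below).
refresh_key() {
    tmp=$(mktemp) || return 2
    if wget -qO "$tmp" "$1" && keyring_ok "$tmp"; then
        install -m 0644 "$tmp" "$2"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
# Usage (as root):
#   refresh_key https://repo.nextdns.io/nextdns.gpg /etc/apt/keyrings/nextdns.gpg

# Constructed sample listings (not real NextDNS key data).
SAMPLE_EXPIRED='pub:e:4096:1:AAAAAAAAAAAAAAAA:1500000000:1600000000::-:::sc::::::23::0:
uid:e::::1500000000::0000::Example Repo Key::::::::::0:'
SAMPLE_VALID='pub:-:4096:1:BBBBBBBBBBBBBBBB:1650000000:1900000000::-:::scESC::::::23::0:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1650000000::::::e::::::23:'
```

The check covers expiry only; it does not authenticate the downloaded key, so compare its fingerprint with one obtained out of band before trusting it.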
