Package repo key expiry

Hi all,

I notice from time to time that the packages in the openSUSE repository end up with an expired signature:

Err:5 https://download.opensuse.org/repositories/security:/zeek/Debian_10 InRelease
   The following signatures were invalid: EXPKEYSIG 69D1B2AAEE3D166A security OBS Project <security@build.opensuse.org>
Fetched 1,540 B in 1s (2,506 B/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://download.opensuse.org/repositories/security:/zeek/Debian_10 InRelease: The following signatures were invalid: EXPKEYSIG 69D1B2AAEE3D166A security OBS Project <security@build.opensuse.org>
W: Failed to fetch https://download.opensuse.org/repositories/security:/zeek/Debian_10/InRelease The following signatures were invalid: EXPKEYSIG 69D1B2AAEE3D166A security OBS Project <security@build.opensuse.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Is it possible that they've rotated keys and that a new build needs to be triggered in order to get a valid signature? It seems like this condition is something someone could monitor for.

-lou
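
One way to monitor for the condition raised above is to check the signing key's expiry date before apt starts rejecting the repository. This is an added example, not part of the original thread or of any Zeek or OBS tooling; `check_key_expiry` is a hypothetical helper, and the sample records (timestamps, fingerprint placeholder, and the second and third key IDs) are constructed.

```shell
#!/bin/sh
# Added example: flag repository signing keys that are expired or near expiry.
# Input is GnuPG colon-format output, for instance from:
#   gpg --show-keys --with-colons Release.key
# In a "pub" record, field 5 is the key ID and field 7 the expiry time
# (seconds since the epoch; empty means the key never expires).

# check_key_expiry NOW_EPOCH WARN_DAYS   (hypothetical helper, reads stdin)
# Prints "<keyid> <state>" per primary key; returns 1 if any key is
# EXPIRED or will expire within WARN_DAYS.
check_key_expiry() {
    awk -F: -v now="$1" -v warn="$2" '
        BEGIN { bad = 0 }
        $1 == "pub" {
            if ($7 == "")                      state = "OK no-expiry"
            else if ($7 + 0 <= now + 0)        state = "EXPIRED"
            else if ($7 - now <= warn * 86400) state = "EXPIRING"
            else                               state = "OK"
            if (state ~ /^EXP/) bad = 1
            print $5, state
        }
        END { exit bad }'
}

# Constructed sample records (not real key data): the key ID from the apt
# error with an expiry of 2021-02-01, a key expiring 2021-03-01, and a key
# without expiry. The uid record shows that non-pub records are ignored.
SAMPLE_KEYS='pub:e:2048:1:69D1B2AAEE3D166A:1546300800:1612137600::-:::sc::::::23::0:
uid:e::::1546300800::0000000000000000000000000000000000000000::security OBS Project <security@build.opensuse.org>::::::::::0:
pub:-:4096:1:0000000000000001:1577836800:1614556800::-:::scESC::::::23::0:
pub:-:4096:1:0000000000000002:1577836800:::-:::scESC::::::23::0:'

# Example run from cron, warning 30 days ahead:
#   gpg --show-keys --with-colons Release.key | check_key_expiry "$(date +%s)" 30
```

A non-zero exit status lets a cron job or CI step raise an alert while the key is still valid.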

Hi Lou,

Thanks a lot for the report. That actually seems very possible - it seems, however, not optimal that they did not notify us of this.

I will just trigger a rebuild of zeek (and zeek-lts) - let’s see if that fixes this. If it does not, I will raise an issue with OBS.

Johanna

Hi Johanna,

Thank you for looking at this. I see that the signatures and packages were updated on 09.02.2021, but unfortunately I get the same signature expiration error for their key:

  apt-key list
  /etc/apt/trusted.gpg