Hi all,
If you’re using apt.mopidy.com and apt >= 3.0 to install Mopidy Debian packages, you might have seen the following warning:
> sudo apt update
...
Fetched 20,5 kB in 20s (1.016 B/s)
All packages are up to date.
Warning: https://apt.mopidy.com/dists/bookworm/InRelease: Policy will reject signature within a year, see --audit for details
Tl;dr: How to fix it
To fix the above warning, update your system’s copy of the Mopidy APT archive’s key:
sudo mkdir -p /etc/apt/keyrings
sudo wget -q -O /etc/apt/keyrings/mopidy-archive-keyring.gpg https://apt.mopidy.com/mopidy-archive-keyring.gpg
sudo wget -q -O /etc/apt/sources.list.d/mopidy.sources https://apt.mopidy.com/bookworm.sources
Background
If you rerun apt update with the --audit flag you get a bit more detail:
> sudo apt update --audit
...
All packages are up to date.
Warning: https://apt.mopidy.com/dists/bookworm/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://apt.mopidy.com/dists/bookworm/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on 9E36464A7C030945EEB7632878FD980E271D2943 is not bound:
No binding signature at time 2024-07-07T08:51:57Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
The Mopidy APT archive signing key dates from 2010(!), and its self-signatures, the “binding signatures” that tie the key's user ID and subkeys to the primary key, were made with SHA-1. The policy that apt 3 applies through sqv stops accepting SHA-1 for such signatures on 2026-02-01, which is what the audit output above is warning about a year in advance.
To fix the above warning, the APT archive now has an updated signing key whose binding signatures use SHA-256 instead of SHA-1. The APT archive's metadata files have been re-signed with the updated key.
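As an added example (not code from this post or from the Mopidy project), here is a small Python audit that reads a binary OpenPGP keyring and reports, for every user ID and subkey, the hash algorithm of its newest binding signature, which is the field the sqv policy check above is rejecting. It parses the RFC 4880 packet framing directly, so it works on any dearmored keyring, including the exported public key from the maintainer steps at the end of this post. The keyring bytes it runs on are constructed placeholders with a made-up user ID, not the real mopidy-archive-keyring.gpg.

```python
"""Report, per user ID and subkey, the hash algorithm of the newest binding
signature in a binary OpenPGP keyring. Added example, not from the original
post or the Mopidy/apt tooling; it parses just enough RFC 4880 framing to do
that, and the keyring bytes at the bottom are constructed placeholders."""

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
SIG_TYPES = {0x13: "PositiveCertification", 0x18: "SubkeyBinding", 0x1F: "DirectKey"}
WEAK_HASHES = {1, 2, 3}  # MD5, SHA1, RIPEMD160: treated as weak for binding signatures

def _read_length(data, i, new_format, ctb):
    """Return (body_length, body_start) for the length field at data[i]."""
    if not new_format:
        if ctb & 0x03 == 3:
            raise ValueError("indeterminate packet length is not supported")
        size = 1 << (ctb & 0x03)  # 1, 2 or 4 length octets
        return int.from_bytes(data[i:i + size], "big"), i + size
    first = data[i]
    if first < 192:
        return first, i + 1
    if first < 224:
        return ((first - 192) << 8) + data[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not supported")

def iter_packets(data):
    """Yield (tag, body) for every packet in a binary (dearmored) keyring."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet tag at offset %d" % i)
        new_format = bool(ctb & 0x40)
        tag = ctb & 0x3F if new_format else (ctb >> 2) & 0x0F
        length, i = _read_length(data, i + 1, new_format, ctb)
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        i += length
        yield tag, body

def parse_v4_signature(body):
    """Return (sig_type, hash_algo, created) from a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled, got v%d" % body[0])
    sig_type, hash_algo, created = body[1], body[3], 0
    pos, end = 6, 6 + int.from_bytes(body[4:6], "big")
    while pos < end:  # hashed subpackets: length octet(s), type, data
        sp_len, pos = body[pos], pos + 1
        if sp_len == 255:
            sp_len, pos = int.from_bytes(body[pos:pos + 4], "big"), pos + 4
        elif sp_len >= 192:
            sp_len, pos = ((sp_len - 192) << 8) + body[pos] + 192, pos + 1
        if body[pos] & 0x7F == 2:  # signature creation time subpacket
            created = int.from_bytes(body[pos + 1:pos + sp_len], "big")
        pos += sp_len
    return sig_type, hash_algo, created

def newest_binding_signatures(data):
    """Map 'uid:<name>' / 'subkey:<n>' / 'primary key' to its newest self-signature."""
    result, target, subkeys = {}, "primary key", 0
    for tag, body in iter_packets(data):
        if tag == 6:  # public key packet starts a new certificate
            target, subkeys = "primary key", 0
        elif tag == 13:  # user ID
            target = "uid:" + body.decode("utf-8", "replace")
        elif tag == 14:  # public subkey
            subkeys += 1
            target = "subkey:%d" % subkeys
        elif tag == 2:
            sig_type, hash_algo, created = parse_v4_signature(body)
            if sig_type not in SIG_TYPES:  # third-party certifications, revocations
                continue
            if target not in result or created > result[target]["created"]:
                result[target] = {"type": SIG_TYPES[sig_type], "created": created,
                                  "hash": HASH_ALGOS.get(hash_algo, str(hash_algo)),
                                  "weak": hash_algo in WEAK_HASHES}
    return result

def weak_targets(data):
    """Sorted names whose newest binding signature still uses a weak hash."""
    return sorted(t for t, s in newest_binding_signatures(data).items() if s["weak"])

def _packet(tag, body):
    """Frame body as a new-format packet (one-octet length, body < 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body

def _self_sig(sig_type, hash_algo, created):
    """v4 signature whose hashed area holds only a creation-time subpacket;
    the hash prefix and MPI at the end are placeholders, nothing here verifies."""
    hashed = bytes([5, 2]) + created.to_bytes(4, "big")
    body = (bytes([4, sig_type, 1, hash_algo]) + len(hashed).to_bytes(2, "big")
            + hashed + b"\x00\x00" + b"\x12\x34" + b"\x00\x08\xaa")
    return _packet(2, body)

# Constructed certificate: v4 RSA key packet with placeholder MPIs, a made-up
# user ID and one subkey. T_2010 / T_2024 are 2010-01-01 and 2024-07-07 UTC.
T_2010, T_2024 = 1262304000, 1720342317
PRIMARY = _packet(6, b"\x04" + T_2010.to_bytes(4, "big") + b"\x01\x00\x08\xab\x00\x03\x05")
UID = _packet(13, b"Example APT Archive Key (constructed)")
SUBKEY = _packet(14, PRIMARY[2:])
# Before: every binding signature made with SHA-1 (hash algo 2), as a 2010 key would.
KEYRING_BEFORE = PRIMARY + UID + _self_sig(0x13, 2, T_2010) + SUBKEY + _self_sig(0x18, 2, T_2010)
# After a fix: SHA-256 (8) binding signatures next to the old ones; the newest one counts.
KEYRING_AFTER = (PRIMARY + UID + _self_sig(0x13, 2, T_2010) + _self_sig(0x13, 8, T_2024)
                 + SUBKEY + _self_sig(0x18, 2, T_2010) + _self_sig(0x18, 8, T_2024))

if __name__ == "__main__":
    print("before:", weak_targets(KEYRING_BEFORE), "after:", weak_targets(KEYRING_AFTER))
```

To audit a real key, read the file in binary mode and pass the bytes to `weak_targets` (run an ASCII-armored file through `gpg --dearmor` first). `gpg --list-packets` prints the same two fields for each signature packet, as `sigclass 0x13` and `digest algo 2` (SHA-1) or `digest algo 8` (SHA-256); the script only makes the newest-signature-per-target comparison explicit, which is the one sqv applies when it decides whether the key is bound at the reference time.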
If we had switched to a new signing key without some transition plan, it would break Mopidy APT updates for everyone until they replaced their copy of the archive key.
According to my own testing after updating the key and the archive:
- If you do nothing, you’ll still see the above warning. Nothing has changed.
- If you update your system’s copy of the Mopidy APT archive’s signing key, as described above, the warning should go away.
This means that the fix is hopefully a strict improvement for everyone.
How the archive signing key was updated
If you’re managing an APT archive yourself and find this post searching for how to solve this issue, here’s how I did it:
- Use sq-keyring-linter to update the archive's secret key. Their README is quite useful. For me: gpg --export-secret-key 271D2943 | sq-keyring-linter --fix | gpg --import
- Export and publish an updated public key. For me: gpg --export 271D2943 > mopidy-archive-keyring.gpg, commit the change, and push to the mopidy/apt repo.
- Re-sign the archive's metadata files. For me, using reprepro to manage the archive: reprepro -b reprepro export, commit, and push to the mopidy/apt repo.