Repository key change

Posted: 25 Jul 2022 16:18
by hubert
Can you post some official confirmation that this new key for your raspbian package repository is legit please?

The key is available from keyserver.ubuntu.com, but without any mention on your site I can't tell if it's legit or your repo got hacked.

Err:5 https://repo.z-wave.me/z-way/raspbian buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D5AA8FC24C6547A2

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repo.z-wave.me/z-way/raspbian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D5AA8FC24C6547A2
W: Failed to fetch https://repo.z-wave.me/z-way/raspbian/dists/buster/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D5AA8FC24C6547A2

Re: Repository key change

Posted: 25 Jul 2022 16:24
by PoltoS
Hello!

Yes, the old key has expired and the new one is available from the key server. You can use the following script to update it:
https://storage.z-wave.me/RaspbianInstall (this is the script you used to download Z-Way)

Re: Repository key change

Posted: 25 Jul 2022 16:33
by hubert
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys D5AA8FC24C6547A2

also works
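
Added example, not part of the thread or the vendor's own tooling: the 16-hex key ID in the NO_PUBKEY error is only the tail of the key's fingerprint, so a key pulled from a keyserver is better checked against the full fingerprint, confirmed through a separate channel, before apt is told to trust it. The function names and key records below are constructed, and the zero-padded fingerprint is a placeholder, not the vendor's real one.

```shell
#!/bin/sh
# stdin: output of `gpg --show-keys --with-colons <downloaded-keyfile>`
# $1:    full 40-hex fingerprint confirmed out of band (assumption: you have one)
# $2:    current time in epoch seconds, e.g. "$(date +%s)"
check_repo_key() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" -v now="$2" '
        # pub record: field 2 = validity, field 7 = expiry (epoch, empty = never)
        $1 == "pub" { npub++; validity = $2; expires = $7; primary = 1; next }
        # the fpr record directly after pub carries the primary fingerprint
        $1 == "fpr" && primary { fpr = $10; primary = 0; next }
        END {
            if (length(want) != 40) { print "REJECT: need a full fingerprint, not a key ID"; exit 1 }
            if (npub != 1)          { print "REJECT: expected one primary key, found " (npub + 0); exit 1 }
            if (fpr != want)        { print "REJECT: fingerprint mismatch: " fpr; exit 1 }
            if (validity == "r")    { print "REJECT: key is revoked"; exit 1 }
            if (validity == "e" || (expires != "" && expires + 0 <= now + 0)) {
                print "REJECT: key is expired"; exit 1
            }
            print "OK: " fpr
        }'
}

# Constructed sample records. The fingerprint is a zero-padded PLACEHOLDER that
# merely ends in the key ID from the thread; it is not the real fingerprint.
sample_key() {
    cat <<'EOF'
pub:-:4096:1:D5AA8FC24C6547A2:1658300000:1973660000::-:::scESC::::::23::0:
fpr:::::::::000000000000000000000000D5AA8FC24C6547A2:
uid:-::::1658300000::::Constructed Repo Key <repo@example.invalid>::::::::::0:
EOF
}

# Constructed lookalike: same 64-bit key ID, different full fingerprint.
sample_lookalike() {
    sample_key | sed 's/:000000/:111111/'
}

# Demo run with a fixed clock (25 Jul 2022) so the result is reproducible.
sample_key | check_repo_key 000000000000000000000000D5AA8FC24C6547A2 1658765880
```

Once the fingerprint matches, the key can be stored in its own keyring file and referenced from the repository's sources entry with `signed-by=`, so it is trusted for that repository only.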

Re: Repository key change

Posted: 27 Jul 2022 16:00
by xurg
PoltoS wrote:
25 Jul 2022 16:24
Yes, the old key has expired and the new one is available from the key server. You can use the following script to update it:
https://storage.z-wave.me/RaspbianInstall (this is the script you used to download Z-Way)

Is there a reason why https://repo.z-wave.me/z-way/raspbian/p ... _armhf.deb apparently got at least touched along the way? It has a timestamp of July 20th, but it has been released for quite a while longer now. (I have not saved the old .deb so that I could cmp its contents.) A simple key exchange should not have affected the pool contents. Sorry for being paranoid, and I know no serious hacker would leave a silly timestamp like this, but I really think you should be extra transparent with all of your activities these days.

Re: Repository key change

Posted: 28 Jul 2022 00:50
by PoltoS
We have re-uploaded all .deb packages with fixed dependencies. The code was not re-compiled; only the .deb dependencies were altered. All this is to allow ARM 64-bit installations. Soon we will release the new script that will allow both ARM 32-bit and 64-bit installations.