How add key of 3rd party repo?

Discussion:

(too old to reply)

Hans

2024-09-22 16:50:01 UTC

Dear list,

I want to install jitsi-meet in Debian 12, but whatever I do, the system does not accept the key
for the repo.

There are several ways documented, but none of them is working. And some of them are mixed
with Ubuntu. But Ubuntu is not debian! This is what I tried:

1. What the jitsi-site says:
curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > /usr/share/
keyrings/jitsi-keyring.gpg'

2. What debian says:
curl -fsSL https://download.jitsi.org/jitsi-key.gpg.key | sq -o /usr/share/keyrings/jitsy-
key.gpg.key dearmor

alternatively

curl -fsSL https://download.jitsi.org/jitsi-key.gpg.key | gpg -o /usr/share/keyrings/jitsy-key.gpg
--dearmor

3.What I also did:
Copied the key to /usr/share/keyrings/

No success.

Copied the key to /etc/apt/trusted.gpg.d/

No success.

4. Full of despair tried "apt-key add" - deprecated!

No success.

What did I wrong? I also downloaded the key from the repository with a browser and copied
them (not using curl or wget in the commandline).

No I am lost, as there are several ways told in th eweb, but mostly Ubuntu based and maybe
not tested for debian. And: all are doing different!

Did I miss something else? Sadly apt-key is gone....

Best

Hans

Charles Curley

2024-09-22 17:10:01 UTC

Permalink

On Sun, 22 Sep 2024 18:44:04 +0200

Post by Hans
I want to install jitsi-meet in Debian 12, but whatever I do, the
system does not accept the key for the repo.
There are several ways documented, but none of them is working. And
some of them are mixed with Ubuntu. But Ubuntu is not debian! This is
curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg
--dearmor > /usr/share/ keyrings/jitsi-keyring.gpg'

When you do these things, *exactly* what results do you get? Copy and
paste the entire command line, including the prompt, the results, and
the next command line prompt.

In the line above, is there a typo: should there be a space between
"/share/" and "keyrings"?

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

Hans

2024-09-22 17:30:01 UTC

Permalink

Post by Charles Curley
On Sun, 22 Sep 2024 18:44:04 +0200

When you do these things, *exactly* what results do you get? Copy and
paste the entire command line, including the prompt, the results, and
the next command line prompt.
In the line above, is there a typo: should there be a space between
"/share/" and "keyrings"?

This is an eample:

curl -fsSL https://download.jitsi.org/jitsi-key.gpg.key | gpg -o /usr/share/keyrings/jitsy-key.gpg
--de
armor
No error messages!

Then

LANG=C apt-get update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://security.debian.org/debian-security bookworm-security InRelease

Hit:3 http://dl.winehq.org/wine-builds/debian bookworm InRelease

Hit:4 http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid InRelease

Hit:5 http://deb.debian.org/debian bookworm-updates InRelease

Hit:6 http://download.opensuse.org/repositories/home:/cabelo/Debian_12 InRelease

Hit:7 http://deb.debian.org/debian bookworm-backports InRelease

Hit:8 https://linux.teamviewer.com/deb stable InRelease

Hit:9 http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/Debian_12
InRelease
Hit:10 https://fasttrack.debian.net/debian-fasttrack bookworm-fasttrack InRelease

Hit:11 https://updates.signal.org/desktop/apt xenial InRelease

Hit:12 https://fasttrack.debian.net/debian-fasttrack bookworm-backports-staging InRelease

Hit:13 https://deb.opera.com/opera-stable stable InRelease
Get:14 https://download.jitsi.org stable/ InRelease [1682 B]
Err:14 https://download.jitsi.org stable/ InRelease
The following signatures couldn't be verified because the public key is not available:
NO_PUBKEY B4D2D216F1FD7806
Output directory /var/lib/debtags/ does not exist
Reading package lists... Done
W: GPG error: https://download.jitsi.org stable/ InRelease: The following signatures couldn't be
verified because the pub
lic key is not available: NO_PUBKEY B4D2D216F1FD7806
E: The repository 'https://download.jitsi.org stable/ InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
No key recognized.

And the entry in /etc/apt/sources.list.d/jitsi-stable.list is this:
deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable

Should be all ok, but it isn't.

Best

Hans

The Wanderer

2024-09-22 17:40:02 UTC

Permalink

Am Sonntag, 22. September 2024, 19:05:35 CEST schrieb Charles

Post by Charles Curley
On Sun, 22 Sep 2024 18:44:04 +0200

Post by Hans
I want to install jitsi-meet in Debian 12, but whatever I do,
the system does not accept the key for the repo.
There are several ways documented, but none of them is working.
And some of them are mixed with Ubuntu. But Ubuntu is not debian!
curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c
'gpg --dearmor > /usr/share/ keyrings/jitsi-keyring.gpg'

When you do these things, *exactly* what results do you get? Copy
and paste the entire command line, including the prompt, the
results, and the next command line prompt.
In the line above, is there a typo: should there be a space
between "/share/" and "keyrings"?

curl -fsSL https://download.jitsi.org/jitsi-key.gpg.key | gpg -o /usr/share/keyrings/jitsy-key.gpg
--dearmor
No error messages!

I notice that this is not the same filename as the one in the quote
further above. The original had 'jitsi-keyring.gpg', and this one has
'jitsy-key.gpg' - that's two differences.

(Also, this command line isn't 'including the prompt'.)

<snip>

deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable

This is referencing the original filename, not the one you used in your
"no error messages" command.

Does that file exist? If so, what contents does it have? Are they the
same as the one in the other filename?

Should be all ok, but it isn't.

If the file named in the sources.list entry doesn't exist (or has the
wrong contents), then I think that would explain it.

--
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw

Hans

2024-09-22 18:10:01 UTC

Permalink

Post by The Wanderer

Post by Hans
curl -fsSL https://download.jitsi.org/jitsi-key.gpg.key | gpg -o
/usr/share/keyrings/jitsy-key.gpg --dearmor
No error messages!

I notice that this is not the same filename as the one in the quote
further above. The original had 'jitsi-keyring.gpg', and this one has
'jitsy-key.gpg' - that's two differences.
(Also, this command line isn't 'including the prompt'.)

This might be an error by me, as there are several names in the different
documentations. I rechecked and the names are identical. Maybe a typo here in
this mail.

Post by The Wanderer
<snip>

Post by Hans
deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg]
https://download.jitsi.org stable

This is referencing the original filename, not the one you used in your
"no error messages" command.

Yes, this is the required entry of one of the documentations in the web. As I
mentioned before: There are several different instructions, and they are
different, as one is for Ubuntu, Ubuntu+Debian and Debian.

Post by The Wanderer
Does that file exist? If so, what contents does it have? Are they the
same as the one in the other filename?

Yes, it does exist.

Post by The Wanderer

Post by Hans
Should be all ok, but it isn't.

If the file named in the sources.list entry doesn't exist (or has the
wrong contents), then I think that would explain it.

Yes, you are correct, but I rechecked. There is "jitsi-keyring.gpg.key", which
is from the original jitsi-site, and there is also "jitsi-key.gpg", which is
from the jitsi-*keyring*.deb (on the original jitsi-meet website), which I
testwise downloaded manually and installed using dpkg.

At the moment, there is only one key existent: jitsi-keyring.gpg.key, which is
acually resides in /usr/share/keyrings/.

But I found the reason!

The eys are set "rw- --- ---", so they could not read.

This adds another problem: Looks like gpg or sq is setting wrong rights.

Several minutes ago I discovered another issue: /usr/bin/dpkg was set
to "rwx r-- r--", what is also wrong. As I did not change this, it must have
been changed by some upgrade. Had this issue already in 2014 (with a
mediathekview problem, same reason),

I suppose, we can safely close this. Thanks for your help, again laerned
something.

Best regards

Hans

David Wright

2024-09-23 01:00:01 UTC

Permalink

Post by Charles Curley
When you do these things, *exactly* what results do you get? Copy and
paste the entire command line, including the prompt, the results, and
the next command line prompt.

[ … ]

Post by Charles Curley
But I found the reason!
The eys are set "rw- --- ---", so they could not read.
This adds another problem: Looks like gpg or sq is setting wrong rights.
Several minutes ago I discovered another issue: /usr/bin/dpkg was set
to "rwx r-- r--", what is also wrong. As I did not change this, it must have
been changed by some upgrade. Had this issue already in 2014 (with a
mediathekview problem, same reason),
I suppose, we can safely close this. Thanks for your help, again laerned
something.

From the clues left dotted around, my bet is that you've messed up
your system with the way you become root, affecting its umask.

A couple of months ago (and back in 2020), you were exhorting Debian
to set a mask for users of at least 027, and I'm wondering whether,
in your case, it might have been changed to 077 since around one of
those times.

Back in 2014, you had the permissions on dpkg set to -rwxr-x---,
which would correspond to a umask of 027, so perhaps you had already
tightened your system from the Debian default, 022, to 027 by then.

So it now comes down to why system components are getting the user's
umask applied to them. For that, I looked back to 2014 when you seemed
to be a bit more forthcoming with pasting prompts into your posts.
Your first post in the thread¹ starts with:

| Ok, so let’s start as root:
|
| su -p
| ***@protheus2:~# LANG=C mediathekview

Well, three cases of su are:

~$ umask
0027 ← the securer default was set for this user.
~$ su
Password:
/home/auser# umask
0022 ← correct
/home/auser#
exit
~$ su -
Password:
~# umask
0022 ← correct
~#
logout
~$ su -p
Password:
~# umask
0027 ← wrong for root
~#
exit
~$

So I'm guessing that you've been installing things after having become
root with -p. I don't know whether APT and dpkg can themselves modify
any excessively restrictive umask, and I'm unwilling to test that here.

¹ https://lists.debian.org/debian-user/2014/07/msg00053.html

Cheers,
David.

Hans

2024-09-23 08:00:01 UTC

Permalink

Hi David,

this is a very good and value hint! What you are telling is very reasonable
and makes fully sense. Yes, in the past I olayed aroud mith umask, and it can
really happen, that I messed up things by doing so.

I will recheck my settings and if there are any missettings, of course correct
them to debian's actual default settings.

Besides, i am still concerned about the default umask settings, but this I
already mentioned and will not be reopened again.

Again: Thank you very much for pointing me to this!

Made me happy!

Best regards

Hans

Post by David Wright
From the clues left dotted around, my bet is that you've messed up
your system with the way you become root, affecting its umask.
A couple of months ago (and back in 2020), you were exhorting Debian
to set a mask for users of at least 027, and I'm wondering whether,
in your case, it might have been changed to 077 since around one of
those times.
Back in 2014, you had the permissions on dpkg set to -rwxr-x---,
which would correspond to a umask of 027, so perhaps you had already
tightened your system from the Debian default, 022, to 027 by then.
So it now comes down to why system components are getting the user's
umask applied to them. For that, I looked back to 2014 when you seemed
to be a bit more forthcoming with pasting prompts into your posts.
|
| su -p
~$ umask
0027 ← the securer default was set for this user.
~$ su
/home/auser# umask
0022 ← correct
/home/auser#
exit
~$ su -
~# umask
0022 ← correct
~#
logout
~$ su -p
~# umask
0027 ← wrong for root
~#
exit
~$
So I'm guessing that you've been installing things after having become
root with -p. I don't know whether APT and dpkg can themselves modify
any excessively restrictive umask, and I'm unwilling to test that here.
¹ https://lists.debian.org/debian-user/2014/07/msg00053.html
Cheers,
David.

Juri Grabowski

2024-09-23 17:10:01 UTC

Permalink

Hello together,

for the next time you can just run following commands to enable
jitsi-repo:

apt-get update ; apt-get -y install extrepo ;
extrepo enable jitsi-stable

Best Regards,
Juri Grabowski