No_pubkey b9aec3a21f035485

Hello,
I have an error on Debian 11 when I do a
sudo apt-get update

W: GPG error: https://linux-clients.seafile.com/seafile-deb/buster stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B9AEC3A21F035485
E: The repository 'https://linux-clients.seafile.com/seafile-deb/buster stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

Anyone can help me ?

I have the same problem using the (inofficial/undocumented) bullseye repository (https://linux-clients.seafile.com/seafile-deb/bullseye) on Bullseye.
The problem first showed up a few days ago.

The problem appears yesterday on my linux mint. What can we do ?

I solved with these 2 commands :slight_smile:

sudo wget https://linux-clients.seafile.com/seafile.asc -O /usr/share/keyrings/seafile-keyring.asc

and

For Ubuntu 18.04
sudo bash -c “echo ‘deb [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] Index of /seafile-deb/bionic/ stable main’ > /etc/apt/sources.list.d/seafile.list”

For Ubuntu 20.04
sudo bash -c “echo ‘deb [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] Index of /seafile-deb/focal/ stable main’ > /etc/apt/sources.list.d/seafile.list”

For Debian 10 + 11
sudo bash -c “echo ‘deb [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] Index of /seafile-deb/buster/ stable main’ > /etc/apt/sources.list.d/seafile.list”

I test this, but i had an error :slight_smile:

zsh: bad pattern: [arch=amd64

So, i modified manually /etc/apt/source.list.d/seafile.list and I deleted the line and added this :

deb [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] http://linux-clients.seafile.com/seafile-deb/focal/ stable main

and it works.

Why is this necessary? I don’t feel comfortable hard-coding the signer without a proper announcement from Seafile, because I don’t understand what it means.

All I know is that the keys are there for security purposes. If the key is suddenly no longer available in the keyserver, perhaps it’s because it has been retracted because the Seafile package was compromised?

This is the documented way to use the repository, see: Install On Linux - Seafile User Manual

The old key expires in less than two weeks. I guess that is the reason.

Old key:

# gpg /usr/share/keyrings/seafile-keyring.asc.old
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3072 2020-06-01 [SC] [expires: 2022-06-01]
      C789DBBD226BACFA3708053BB9AEC3A21F035485
uid           seafile <seafile@seafile.com>
sub   rsa3072 2020-06-01 [E] [expires: 2022-06-01]

New key:

# gpg /usr/share/keyrings/seafile-keyring.asc    
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3072 2022-05-10 [SC] [expires: 2024-05-09]
      658A84218F4954AAB205037A2B844307BE7E9E8C
uid           seafile <123456@qq.com>
sub   rsa3072 2022-05-10 [E] [expires: 2024-05-09]

I have to admit, the new UID looks fishy!

1 Like

@Jonathan
can you please this uid please?
uid seafile 123456@qq.com

1 Like

We updated the expiring key. But the maintainer made a mistake when generating the key by using an unofficial email address. Sorry for the concern it raised. We’ll update the key again soon.

1 Like

Thank you for confirming this key is safe. :+1:

@Jonathan any updates on this?

The key has been updated.

1 Like

Even though I’ve followed the instructions given in the documentation, when I do the sudo apt update on my system, I’m still getting the following error:

Err:7 https://linux-clients.seafile.com/seafile-deb/focal stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 2B844307BE7E9E8C

userX@minipc:~$ lsb_release -a  
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:        20.04
Codename:       focal

userX@minipc:~$ LANG=all sudo wget https://linux-clients.seafile.com/seafile.asc -O /etc/apt/trusted.gpg.d/seafile-keyring.asc | sudo apt-key add -
--2022-07-18 08:24:49--  https://linux-clients.seafile.com/seafile.asc
Resolving linux-clients.seafile.com (linux-clients.seafile.com)... 3.86.184.216
Connecting to linux-clients.seafile.com (linux-clients.seafile.com)|3.86.184.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2460 (2.4K) [application/octet-stream]
Saving to: '/etc/apt/trusted.gpg.d/seafile-keyring.asc'

/etc/apt/trusted.gp 100%[===================>]   2.40K  --.-KB/s    in 0s      

2022-07-18 08:24:50 (366 MB/s) - '/etc/apt/trusted.gpg.d/seafile-keyring.asc' saved [2460/2460]

userX@minipc:~$ sudo cat /etc/apt/sources.list.d/seafile.list     
deb [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] https://linux
-clients.seafile.com/seafile-deb/focal/ stable main

Any ideas @Jonathan ?

This is because they have messed up in their documentation. If you look closely at current key installation commands (Debian 11 for example):

sudo wget https://linux-clients.seafile.com/seafile.asc -O /etc/apt/trusted.gpg.d/seafile-keyring.asc
sudo bash -c "echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] https://linux-clients.seafile.com/seafile-deb/bullseye/ stable main' > /etc/apt/sources.list.d/seafile.list"

you will see that the asc is saved to:
/etc/apt/trusted.gpg.d/seafile-keyring.asc

but the “signed-by” in the repo installation is trying to reference the key from:
/usr/share/keyrings/seafile-keyring.asc

Hence it doesn’t work. To fix this, just change the path to the asc in the second command, i.e. for Debian 11 it should be:

sudo bash -c "echo 'deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/seafile-keyring.asc] https://linux-clients.seafile.com/seafile-deb/bullseye/ stable main' > /etc/apt/sources.list.d/seafile.list"

This applies to other distros and they should really update docs for all of them.

4 Likes