No_pubkey b9aec3a21f035485

Hello,
I have an error on Debian 11 when I do a
sudo apt-get update

W: GPG error: https://linux-clients.seafile.com/seafile-deb/buster stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B9AEC3A21F035485
E: The repository 'https://linux-clients.seafile.com/seafile-deb/buster stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

Can anyone help me?

I have the same problem using the (unofficial/undocumented) bullseye repository (https://linux-clients.seafile.com/seafile-deb/bullseye) on Bullseye.
The problem first showed up a few days ago.

The problem appeared yesterday on my Linux Mint. What can we do?

I solved it with these 2 commands :slight_smile:

sudo wget https://linux-clients.seafile.com/seafile.asc -O /usr/share/keyrings/seafile-keyring.asc

and

For Ubuntu 18.04
sudo bash -c "echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] https://linux-clients.seafile.com/seafile-deb/bionic/ stable main' > /etc/apt/sources.list.d/seafile.list"

For Ubuntu 20.04
sudo bash -c "echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] https://linux-clients.seafile.com/seafile-deb/focal/ stable main' > /etc/apt/sources.list.d/seafile.list"

For Debian 10 + 11
sudo bash -c "echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] https://linux-clients.seafile.com/seafile-deb/buster/ stable main' > /etc/apt/sources.list.d/seafile.list"

I tested this, but I had an error :slight_smile:

zsh: bad pattern: [arch=amd64

So, I manually modified /etc/apt/sources.list.d/seafile.list: I deleted the line and added this:

deb [arch=amd64 signed-by=/usr/share/keyrings/seafile-keyring.asc] http://linux-clients.seafile.com/seafile-deb/focal/ stable main

and it works.

Why is this necessary? I don’t feel comfortable hard-coding the signer without a proper announcement from Seafile, because I don’t understand what it means.

All I know is that the keys are there for security purposes. If the key is suddenly no longer available in the keyserver, perhaps it’s because it has been retracted because the Seafile package was compromised?

This is the documented way to use the repository, see: Install On Linux - Seafile User Manual

The old key expires in less than two weeks. I guess that is the reason.

Old key:

# gpg /usr/share/keyrings/seafile-keyring.asc.old
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3072 2020-06-01 [SC] [expires: 2022-06-01]
      C789DBBD226BACFA3708053BB9AEC3A21F035485
uid           seafile <seafile@seafile.com>
sub   rsa3072 2020-06-01 [E] [expires: 2022-06-01]

New key:

# gpg /usr/share/keyrings/seafile-keyring.asc    
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3072 2022-05-10 [SC] [expires: 2024-05-09]
      658A84218F4954AAB205037A2B844307BE7E9E8C
uid           seafile <123456@qq.com>
sub   rsa3072 2022-05-10 [E] [expires: 2024-05-09]

I have to admit, the new UID looks fishy!

1 Like
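The check discussed above (which key is in the keyring file, and when does it expire) can be scripted. The following is an added example, not part of any post in this thread and not Seafile's own tooling; `key_summary` and `verify_key` are hypothetical helper names, and the sample record is constructed from the fingerprint, UID and dates printed in the gpg output above.

```shell
#!/bin/sh
# Constructed sample in the record layout of `gpg --show-keys --with-colons`.
# Fingerprint, UID and dates are the ones shown in the thread; the exact
# timestamps (midnight UTC) are assumed.
SAMPLE_NEW_KEY='pub:-:3072:1:2B844307BE7E9E8C:1652140800:1715212800::-:::scESC::::::23::0:
fpr:::::::::658A84218F4954AAB205037A2B844307BE7E9E8C:
uid:-::::1652140800::::seafile <123456@qq.com>::::::::::0:'

# key_summary: colon listing on stdin -> "FINGERPRINT|EXPIRY_EPOCH|UID" for
# the first primary key (expiry 0 = never). Fails if no pub record is found.
key_summary() {
    awk -F: '
        $1 == "pub" && !seen { seen = 1; want_fpr = 1
                               expiry = ($7 == "") ? "0" : $7; next }
        $1 == "fpr" && want_fpr { fpr = $10; want_fpr = 0; next }
        $1 == "uid" && seen && uid == "" { uid = $10 }
        END { if (!seen) exit 1; printf "%s|%s|%s\n", fpr, expiry, uid }
    '
}

# verify_key EXPECTED_FPR NOW_EPOCH MIN_DAYS   (colon listing on stdin)
# Returns 0 if the primary fingerprint matches and the key stays valid for
# MIN_DAYS more days; 1 on mismatch, 2 if expired/expiring, 3 if unparsable.
verify_key() {
    summary=$(key_summary) || return 3
    fpr=${summary%%|*}; rest=${summary#*|}; expiry=${rest%%|*}
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    if [ "$fpr" != "$want" ]; then
        echo "fingerprint mismatch: file has $fpr" >&2; return 1
    fi
    if [ "$expiry" -ne 0 ] && [ "$expiry" -le $(( $2 + $3 * 86400 )) ]; then
        echo "key expires within $3 days" >&2; return 2
    fi
    echo "ok: $fpr uid=${rest#*|}"
}

# Real use, assuming a GnuPG that supports --show-keys:
#   gpg --show-keys --with-colons /usr/share/keyrings/seafile-keyring.asc |
#     verify_key "<fingerprint from a channel other than the download>" "$(date +%s)" 30
```

The comparison is only as good as the source of the expected fingerprint, so it should come from somewhere other than the server that delivered the key file.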

@Jonathan
can you please this uid please?
uid seafile 123456@qq.com

1 Like

We updated the expiring key. But the maintainer made a mistake when generating the key by using an unofficial email address. Sorry for the concern it raised. We’ll update the key again soon.

1 Like

Thank you for confirming this key is safe. :+1: