0

I am trying to set up a Dockerized Wheezy for some development whose production servers are still on this old unmaintained Debian version.

The main problem I get is with checking the GPG signatures of the official archive repositories.

Starting from the official docker image, replacing /etc/apt/sources.list with

deb http://archive.debian.org/debian wheezy main

if I try apt-get update I get the result:

W: GPG error: http://archive.debian.org wheezy Release: The following signatures were invalid: KEYEXPIRED 1587841717 KEYEXPIRED 1668891673 KEYEXPIRED 1557241909

Checking the GPG keys with apt-key list | grep expired

gpg: /etc/apt//trustdb.gpg: trustdb created
pub   4096R/2B90D010 2014-11-21 [expired: 2022-11-19]
pub   4096R/C857C906 2014-11-21 [expired: 2022-11-19]
pub   4096R/518E17E1 2013-08-17 [expired: 2021-08-15]
pub   4096R/473041FA 2010-08-27 [expired: 2018-03-05]
pub   4096R/B98321F9 2010-08-07 [expired: 2017-08-05]
pub   4096R/46925553 2012-04-27 [expired: 2020-04-25]
pub   4096R/65FFB764 2012-05-08 [expired: 2019-05-07]

So I update most of them with apt-key adv --recv-keys --keyserver keyserver.ubuntu.com $(apt-key list | grep expired | sed -E 's=[^/]+/([^ ]+).*=\1=g' | tr '\n' ' ') but I am still getting this result from apt-key list:

pub   4096R/518E17E1 2013-08-17 [expired: 2021-08-15]
pub   4096R/B98321F9 2010-08-07 [expired: 2017-08-05]
pub   4096R/65FFB764 2012-05-08 [expired: 2019-05-07]

And now a call to apt-get update gives W: GPG error: http://archive.debian.org wheezy Release: The following signatures were invalid: KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1668891673 KEYEXPIRED 1557241909

Then I tried getting the official Debian keyring deb, but it looks like it cannot be installed:

dpkg -i /tmp/debian-archive-keyring_2023.4_all.deb 
dpkg-deb: error: archive '/tmp/debian-archive-keyring_2023.4_all.deb' contains not understood data member control.tar.xz, giving up
dpkg: error processing /tmp/debian-archive-keyring_2023.4_all.deb (--install):
subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
  /tmp/debian-archive-keyring_2023.4_all.deb

apt-get --allow-unauthenticated update does not work, and neither does replacing the sources.list file content with

deb [trusted=yes] http://archive.debian.org/debian wheezy main

So is there a way to update those GPG keys or make it so apt does not check them?

Easiest way to experience the problem if you have docker available:

>docker run -it debian:7.11 bash
root@f391e03326c6:/# echo "deb http://archive.debian.org/debian wheezy main" > /etc/apt/sources.list
root@f391e03326c6:/# apt-get update --allow-unauthenticated

1 Answer

1

Debian 7 "Wheezy" has been end-of-life for over five years, since May 2018. For that reason, the expired PGP keys won't be renewed or replaced. You could use apt-get with --allow-unauthenticated, but you really should upgrade to a distribution that is still maintained. From man apt-get(8):

--allow-unauthenticated

Ignore if packages can't be authenticated and don't prompt about it. This can be useful while working with local repositories, but is a huge security risk if data authenticity isn't ensured in another way by the user itself. The usage of the Trusted option for sources.list(5) entries should usually be preferred over this global override. Configuration Item: APT::Get::AllowUnauthenticated.

3
  • --allow-unauthenticated does not do anything. I tried deleting the expired keys in case it would let it not try them, to no avail.
    – Arkh
    Sep 29 at 13:06
  • OK, it looks like the GPG messages are just warnings and not blocking errors.
    – Arkh
    Sep 29 at 14:08
  • Yes, and now you are accepting those warnings at your own risk. Sep 29 at 14:45
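
Added example (not part of the original question or answer): the numbers after KEYEXPIRED in the apt warning are Unix timestamps of key expiry, and this shell sketch converts them to dates and matches them against the [expired: ...] lines of apt-key list, using the question's own output as sample input. The function and variable names are made up for the illustration.

```shell
#!/bin/sh
# Added example: relate apt's KEYEXPIRED epochs to the keys apt-key reports.

# Sample input copied from the question's output (not live data).
APT_WARNING='W: GPG error: http://archive.debian.org wheezy Release: The following signatures were invalid: KEYEXPIRED 1587841717 KEYEXPIRED 1668891673 KEYEXPIRED 1557241909'
KEY_LIST='pub   4096R/2B90D010 2014-11-21 [expired: 2022-11-19]
pub   4096R/C857C906 2014-11-21 [expired: 2022-11-19]
pub   4096R/518E17E1 2013-08-17 [expired: 2021-08-15]
pub   4096R/473041FA 2010-08-27 [expired: 2018-03-05]
pub   4096R/B98321F9 2010-08-07 [expired: 2017-08-05]
pub   4096R/46925553 2012-04-27 [expired: 2020-04-25]
pub   4096R/65FFB764 2012-05-08 [expired: 2019-05-07]'

# Print each distinct number that follows a KEYEXPIRED token, one per line.
expired_epochs() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk 'prev == "KEYEXPIRED" { print } { prev = $0 }' | sort -u
}

# Convert a Unix timestamp to a UTC date (GNU/busybox date, then BSD date).
epoch_to_date() {
    date -u -d "@$1" +%Y-%m-%d 2>/dev/null || date -u -r "$1" +%Y-%m-%d
}

# Print the short ids of keys in list $2 marked "[expired: $1]".
keys_expired_on() {
    printf '%s\n' "$2" | awk -v d="$1" '
        $1 == "pub" && index($0, "[expired: " d "]") {
            split($2, part, "/"); print part[2]
        }'
}

# One line per KEYEXPIRED entry: epoch, expiry date, candidate key ids.
# Keys that expired on the same day cannot be told apart by date alone.
correlate() {
    for ts in $(expired_epochs "$1"); do
        day=$(epoch_to_date "$ts")
        ids=$(keys_expired_on "$day" "$2" | tr '\n' ' ')
        printf '%s %s %s\n' "$ts" "$day" "${ids% }"
    done
}

correlate "$APT_WARNING" "$KEY_LIST"
```

On a live system the two variables would be filled from the output of apt-get update and apt-key list instead of the pasted text.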
