Downloads.mender.io access denied error

It is kind of critical and I am not sure if this is the right place to ask. Accessing https://downloads.mender.io/repos/debian/ is currently not possible (access denied error) and when trying to access the repo with the previously always working GPG key I get now the error that the repo is not signed. Can anyone help me out?

Hi @danielbisar
yes, the old gpg key recently expired. You can renew it in the same way you installed the old one:

curl -fsSL https://downloads.mender.io/repos/debian/gpg | sudo tee /etc/apt/trusted.gpg.d/mender.asc

You can then verify it with:

   gpg --show-keys --with-fingerprint /etc/apt/trusted.gpg.d/mender.asc

reference: Downloads | Mender documentation

About the https://downloads.mender.io/repos/debian access, it’s expected that you cannot browse it, but still, it’s accessible by the package managers.

Thanks
Roberto

Hi,

I’m experiencing the same problem as @danielbisar. Followed your instructions and verified the key (expires 2024-10-23). But when performing apt update I get the following error:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://downloads.mender.io/repos/debian ubuntu/focal/stable InRelease: The following signatures were invd: EXPKEYSIG xxxxx Mender Team mender@northern.tech

Maybe it’s related to ubuntu 20 (focal)?

Any help is very appreciated. Thanks

Hi @Dave
then you should rebuild your local repository index: can you try following steps?

sudo apt-get clean
sudo mv /var/lib/apt/lists /tmp
sudo apt-get clean
sudo apt-get update

Roberto

Hi @robgio ,

I tried your instructions but unfortunately it did not resolve the problem.

Still getting errors:
W: GPG error: https://downloads.mender.io/repos/debian ubuntu/focal/stable InRelease: The following signatures were invalid: EXPKEYSIG xxxxx Mender Team mender@northern.tech
E: The repository ‘https://downloads.mender.io/repos/debian ubuntu/focal/stable InRelease’ is not signed.

I also noticed the not signed error. Could this be the cause?

Hi @Dave ,
the repository is actually signed, here’s my local test

root@646c7a45d1b3:/# apt-get update
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Get:5 https://downloads.mender.io/repos/debian ubuntu/focal/stable InRelease [3722 B]
Get:6 https://downloads.mender.io/repos/debian ubuntu/focal/stable/main amd64 Packages [1730 B]
Fetched 5452 B in 1s (4379 B/s)    
Reading package lists... Done

root@646c7a45d1b3:/# cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"

Can you list all your imported keys and verify if the new one is present? You should see at least one Mender key:

$ apt-key list
/etc/apt/trusted.gpg.d/mender.asc
---------------------------------
pub   rsa3072 2020-11-13 [SC] [expires: 2024-10-23]
      E6C8 5734 5575 F921 8396  5662 2407 2B80 A1B2 9B00
uid           [ unknown] Mender Team <mender@northern.tech>
sub   rsa3072 2020-11-13 [E] [expires: 2024-10-23]

If you see the old one, please remove it and import the new one again:

$ apt-key del /etc/apt/trusted.gpg.d/mender.asc
OK
$ curl -fsSL https://downloads.mender.io/repos/debian/gpg | sudo tee /etc/apt/trusted.gpg.d/mender.asc

And verify if it matches E6C8 5734 5575 F921 8396 5662 2407 2B80 A1B2 9B00 with the following command:

$ gpg --show-keys --with-fingerprint /etc/apt/trusted.gpg.d/mender.asc

Hi @robgio,

I found the root cause of the problem. Besides mender.asc there was also an expired Mender key in /etc/apt/trusted.gpg. Removed the expired one from trusted.gpg and importing the new one resolved the issue.

Thanks for all the support.