Downloads.mender.io access denied error

danielbisar · November 14, 2022, 9:18am

It is kind of critical and I am not sure if this is the right place to ask. Accessing https://downloads.mender.io/repos/debian/ is currently not possible (access denied error) and when trying to access the repo with the previously always working GPG key I get now the error that the repo is not signed. Can anyone help me out?

robgio · November 14, 2022, 11:30am

Hi @danielbisar
yes, the old gpg key recently expired. You can renew it in the same way you installed the old one:

curl -fsSL https://downloads.mender.io/repos/debian/gpg | sudo tee /etc/apt/trusted.gpg.d/mender.asc

You can then verify it with:

   gpg --show-keys --with-fingerprint /etc/apt/trusted.gpg.d/mender.asc

reference: Downloads | Mender documentation

About the https://downloads.mender.io/repos/debian access, it’s expected that you cannot browse it, but still, it’s accessible by the package managers.

Thanks
Roberto

Dave · November 24, 2022, 9:56am

Hi,

I’m experiencing the same problem as @danielbisar. Followed your instructions and verified the key (expires 2024-10-23). But when performing apt update I get the following error:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://downloads.mender.io/repos/debian ubuntu/focal/stable InRelease: The following signatures were invd: EXPKEYSIG xxxxx Mender Team mender@northern.tech

Maybe it’s related to ubuntu 20 (focal)?

Any help is very appreciated. Thanks

robgio · November 24, 2022, 3:53pm

Hi @Dave
then you should rebuild your local repository index: can you try following steps?

sudo apt-get clean
sudo mv /var/lib/apt/lists /tmp
sudo apt-get clean
sudo apt-get update

Roberto

Dave · November 24, 2022, 4:23pm

Hi @robgio ,

I tried your instructions but unfortunately it did not resolve the problem.

Still getting errors:
W: GPG error: https://downloads.mender.io/repos/debian ubuntu/focal/stable InRelease: The following signatures were invalid: EXPKEYSIG xxxxx Mender Team mender@northern.tech
E: The repository ‘https://downloads.mender.io/repos/debian ubuntu/focal/stable InRelease’ is not signed.

I also noticed the not signed error. Could this be the cause?

robgio · November 25, 2022, 7:43am

Hi @Dave ,
the repository is actually signed, here’s my local test

root@646c7a45d1b3:/# apt-get update
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Get:5 https://downloads.mender.io/repos/debian ubuntu/focal/stable InRelease [3722 B]
Get:6 https://downloads.mender.io/repos/debian ubuntu/focal/stable/main amd64 Packages [1730 B]
Fetched 5452 B in 1s (4379 B/s)    
Reading package lists... Done

root@646c7a45d1b3:/# cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"

Can you list all your imported keys and verify if the new one is present? You should see at least one Mender key:

$ apt-key list
/etc/apt/trusted.gpg.d/mender.asc
---------------------------------
pub   rsa3072 2020-11-13 [SC] [expires: 2024-10-23]
      E6C8 5734 5575 F921 8396  5662 2407 2B80 A1B2 9B00
uid           [ unknown] Mender Team <mender@northern.tech>
sub   rsa3072 2020-11-13 [E] [expires: 2024-10-23]

If you see the old one, please remove it and import the new one again:

$ apt-key del /etc/apt/trusted.gpg.d/mender.asc
OK
$ curl -fsSL https://downloads.mender.io/repos/debian/gpg | sudo tee /etc/apt/trusted.gpg.d/mender.asc

And verify if it matches E6C8 5734 5575 F921 8396 5662 2407 2B80 A1B2 9B00 with the following command:

$ gpg --show-keys --with-fingerprint /etc/apt/trusted.gpg.d/mender.asc

Dave · November 25, 2022, 8:34am

Hi @robgio,

I found the root cause of the problem. Besides mender.asc there was also an expired Mender key in /etc/apt/trusted.gpg. Removed the expired one from trusted.gpg and importing the new one resolved the issue.

Thanks for all the support.

SebSauer · February 21, 2023, 8:55am

Hey,

sorry to revive the topic here- I just did the express installation according to documentation on a Debian 11 and ran into the same error.

The documentary claims :

The Mender GPG public key and APT repository will be added to your trusted APT keychain and sources list respectively without asking for confirmation.

Error-Log:

W: https://downloads.mender.io/repos/debian/dists/debian/bullseye/stable/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/mender.asc are ignored as the file is not readable by user '_apt' executing apt-key.

W: GPG-Fehler: https://downloads.mender.io/repos/debian debian/bullseye/stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 24072B80A1B29B00

E: Das Depot »https://downloads.mender.io/repos/debian debian/bullseye/stable InRelease« ist nicht signiert. (is not signed.)

pseyfert · January 18, 2024, 11:55am

Any update on this issue? I too just went through those instructions and get

apt update
…
Err:27 https://downloads.mender.io/repos/debian ubuntu/focal/stable InRelease
  The following signatures were invalid: EXPKEYSIG 24072B80A1B29B00 Mender Team <mender@northern.tech>
Reading package lists... Done

while the key looks fine

pseyfert@canephora:~ > gpg --show-keys --with-fingerprint /etc/apt/trusted.gpg.d/mender.asc                                                                                                          12:54:23
pub   rsa3072 2020-11-13 [SC] [expires: 2024-10-23]
      E6C8 5734 5575 F921 8396  5662 2407 2B80 A1B2 9B00
uid                      Mender Team <mender@northern.tech>
sub   rsa3072 2020-11-13 [E] [expires: 2024-10-23]

robgio · January 18, 2024, 12:00pm

Maybe you also have the expired key in the old keyring. Does this command shows multiple Mender keys?

sudo apt-key list

pseyfert · January 18, 2024, 1:32pm

yes, i did. now after fixing

sudo apt-key list
…
/etc/apt/trusted.gpg.d/mender.asc
---------------------------------
pub   rsa3072 2020-11-13 [SC] [expires: 2024-10-23]
      E6C8 5734 5575 F921 8396  5662 2407 2B80 A1B2 9B00
uid           [ unknown] Mender Team <mender@northern.tech>
sub   rsa3072 2020-11-13 [E] [expires: 2024-10-23]

the error changes

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://downloads.mender.io/repos/debian ubuntu/focal/stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 24072B80A1B29B00

robgio · January 18, 2024, 1:40pm

Can you please retry to download the new gpg key and hit update?

curl -fsSL https://downloads.mender.io/repos/debian/gpg | sudo tee /etc/apt/trusted.gpg.d/mender.asc

apt-get update

Topic		Replies	Views
Mender client installation couldn't proceed with error - Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 18.238.25.107 443] General Discussions mender-client	8	347	July 11, 2023
"Can not fetch update image" error General Discussions	2	684	June 9, 2019
Downloads.mender.io is not trusted by Debian WSL command line on Win 10 General Discussions	3	109	November 16, 2023
SSL CA certificate setup on mender production General Discussions	5	2066	November 27, 2019
Certificate issue when upgrading server from 2.6 to 3.2.1 General Discussions	8	535	May 4, 2022

Downloads.mender.io access denied error

Related Topics