Change Linux signing key via keyring package
See original GitHub issue details in https://github.com/brave/devops/issues/361
Note that this involves:
- Rotating the key (details in issue above)
- Updating the linux install documentation to show the new key
QA steps (only needs to be done on Linux):
- For each Linux platform, download the key that is linked in https://brave-browser.readthedocs.io/en/latest/installing-brave.html#linux in the Release Channel section (for instance https://brave-browser-apt-release.s3.brave.com/brave-core.asc)
- Import the downloaded key into gpg:
  gpg --import /path/to/downloaded/file
- Run the command
  gpg --list-keys $KEY_ID
  where KEY_ID is the ID of the key that you just imported. This should be displayed in the terminal output from step 2.
- There should be no keys that show rsa2048, only rsa4096.
Issue Analytics
- State:
- Created 5 years ago
- Comments:23 (17 by maintainers)
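The QA check from the issue above as a script, added here as an example and not part of the original issue: it reads `gpg --with-colons` output and reports every primary key or subkey that is not rsa4096. The function names and the sample listing are constructed for illustration; `check_keyfile` uses `gpg --show-keys`, which inspects the downloaded file without importing it.

```sh
#!/bin/sh
# Added example: automates the "no rsa2048, only rsa4096" QA check.

# Reads `gpg --with-colons` output on stdin. In that format field 1 is the
# record type, field 3 the key length, field 4 the public-key algorithm ID
# (1-3 are the RSA variants) and field 5 the key ID.
# Prints every primary key (pub) or subkey (sub) that is not rsa4096 and
# returns non-zero if any was found.
audit_listing() {
  awk -F: '
    $1 == "pub" || $1 == "sub" {
      is_rsa = ($4 >= 1 && $4 <= 3)
      if (!is_rsa || $3 + 0 != 4096) {
        name = (is_rsa ? "rsa" : ("algo" $4 "-"))
        printf "%s %s%s %s\n", $1, name, $3, $5
        bad = 1
      }
    }
    END { exit bad + 0 }
  '
}

# Inspects a downloaded key file without importing it into the keyring.
# Assumes a GnuPG release that provides --show-keys.
check_keyfile() {
  gpg --show-keys --with-colons "$1" | audit_listing
}

# Constructed sample listing (key IDs and dates are made up): one rsa4096
# key with an rsa4096 subkey, followed by an old rsa2048 key and subkey.
sample_listing() {
  cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1546300800:::-:::scESC::::::23::0:
uid:-::::1546300800::::Example Release Key (constructed)::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1546300800::::::e::::::23:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1483228800:::-:::scESC::::::23::0:
sub:-:2048:1:DDDDDDDDDDDDDDDD:1483228800::::::e::::::23:
EOF
}

# Demo on the constructed sample; for a real file call: check_keyfile FILE
if sample_listing | audit_listing; then
  echo "PASS: only rsa4096 keys"
else
  echo "FAIL: keys listed above are not rsa4096"
fi
```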
Top GitHub Comments
@Mikaela Hi there. Thank you for reporting this. Yesterday when the 0.58.9 dev build was released it was signed with the wrong key, as you’ve discovered. I just resigned the packages and put them up for you to use. Please report back if you experience any issues.
My guess as to what’s happening is that you installed Brave prior to our changing the installation instructions and fixing the key update mechanism. If that’s the key, there would have been an old key in /etc/apt/trusted.gpg on your machine (instead of the new location of /etc/apt/trusted.gpg.d/brave-browser-release.gpg). This will have been cleaned up automatically in the upgrade of brave-keyring and as long as you keep that package up-to-date, you shouldn’t run into the same problems again.