Problem during installation: The repository is not signed

Question

Problem during installation: The repository is not signed

sosnus opened this issue a year ago · 4 comments

sosnus commented a year ago

Compatible Device

I'm running Raspotify on a compatible Device

Are you sure?

I'm not trying to run Raspotify on a ARMv6 device

Compatible OS

I'm running Raspotify on a compatible OS

Compatible Configuration

I'm running Raspotify on a compatible Configuration

Latest Version

I'm running the latest version of Raspotify

Are you sure?

I'm not running Raspotify 0.31.8.1 on a Pi v1 or Pi Zero

Due Diligence

I have done my due diligence

What happened?

Hi, I try install dtcooper/raspotify on fresh installation of Debian 11 on RPi2.
When I execute this script, I see output like this:

hal9000@raspberrypi:~ $ sudo apt-get -y install curl && curl -sL https://dtcooper.github.io/raspotify/install.sh | sh
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
curl is already the newest version (7.74.0-1.3+deb11u7).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Hit:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease
Get:2 https://dtcooper.github.io/raspotify raspotify InRelease [3,143 B]                
Hit:3 http://archive.raspberrypi.org/debian bullseye InRelease                          
Err:2 https://dtcooper.github.io/raspotify raspotify InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXXXXXXXX
Reading package lists... Done
W: GPG error: https://dtcooper.github.io/raspotify raspotify InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 09146F2F7953A455
E: The repository 'https://dtcooper.github.io/raspotify raspotify InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Maybe I forgot about something?

Why I see:

W: GPG error: https://dtcooper.github.io/raspotify raspotify InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 09146F2F7953A455
E: The repository 'https://dtcooper.github.io/raspotify raspotify InRelease' is not signed.

Should I do it in less secure way?

Relevant log output and/or the contents of /etc/raspotify/crash_report if any ( sudo journalctl -u raspotify -b and sudo cat /etc/raspotify/crash_report )

cd: /etc/raspotify/: No such file or directory

Answer 1 · 2023-04-22T23:18:48.000Z

For some strange reason the key wasn't downloaded in the install process from the looks of things?

It should be at /usr/share/keyrings/raspotify_key.asc.

If it's not there you should be able to fix the issue with:

curl -sSL https://dtcooper.github.io/raspotify/key.asc | sudo tee /usr/share/keyrings/raspotify_key.asc >/dev/null

sudo chmod 644 /usr/share/keyrings/raspotify_key.asc

Answer 2 · 2023-04-23T18:27:11.000Z

Successfully add key using Your commands:

curl -sSL https://dtcooper.github.io/raspotify/key.asc | sudo tee /usr/share/keyrings/raspotify_key.asc >/dev/null
sudo chmod 644 /usr/share/keyrings/raspotify_key.asc

But still same problem :/

hal9000@raspberrypi:~ $ sudo chmod 644 /usr/share/keyrings/raspotify_key.asc
hal9000@raspberrypi:~ $ sudo apt-get -y install curl && curl -sL https://dtcooper.github.io/raspotify/install.sh | sh
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
curl is already the newest version (7.74.0-1.3+deb11u7).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Hit:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease
Hit:2 http://archive.raspberrypi.org/debian bullseye InRelease              
Get:3 https://dtcooper.github.io/raspotify raspotify InRelease [3,143 B]    
Err:3 https://dtcooper.github.io/raspotify raspotify InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 09146F2F7953A455
Reading package lists... Done
W: GPG error: https://dtcooper.github.io/raspotify raspotify InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 09146F2F7953A455
E: The repository 'https://dtcooper.github.io/raspotify raspotify InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
hal9000@raspberrypi:~ $

Answer 3 · 2023-04-23T18:54:36.000Z

hmmm, after reading a lot of threads on StackOverflow, I found solution, but I don't know it is safety option or not.
If You want avoid this problem, execute:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 09146F2F7953A455

before:

sudo apt-get -y install curl && curl -sL https://dtcooper.github.io/raspotify/install.sh | sh

Spotify working, so for me everything is ok. What do You mean @JasonLG1979 , should we close this issue?
And of course, thank You for rapid response to question! ;)

Answer 4 · 2023-04-23T19:49:14.000Z

I'm not sure why it happens but I've used Debian based OS's almost exclusively for over 15 yrs and I can count on 1 hand how many times I've had key issues. I'd call it a fluke. 99.999% of the time there should be no reason to explicitly/manually trust the key, but as far as I can tell it's safe to do so, so long as you trust where the key comes from.

This really isn't a Raspotify bug. We're doing everything right. It's just that for some reason unknown (to me at least) something went sideways. You just happened to be that 0.001%.

It's good info to have though so if anyone else has the same issue I can point them to this bug report.