Package: extrepo
Version: 0.8
Severity: normal

If I install a package using a supported external repo:

    extrepo enable brave_release
    apt update
    apt install brave-browser

the current Brave signing key will automatically be fetched and placed in /var/lib/extrepo/keys/.

However, when Brave updates their signing key, then what I get is a message along the lines of:

    $ sudo apt update
    ...
    Err:3 https://brave-browser-apt-release.s3.brave.com stable InRelease
      The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
    ...
    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://brave-browser-apt-release.s3.brave.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
    W: Failed to fetch https://brave-browser-apt-release.s3.brave.com/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
    W: Some index files failed to download. They have been ignored, or old ones used instead.

until, assuming the new signing key was merged in the extrepo-data repository, I manually refresh the local key using:

    extrepo update brave_release

Given that upstream key rotations such as these should generally be encouraged (as opposed to never-expiring or 10-year-long expiries), many users are going to get stuck with broken updates and won't know from the apt error message that they need to do an extrepo update.

I suggest a simple fix: a daily cronjob or systemd timer which goes through all enabled repos and updates the local copy of the keys. These keys are already signed by extrepo, so the trust chain is maintained at all times.

Francois

--
https://fmarier.org/
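
One way to implement the refresh job suggested in the report above, as an added example that is not part of the original report or of extrepo itself. It assumes extrepo keeps one extrepo_<name>.sources file per repository in /etc/apt/sources.list.d and marks disabled ones with "Enabled: no"; SOURCES_DIR, EXTREPO, the two function names and the --run switch are names made up for this example.

```shell
#!/bin/sh
# Added example: refresh the keys of every repository enabled through extrepo.
# Assumption: extrepo writes one file per repository, named
# extrepo_<name>.sources, into /etc/apt/sources.list.d.

SOURCES_DIR="${SOURCES_DIR:-/etc/apt/sources.list.d}"
EXTREPO="${EXTREPO:-extrepo}"   # overridable, e.g. EXTREPO=echo for a dry run

# Print the names of the enabled extrepo repositories in directory $1,
# one per line.
list_enabled_repos() {
    for f in "$1"/extrepo_*.sources; do
        [ -e "$f" ] || continue          # glob matched nothing
        # Assumption: a disabled repository carries the deb822 field
        # "Enabled: no"; apt ignores it, so there is no key to refresh.
        if grep -qi '^Enabled:[[:space:]]*no' "$f"; then
            continue
        fi
        name=${f##*/extrepo_}
        printf '%s\n' "${name%.sources}"
    done
}

# Run "extrepo update <name>" for each enabled repository.
# Returns non-zero if any update failed, so cron or systemd reports it.
refresh_all() {
    rc=0
    for repo in $(list_enabled_repos "$SOURCES_DIR"); do
        if ! "$EXTREPO" update "$repo"; then
            echo "extrepo update failed for $repo" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Only act when asked to, e.g. from a daily cron entry or the ExecStart
# line of a systemd service driven by a timer: <script path> --run
if [ "${1:-}" = "--run" ]; then
    refresh_all
fi
```

The job only calls `extrepo update`, so the fetched keys go through the same extrepo signature check as a manual refresh.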