[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Debian is not allowing tor to update despite it being listed as a trusted respritory



Thank you. But running wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

Simply displays a message "no valid openpgp data found". My sources file looks like this now.deb http://deb.debian.org/debian buster main
deb-src http://deb.debian.org/debian buster main

## Major bug fix updates produced after the final release of the
## distribution.
deb http://security.debian.org/ buster/updates main
deb-src http://security.debian.org/ buster/updates main

deb http://deb.torproject.org/torproject.org buster main
deb http://deb.torproject.org/torproject.org buster main

deb-src http://deb.torproject.org/torproject.org buster main



## Uncomment the following two lines to add software from the 'backports'
## repository.
##
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
deb http://deb.debian.org/debian buster-backports main
deb-src http://deb.debian.org/debian buster-backports main
deb http://ftp.de.debian.org/debian stretch main
deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org buster main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org buster main

Thank you.


--Keifer


On Wed, May 4, 2022 at 7:27 PM tor admin via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx> wrote:
Your sources.list file entry looks incorrect.  I would definitely not recommend using trust=yes for a repo like tor, as it bypasses apt's security checks.

According to the instructions you linked, your source for the tor packages should be listed in /etc/apt/sources.list.d/tor.list as something like:

deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org buster main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org buster main

The instructions tell you how to import the repo key as well:


# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null



On 5/3/22 13:10, Keifer Bly wrote:
I am not sure how to get rid of the trusty / ubuntu packages? I simply followed the instructions here:


Thanks.
--Keifer


On Mon, May 2, 2022 at 10:31 PM Keifer Bly <keifer.bly@xxxxxxxxx> wrote:

Hi all,

 

So I am running a tor relay on Debian, but no matter what when updating tor there is an “updating from such a respiritpry can’t be done securely and is therefore disabled by default”. Here is the log

 

 

Get:1 http://security.debian.org buster/updates InRelease [65.4 kB]

Hit:2 http://deb.debian.org/debian buster InRelease

Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]

Get:4 http://deb.debian.org/debian buster-backports InRelease [46.7 kB]

Ign:5 http://ftp.de.debian.org/debian stretch InRelease

Hit:6 http://ftpde.debian.org/debian stretch Release

Ign:7 http://deb.torproject.org/torproject.org trusty InRelease

Ign:8 http://deb.torproject.org/torproject.org trusty Release

Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:10 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:12 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:13 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:10 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:12 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:13 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:14 https://deb.torproject.org/torproject.org amd64 InRelease

Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:10 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:12 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:13 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Err:15 https://deb.torproject.org/torproject.org amd64 Release

  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 95.216.163.36 443]

Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:10 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:12 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:13 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:10 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:12 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:13 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:10 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:12 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:13 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Err:9 http://deb.torproject.org/torproject.org trusty/main Sources

  404  Not Found [IP: 116.202.120.166 80]

Ign:10 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:12 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:13 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Reading package lists... Done

N: Ignoring file 'DEADJOE' in directory '/etc/apt/sources.list.d/' as it has no filename extension

E: The repository 'https://deb.torproject.org/torproject.org amd64 Release' does not have a Release file.

N: Updating from such a repository can't be done securely, and is therefore disabled by default.

N: See apt-secure(8) manpage for repository creation and user configuration details.

root@vps-3e661acc:/home/debian# nano /etc/apt/sources.list

root@vps-3e661acc:/home/debian# nano /etc/apt/sources.list

root@vps-3e661acc:/home/debian# apt-get update

Hit:1 http://security.debian.org buster/updates InRelease

Hit:2 http://deb.debian.org/debian buster InRelease

Hit:3 http://deb.debian.org/debian buster-updates InRelease

Hit:4 http://deb.debian.org/debian buster-backports InRelease

Ign:5 https://deb.torproject.org/torproject.org amd64 InRelease

Ign:6 http://ftp.de.debian.org/debian stretch InRelease

Ign:7 http://deb.torproject.org/torproject.org trusty InRelease

Hit:8 http://ftp.de.debian.org/debian stretch Release

Ign:9 http://deb.torproject.org/torproject.org trusty Release

Err:10 https://deb.torproject.org/torproject.org amd64 Release

  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 116.202.120.165 443]

Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:13 http://deb.torproject.org/torprojectorg trusty/main all Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torprojectorg/torproject.org trusty/main amd64 Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en

Err:11 http://deb.torproject.org/torproject.org trusty/main Sources

  404  Not Found [IP: 95.216.163.36 80]

Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en

Reading package lists... Done

N: Ignoring file 'DEADJOE' in directory '/etc/apt/sourceslist.d/' as it has no filename extension

E: The repository 'https://deb.torproject.org/torproject.org amd64 Release' does not have a Release file.

N: Updating from such a repository can't be done securely, and is therefore disabled by default.

N: See apt-secure(8) manpage for repository creation and user configuration details.

root@vps-3e661acc:/home/debian# tor

May 03 05:20:21.468 [notice] Tor 0.4.5.10 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, Libzstd 1.3.8 and Glibc 2.28 as libc.

May 03 05:20:21.469 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning

May 03 05:20:21.469 [notice] Read configuration file "/etc/tor/torrc".

May 03 05:20:21.470 [notice] Based on detected system memory, MaxMemInQueues is set to 1462 MB. You can override this by setting MaxMemInQueues by hand.

May 03 05:20:21.472 [notice] Opening Control listener on 127.0.0.1:9051

May 03 05:20:21.472 [notice] Opened Control listener connection (ready) on 127.0.0.1:9051

May 03 05:20:21.472 [notice] Opening OR listener on 0.0.0.0:9001

May 03 05:20:21.472 [notice] Opened OR listener connection (ready) on 0.0.0.0:9001

May 03 05:20:21.472 [notice] Opening OR listener on [::]:9001

May 03 05:20:21.472 [notice] Opened OR listener connection (ready) on [::]:9001

May 03 05:20:21.472 [notice] Opening Directory listener on 0.0.0.0:9030

May 03 05:20:21.472 [notice] Opened Directory listener connection (ready) on 0.0.0.0:9030

root@vps-3e661acc:/home/debian# sudo apt update && sudo apt install -y --only-upgrade tor

Hit:1 http://security.debian.org buster/updates InRelease

Hit:2 http://deb.debian.org/debian buster InRelease

Hit:3 http://deb.debian.org/debian buster-updates InRelease

Hit:4 http://deb.debian.org/debian buster-backports InRelease

Ign:5 http://ftp.de.debian.org/debian stretch InRelease

Hit:6 http://ftp.de.debian.org/debian stretch Release

Ign:7 https://deb.torproject.org/torproject.org amd64 InRelease

Ign:8 http://deb.torproject.org/torproject.org trusty InRelease

Ign:9 http://deb.torproject.org/torproject.org trusty Release

Err:10 https://deb.torproject.org/torproject.org amd64 Release

  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 116.202.120.165 443]

Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:13 http://debtorproject.org/torproject.org trusty/main amd64 Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:11 http://debtorproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources

Ign:12 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Err:11 http://deb.torproject.org/torproject.org trusty/main Sources

  404  Not Found [IP: 95.216.163.36 80]

Ign:12 http://deb.torproject.org/torproject.org trusty/main all Packages

Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64 Packages

Ign:14 http://deb.torproject.org/torproject.org trusty/main Translation-en

Ign:15 http://deb.torproject.org/torproject.org trusty/main Translation-en_US

Reading package lists... Done

N: Ignoring file 'DEADJOE' in directory '/etc/apt/sources.list.d/' as it has no filename extension

E: The repository 'https://deb.torproject.org/torproject.org amd64 Release' does not have a Release file.

N: Updating from such a repository can't be done securely, and is therefore disabled by default.

N: See apt-secure(8) manpage for repository creation and user configuration details.

 

This happens despite tor being listed as trsuted in my sources file:

 

## Note, this file is written by cloud-init on first boot of an instance

## modifications made here will not survive a re-bundle.

## if you wish to make changes you can:

## a.) add 'apt_preserve_sources_list: true' to /etc/cloud/cloud.cfg

##     or do the same in user-data

## b.) add sources in /etc/apt/sources.list.d

## c.) make changes to template file /etc/cloud/templates/sources.list.debian.tmpl

###

 

# See http://www.debianorg/releases/stable/i386/release-notes/ch-upgrading.html

# for how to upgrade to newer versions of the distribution.

deb http://deb.debian.org/debian buster main

deb-src http://deb.debian.org/debian buster main

 

## Major bug fix updates produced after the final release of the

## distribution.

deb http://security.debian.org/ buster/updates main

deb-src http://security.debian.org/ buster/updates main

deb [trusted=yes] http://deb.debian.org/debian buster-updates main

deb-src [trusted=yes] http://deb.debian.org/debian buster-updates main

 

## Uncomment the following two lines to add software from the 'backports'

## repository.

##

## N.B. software from this repository may not have been tested as

## extensively as that contained in the main release, although it includes

## newer versions of some applications which may provide useful features.

deb http://deb.debian.org/debian buster-backports main

deb-src http://deb.debian.org/debian buster-backports main

deb http://ftp.de.debian.org/debian stretch main

 

deb [trusted=yes] http://deb.torproject.org/torproject.org trusty main

deb-src [trusted=yes] http://deb.torproject.org/torproject.org trusty main

 

 

So, for some reason Debian is seeing tor as untrusted despite that it has been listed as trusted. Tor is being run as root so its not a restricted user error. I am wondering why this might be happening? Thanks.

 

 

--Keifer

 


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays