[Bug]: signature verification issue for install cli on Debian Trixie
What happened?
Apart from formatting issues (mentioned in https://github.com/ooni/ooni.org/issues/1848#issuecomment-3437403986) and permission issues (in https://github.com/ooni/ooni.org/issues/1849), there is still a problem on Debian Trixie (current stable) with the instructions in https://ooni.org/install/cli/ubuntu-debian/ and it refuses to proceed:
```
% sudo apt-get update
Hit:1 http://security.debian.org/debian-security trixie-security InRelease
Hit:2 https://deb.debian.org/debian trixie InRelease
Hit:3 https://deb.debian.org/debian trixie-updates InRelease
Hit:4 https://deb.debian.org/debian trixie-backports InRelease
Get:5 https://deb.ooni.org unstable InRelease [972 B]
Err:5 https://deb.ooni.org unstable InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Failed to parse keyring "/etc/apt/keyrings/ooni-apt-keyring.gpg" Caused by: 0: Reading "/etc/apt/keyrings/ooni-apt-keyring.gpg": EOF 1: EOF
Reading package lists... Done
W: OpenPGP signature verification failed: https://deb.ooni.org unstable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Failed to parse keyring "/etc/apt/keyrings/ooni-apt-keyring.gpg" Caused by: 0: Reading "/etc/apt/keyrings/ooni-apt-keyring.gpg": EOF 1: EOF
E: The repository 'https://deb.ooni.org unstable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```
Browser
Firefox
What platform are you running?
Linux
Contact Details
GitHub
That seems to be because gpg 2.4.7-21+b3, present in Debian Stable (Trixie), uses a new binary format ("keybox") which is incompatible with apt, which causes the first step of the instructions [^1] to create an incompatible key.
E.g.
```
% file -L /etc/apt/keyrings/ooni-apt-keyring.gpg /usr/share/keyrings/debian-archive-trixie-stable.gpg
/etc/apt/keyrings/ooni-apt-keyring.gpg: GPG keybox database version 1, created-at Thu Oct 23 14:24:53 2025, last-maintained Thu Oct 23 14:24:53 2025
/usr/share/keyrings/debian-archive-trixie-stable.gpg: OpenPGP Public Key Version 4, Created Mon Mar 24 18:56:21 2025, EdDSA; User ID; Signature; OpenPGP Certificate
```
The solution is to use the much more stable ASCII-armored interchange format (e.g. as described in apt-secure(8)). That solution (key in a separate ASCII-armored .asc file) should be supported by both older and newer Debian-based distributions.
OONI could ideally host their ASCII-armored key on their website, but for the moment I've retrieved it from that Ubuntu keyserver manually. The full workaround for me was:
```
% sudo rm /etc/apt/keyrings/ooni-apt-keyring.gpg # remove old key in incompatible "keybox" format (from official instructions)
% sudo wget -q -O /etc/apt/keyrings/ooni-apt-keyring.asc "https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0xB5A08F01796E7F521861B449372D1FF271F2DD50" # fetch the key in ASCII-armored format
% sudo chmod 644 /etc/apt/keyrings/ooni-apt-keyring.asc # fix permissions from #1849
% sudo sed -e 's/gpg/asc/g' -i /etc/apt/sources.list.d/ooniprobe.list # rename extension from `.gpg` (binary format used by the official instructions) to `.asc` for ASCII-armored format
```
That workaround finally allowed `apt-get update` and the following `apt-get install ooniprobe-cli` to work.
But ideally the whole section should be reworked to simplify this "kludging" process.
[^1]: `sudo gpg --no-default-keyring --keyserver hkp://keyserver.ubuntu.com --keyring /etc/apt/keyrings/ooni-apt-keyring.gpg --recv-keys 'B5A08F01796E7F521861B449372D1FF271F2DD50'`
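
A check for the format mismatch shown by `file -L` in the comment above, written as an added example (not part of the original issue or of OONI's instructions). It classifies a keyring file by its leading bytes using only POSIX `od` and `tr`; the function names are hypothetical, and the `.asc`/`.gpg` extension pairing is the one used in the workaround above.

```shell
#!/bin/sh
# Added example: classify an apt keyring file by its leading bytes, so a
# GnuPG keybox written under a .gpg name is caught before apt-get update.

# Helper: print the selected bytes as one lowercase hex string.
hex() { od -An -tx1 "$@" 2>/dev/null | tr -d ' \n'; }

# Prints one of: empty, keybox, armored, binary, unknown.
keyring_format() {
    f=$1
    # Missing or zero-length file.
    [ -s "$f" ] || { echo empty; return 0; }
    # GnuPG keybox: the header blob carries the magic "KBXf" at byte offset 8.
    if [ "$(hex -j8 -N4 "$f")" = "4b425866" ]; then echo keybox; return 0; fi
    # ASCII armor: the file starts with the public key block header line.
    armor='-----BEGIN PGP PUBLIC KEY BLOCK-----'
    if [ "$(hex -N${#armor} "$f")" = "$(printf '%s' "$armor" | hex)" ]; then
        echo armored; return 0
    fi
    # Binary OpenPGP: the first packet is a public key (tag 6), with an
    # old-format header byte 0x98/0x99 or a new-format header byte 0xc6.
    case "$(hex -N1 "$f")" in
        98|99|c6) echo binary ;;
        *) echo unknown ;;
    esac
}

# Succeeds when the content matches the extension convention from the
# workaround above: .asc for ASCII-armored, .gpg for binary OpenPGP.
keyring_ok_for_apt() {
    case "$1:$(keyring_format "$1")" in
        *.asc:armored|*.gpg:binary) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: sh check-keyrings.sh /etc/apt/keyrings/*
for k in "$@"; do
    printf '%s: %s\n' "$k" "$(keyring_format "$k")"
done
```

A file reported as `keybox` under a `.gpg` name is the case described in this issue.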