LEAP Encryption Access Project

Repository Key Refresh

We screwed up and let our Debian repository key expire. The responsible parties have been punished (no more free back rubs). You have three options to fix this:

option 1 - blindly upgrade

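You can just ignore the warnings about the packages being unauthenticated. This will upgrade your leap-keyring package, which includes the updated key. This is potentially dangerous and should be avoided: with authentication switched off, apt installs whatever it is served during this upgrade without checking any signature.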

apt-get update --allow-unauthenticated
apt-get upgrade --allow-unauthenticated

option 2 - re-add key without checking fingerprint

You can simply re-import the key to your apt keyring. This method is less dangerous, but since the only thing authenticating the downloaded key is the HTTPS connection, it requires you to trust the certificate authority system (which is never a good idea).

curl https://dl.bitmask.net/apt.key | apt-key add -

option 3 - update the key from keyserver

With this method, we update the key by pulling it from a keyserver and then importing to apt-key. This method is the most secure (so long as you follow all the steps and actually verify the fingerprint).

Find the long key-id of the current LEAP archive signing key:

apt-key adv --list-keys --keyid-format 0xLONG

You should see this among the output:

pub   4096R/0x1E34A1828E207901 2013-02-06 [expired: 2014-02-06]
uid                            LEAP archive signing key 

Now, grab that specific key-id from a keyserver, and verify the fingerprint:

gpg --recv-key 0x1E34A1828E207901
gpg --fingerprint 0x1E34A1828E207901

You should see this as output:

pub   4096R/8E207901 2013-02-06 [expires: 2015-02-07]
      Key fingerprint = 1E45 3B2C E87B EE2F 7DFE  9966 1E34 A182 8E20 7901
uid                  LEAP archive signing key 

Make sure that the fingerprint in this output matches the long key-id you listed with apt-key: the last 16 hex digits of the fingerprint (1E34 A182 8E20 7901) are the long key-id. Without this step, it would be very easy for an attacker to feed you a bogus key.

Finally, import the key into apt-key:

gpg --armor --export 0x1E34A1828E207901 | sudo apt-key add -
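
The option 3 check as a script, added here as an example (not LEAP's own code): it reads the fingerprint from gpg's machine-readable --with-colons output instead of by eye, and refuses to import unless it equals the fingerprint printed above in full and ends in the long key-id. The function names and the sample colon listing are constructed for illustration, and the script assumes you trust the fingerprint as shown on this page.

```shell
# Added example, not LEAP's script. Function names are illustrative.
KEYID=0x1E34A1828E207901                                           # from the page
EXPECTED_FPR="1E45 3B2C E87B EE2F 7DFE  9966 1E34 A182 8E20 7901"  # from the page

# Strip whitespace and a leading 0x, then uppercase.
normalize() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# primary key's fingerprint (field 10 of the first "fpr" record).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_key FPR EXPECTED KEYID: succeed only if FPR is 40 hex digits,
# equals EXPECTED in full, and its last 16 digits are the long key-id.
verify_key() {
    fpr=$(normalize "$1"); expected=$(normalize "$2"); keyid=$(normalize "$3")
    case "$fpr" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    [ "$fpr" = "$expected" ] || return 1
    [ "$(printf '%s' "$fpr" | cut -c25-40)" = "$keyid" ]
}

# The page's option 3 with the check enforced. Needs gpg, network and sudo,
# so it is only defined here; call refresh_key yourself.
refresh_key() {
    gpg --recv-key "$KEYID" || return 1
    got=$(gpg --with-colons --fingerprint "$KEYID" | fpr_from_colons)
    if ! verify_key "$got" "$EXPECTED_FPR" "$KEYID"; then
        echo "fingerprint mismatch, not importing" >&2
        return 1
    fi
    # Export by full fingerprint so only the verified key reaches apt-key.
    gpg --armor --export "$got" | sudo apt-key add -
}

# Constructed sample of colon-format output (timestamps are made up).
SAMPLE='pub:e:4096:1:1E34A1828E207901:1360108800:1391644800::-:::sc:
fpr:::::::::1E453B2CE87BEE2F7DFE99661E34A1828E207901:
uid:e::::1360108800::::LEAP archive signing key:'

demo=$(printf '%s\n' "$SAMPLE" | fpr_from_colons)
verify_key "$demo" "$EXPECTED_FPR" "$KEYID" && echo "verified: $demo"
```

A key that merely shares the long key-id fails the full-fingerprint comparison, so nothing is passed to apt-key in that case.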