Is this a security issue? Regolith repos secure?

[andrewebdev]

When trying to run updates, (sudo apt update && sudo apt upgrade) I get Public key errors:

Get:8 https://regolith-desktop.org/release-ubuntu-jammy-amd64 jammy InRelease [2,376 B]
Err:8 https://regolith-desktop.org/release-ubuntu-jammy-amd64 jammy InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY

and

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://regolith-desktop.org/release-ubuntu-jammy-amd64 jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY

This is making me feel slightly anxious, and I'm wondering why the public key is no longer available, or why it changed. How do I know the repo is secure, and someone didn't change it to add malware to the repos?

[kgilmer]

Hi @andrewebdev , have a look here: https://github.com/orgs/regolith-linux/discussions/888 In essence the previous signing key expired and a new one was generated. You just need to replace the expired key with the new one.

[andrewebdev]

thx!

[andrewebdev]

Hmm, the origin and labels also changed .... it makes me nervous. Was that also part of the update?

Get:8 https://regolith-desktop.org/release-ubuntu-jammy-amd64 jammy InRelease [2,376 B]
E: Repository 'https://regolith-desktop.org/release-ubuntu-jammy-amd64 jammy InRelease' changed its 'Origin' value from 'https://regolith-release-ubuntu-jammy-amd64.s3.us-east-2.amazonaws.com' to 'https://regolith-desktop.org/release-ubuntu-jammy-amd64'
E: Repository 'https://regolith-desktop.org/release-ubuntu-jammy-amd64 jammy InRelease' changed its 'Label' value from 'https://regolith-release-ubuntu-jammy-amd64.s3.us-east-2.amazonaws.com' to 'https://regolith-desktop.org/release-ubuntu-jammy-amd64'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.

Apologies if I'm a bit over-cautious.

[kgilmer]

No need to apologize @andrewebdev , you raise valid and important concerns. I would ask the same questions. Regarding the change to Origin and Label, this was done to reduce overhead costs of the project. Earlier I was relying on AWS for file storage and compute for arm64 builds, but the monthly costs ended up being more than I felt the project could handle. So, over time, I moved away from AWS. This repo configuration change is part of that migration. More specifically, voulage is the Regolith build system, package builds are implemented as GitHub workflows. Here is one commit (of several) I made as part of that migration off of S3.

More generally, everything about the Regolith Desktop project is open other than the package signing key and repo server credentials. If there are any questions about how packages are built or how they might be verified I'd be happy to answer them.

Perhaps I should keep a public log of these kinds of infrastructure and configuration changes, but I'm not sure if people would think to look for such a thing. Let me know if you have any ideas on how we can improve!

[andrewebdev]

Thx for the clarification. I guessed it may have to do with AWS costs when I noticed the host change, but wanted to confirm. 'Tis the nature of open source and passion projects, I guess. We have to save costs.

Most people just say "yes" when they see updates without a second thought, so I doubt documenting the changes would lead people to see it. That said, a pinned post explaining the Key and Repo changes might be good for others that run into the same issue. This way they can know why it's happening and how they can resolve it etc. And would people like myself at ease ;)

[kgilmer]

That said, a pinned post explaining the Key and Repo changes might be good for others that run into the same issue.

Good call. I'll try this out next time any user-impacting infra changes are made