Authentication warning when installing on Raspbian

I followed the instructions from here, and I got the following output:

$ sudo apt-get install syncthing
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  syncthing
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 2.935 kB of archives.
After this operation, 0 B of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  syncthing
Install these packages without verification [y/N]? 

I googled a little, and then I did this:

$ sudo apt-key adv --recv-key --keyserver pool.sks-keyservers.net D26E6ED000654A3E
$ sudo apt-key adv --recv-key --keyserver pool.sks-keyservers.net 49F5AEC0BCE524C7
$ sudo apt-get update

I still get the same authentication warning. I thought it best to report this, rather than just installing.

Did I do something wrong?

Are the install instructions complete?

What package does it actually try to install (version, architecture)? It looks to me like things are set up correctly, the packages are signed, and

jb@syno:~ $ curl -s https://syncthing.net/release-key.txt | gpg -v
gpg: armor header: Version: GnuPG v1
pub  2048R/D26E6ED000654A3E 2014-12-29 Syncthing Release Management <release@syncthing.net>
sig        D26E6ED000654A3E 2014-12-29   [selfsig]
sig        49F5AEC0BCE524C7 2014-12-29   Jakob Borg (calmh) <jakob@nym.se>
sub  2048R/681C3CFCF614F575 2014-12-29
sig        D26E6ED000654A3E 2014-12-29   [keybind]
sub  4096R/2B9FAE4C37C86D31 2015-05-11 [expires: 2025-05-08]
sig        D26E6ED000654A3E 2015-05-11   [keybind]

(That last key is the one that signs the packages.) It looks like the same key is on the key servers, although your import command stalls for me for whatever reason.

Thanks for the reply! Does the following output answer your question about the version and architecture?

$ apt-cache show syncthing 
Package: syncthing
Version: 0.11.6
Architecture: armhf
Maintainer: Syncthing Release Management <release@syncthing.net>
Depends: libc6
Filename: dists/syncthing/release/binary-armhf/syncthing_0.11.6_armhf.deb
Size: 2935192
MD5sum: 894cbe5b6f5ab65e8b648bb173d7d8be
SHA1: 0f707d763d6e960d3708c9a02bb2e6928d1f358e
SHA256: df4484c3be30175385be808f0c25cc1665eec3e943d886b90fcca0be569f23ef
Description: Open Source Continuous File Synchronization
 Syncthing does bidirectional synchronization of files between two or
 more computers.

Yeah, it’s the right package (and checksum). Googling around seems to indicate there are various bugs in dpkg-sig causing it to fail verification.
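
An added example, not part of the thread and not Syncthing's own code: one way to check a downloaded .deb against the Size and SHA256 fields that `apt-cache show` prints, as in the output above. The function names and the sample data are constructed for illustration. A match only ties the file to the index entry; whether the index itself is trusted is decided by apt's signature check on the repository, which is what the warning is about.

```python
import hashlib

def parse_stanza(text):
    """Parse one control stanza (as printed by `apt-cache show`) into a dict."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the stanza
        if line[0] in " \t" and last:
            fields[last] += "\n" + line.strip()  # continuation line (e.g. Description)
        else:
            name, _, value = line.partition(":")
            last = name.strip()
            fields[last] = value.strip()
    return fields

def verify_deb(fields, data):
    """Return a list of mismatches between the index fields and the file's bytes."""
    if "SHA256" not in fields:
        return ["index stanza has no SHA256 field"]
    problems = []
    if "Size" in fields and int(fields["Size"]) != len(data):
        problems.append(f"size: index {fields['Size']}, file {len(data)}")
    digest = hashlib.sha256(data).hexdigest()
    if digest != fields["SHA256"].lower():
        problems.append(f"sha256: index {fields['SHA256']}, file {digest}")
    return problems

# Constructed sample: stand-in bytes for a .deb and a stanza built to match them.
SAMPLE_DEB = b"constructed stand-in for a .deb payload"
SAMPLE_STANZA = (
    "Package: example\n"
    "Version: 0.0.1\n"
    "Architecture: armhf\n"
    f"Size: {len(SAMPLE_DEB)}\n"
    f"SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}\n"
    "Description: constructed sample\n"
    " second line of the description\n"
)

if __name__ == "__main__":
    fields = parse_stanza(SAMPLE_STANZA)
    print(verify_deb(fields, SAMPLE_DEB) or "OK: file matches index entry")
    print(verify_deb(fields, SAMPLE_DEB + b"x"))  # altered file: both checks fail
```

To use it on a real package, pass the text of `apt-cache show syncthing` to `parse_stanza` and the bytes of the downloaded file to `verify_deb`.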