There are new and old repos, you’re pointing to old repos…which are signed with an old key (key ID 31D2…). If you installed when the old repos were in use, the installer would have installed the public key used to verify that signature.
Use sudo apt-key list to see which Virtualmin key you have. If you have the Virtualmin 6 key, you’ve downgraded your repos to the old ones. Why?
If you have no Virtualmin key listed…I’m not sure how that’d happen. I guess you removed it?
You can reinstall the key with (this is for the old key):
Why are there old broken repos around? Also why have the version number in the repo path when the version number is already inherent in the package file? Is there a web page that lists the correct apt-get paths for 6.0.9 gpl?
Adding that repo also gets errors.
Is there some good reason why the existing repo has not been fixed such that 6.0.9 gpl which is already in that repo, actually installs?
Err:9 http://software.virtualmin.com/vm/6/gpl/apt virtualmin-universal InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY D9F9010760D62A6B
Err:11 http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release.gpg
The following signatures were invalid: 31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9
Reading package lists… Done
W: GPG error: http://software.virtualmin.com/vm/6/gpl/apt virtualmin-universal InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY D9F9010760D62A6B
E: The repository ‘http://software.virtualmin.com/vm/6/gpl/apt virtualmin-universal InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
$ sudo apt-key list| head -n 11
Warning: apt-key output should not be parsed (stdout is not a terminal)
/etc/apt/trusted.gpg
End users don’t generally see it or need to care about it. It is imported during installation.
The old repository is no longer used by the installer and hasn’t been for a couple of years. I can’t change the key without breaking it for everyone…there is no non-breaking way to do it.
How do you only have the one repo? Did you not install with the install script? It sets up both repos (universal and the distro specific one). Adding /vm/6 to both of the old repo paths is all that is needed to go from old to new repos.
I had the old repo from the original install on Ubuntu 16.04 The machine has been upgraded to 18.04 since then. I was trying to get 6.08 to upgrade to 6.09 without losing all my settings.
I see. That’s unfortunate. While the old key was valid, you could have released an update that installs the new key, then after “some time” has passed, you could re-sign the repository with the new key instead of the old one.
Unfortunately the old key appears to no longer be trusted by Ubuntu 18.04 so upgrades fail. Resigning the old repository with the new key would allow upgrades to work, but the new key would have to be manually added.
I’ve seen other vendors include both the /etc/apt/sources.list.d/*.list file and the /etc/apt/trusted.gpg.d/*.gpg file in the package. This allows one to manually install the .deb and then have updates automatically installed later. I’d recommend this approach.
I did run the install script, long ago. Since then I only run apt to apply updates. I generally have unattended-upgrades enabled. On dev systems I add “*:*” to the upgrade list so that packages from all listed repositories are upgraded automatically. On this host, the failed sha1 key was causing it to reject the Release file as it could not validate with the Release.gpg as the 3* key, though installed, is to low security to be “trusted”.
In general, apt is the way to install updates on Debian and Ubuntu systems. Changes like repository paths should be done inside the package, either by including files as mentioned above, or less preferably, by including scripts that do modifications at package installation time.