Virtualmin fails to upgrade

Running on Ubuntu 18.04 I have 6.08 installed and apt won’t upgrade to 6.09. I had to download and install the .deb manually.

$ cat /etc/apt/sources.list.d/virtualmin.list
deb http://software.virtualmin.com/gpl/ubuntu/ virtualmin-universal main

$ sudo apt update&&sudo apt dist-upgrade
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:4 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Hit:5 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:6 http://dl.google.com/linux/chrome/deb stable Release
Ign:7 http://software.virtualmin.com/gpl/ubuntu virtualmin-universal InRelease
Hit:8 http://archive.canonical.com/ubuntu bionic InRelease
Get:9 http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release [9447 B]
Get:10 http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release.gpg [195 B]
Err:10 http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release.gpg
The following signatures were invalid: 31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9
Fetched 9642 B in 2s (5973 B/s)
Reading package lists… Done
Building dependency tree
Reading state information… Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release: The following signatures were invalid: 31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9
W: Failed to fetch http://software.virtualmin.com/gpl/ubuntu/dists/virtualmin-universal/Release.gpg The following signatures were invalid: 31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

You might want to update the source.list . I am not sure, but I think its not the latest one.

http://software.virtualmin.com/vm/6/gpl/apt/

And btw, it wont update to 6.09 by running apt. You manually need to install that.
Thats the link: http://www.webmin.com/vdownload.html

Download it with wget and install it with dpkg -i webmin-virtual-server_6.09.gpl_all.deb

There are new and old repos, you’re pointing to old repos…which are signed with an old key (key ID 31D2…). If you installed when the old repos were in use, the installer would have installed the public key used to verify that signature.

Use sudo apt-key list to see which Virtualmin key you have. If you have the Virtualmin 6 key, you’ve downgraded your repos to the old ones. Why?

If you have no Virtualmin key listed…I’m not sure how that’d happen. I guess you removed it?

You can reinstall the key with (this is for the old key):

# wget https://software.virtualmin.com/lib/RPM-GPG-KEY-virtualmin
# apt-key import RPM-GPG-KEY-virtualmin

If you have the new (Virtualmin 6, key ID E36F…) key listed, just fix your repo paths to point to the right ones.

Why are there old broken repos around? Also why have the version number in the repo path when the version number is already inherent in the package file? Is there a web page that lists the correct apt-get paths for 6.0.9 gpl?

Adding that repo also gets errors.
Is there some good reason why the existing repo has not been fixed such that 6.0.9 gpl which is already in that repo, actually installs?

Err:9 http://software.virtualmin.com/vm/6/gpl/apt virtualmin-universal InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY D9F9010760D62A6B
Err:11 http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release.gpg
The following signatures were invalid: 31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9
Reading package lists… Done
W: GPG error: http://software.virtualmin.com/vm/6/gpl/apt virtualmin-universal InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY D9F9010760D62A6B
E: The repository ‘http://software.virtualmin.com/vm/6/gpl/apt virtualmin-universal InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

$ sudo apt-key list| head -n 11
Warning: apt-key output should not be parsed (stdout is not a terminal)
/etc/apt/trusted.gpg

pub dsa1024 2005-07-11 [SC]
31D2 B188 72EA F68E FB81 F81D E8DD 3FA0 A0BD BCF9
uid [ unknown] Virtualmin, Inc. security@virtualmin.com
sub elg2048 2005-07-11 [E]

pub dsa1024 2002-02-28 [SCA]
1719 003A CE3E 5A41 E2DE 70DF D97A 3AE9 11F6 3C51
uid [ unknown] Jamie Cameron jcameron@webmin.com
sub elg1024 2002-02-28 [E]

See my post Virtualmin fails to upgrade .

The old repos are not broken. You’re missing a public key.

Edit: Hm…Actually, you seem to have the old key. No idea why it’s failing to validate signature. Have you tried apt-get clean?

Ah! The message:

The following signatures were invalid: 31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9

is due to the old key not being secure enough for the new apt. Removing the old repository source and adding the new repository key fixed the issue.

$ wget -qO- http://software.virtualmin.com/lib/RPM-GPG-KEY-virtualmin-6 | sudo apt-key add -
Side note: It would be nice to remove RPM- from the name as this is not just for RPMs.

It would be nice if the old repository were resigned with a more secure key. I guess people have to change something to get the new key anyway.

What should be listed on Ubuntu 18.04 in apt sources? Right now I have only:

$ cat /etc/apt/sources.list.d/virtualmin.list
deb http://software.virtualmin.com/vm/6/gpl/apt/ virtualmin-universal main

I guess you could add: deb http://software.virtualmin.com/vm/6/gpl/apt virtualmin-bionic main too if you want.

End users don’t generally see it or need to care about it. It is imported during installation.

The old repository is no longer used by the installer and hasn’t been for a couple of years. I can’t change the key without breaking it for everyone…there is no non-breaking way to do it.

How do you only have the one repo? Did you not install with the install script? It sets up both repos (universal and the distro specific one). Adding /vm/6 to both of the old repo paths is all that is needed to go from old to new repos.

I had the old repo from the original install on Ubuntu 16.04 The machine has been upgraded to 18.04 since then. I was trying to get 6.08 to upgrade to 6.09 without losing all my settings.

I see. That’s unfortunate. While the old key was valid, you could have released an update that installs the new key, then after “some time” has passed, you could re-sign the repository with the new key instead of the old one.

Unfortunately the old key appears to no longer be trusted by Ubuntu 18.04 so upgrades fail. Resigning the old repository with the new key would allow upgrades to work, but the new key would have to be manually added.

I’ve seen other vendors include both the /etc/apt/sources.list.d/*.list file and the /etc/apt/trusted.gpg.d/*.gpg file in the package. This allows one to manually install the .deb and then have updates automatically installed later. I’d recommend this approach.

I did run the install script, long ago. Since then I only run apt to apply updates. I generally have unattended-upgrades enabled. On dev systems I add “*:*” to the upgrade list so that packages from all listed repositories are upgraded automatically. On this host, the failed sha1 key was causing it to reject the Release file as it could not validate with the Release.gpg as the 3* key, though installed, is to low security to be “trusted”.

In general, apt is the way to install updates on Debian and Ubuntu systems. Changes like repository paths should be done inside the package, either by including files as mentioned above, or less preferably, by including scripts that do modifications at package installation time.

Thanks for the help!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.