Hi, the Brave apt repo key is expired.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://brave-browser-apt-release.s3.brave.com bionic InRelease: The following signatures were invalid: EXPKEYSIG 4FE13824E3FFC656 Brave Software support@brave.com
W: Failed to fetch https://brave-browser-apt-release.s3.brave.com/dists/bionic/InRelease The following signatures were invalid: EXPKEYSIG 4FE13824E3FFC656 Brave Software support@brave.com
Do this, it appears to have fixed it for me:
curl -s https://brave-browser-apt-release.s3.brave.com/brave-core.asc | sudo apt-key --keyring /etc/apt/trusted.gpg.d/brave-browser-release.gpg add -
Thanks, that fixed it. Closing.
Without trying to sound alarmist, that ticks every checkbox in a packaging server compromise.
With the old key:
/etc/apt/trusted.gpg.d/brave-browser-release.gpg
------------------------------------------------
pub rsa4096 2018-10-15 [SC] [expires: 2019-08-08]
D8BA D4DE 7EE1 7AF5 2A83 4B2D 0BB7 5829 C2D4 E821
uid [ unknown] Brave Software <support@brave.com>
sub rsa2048 2018-10-15 [S] [expires: 2019-08-08]
The key isn't expired. You downloaded a key from the same server that throws a signature error, i.e., you just used the attacker's key to verify the compromised package (and subsequently got no error, since that's how signature verification works).
This bug isn't closed. The documentation still mentions the old key, so we need an official answer on what happened since the old key isn't yet expired.
@deZillium You make a good point. Re-opened.
@deZillium I found this on brave community forum.
https://community.brave.com/t/linux-users-please-update-your-linux-repos/53810
So it's probably not compromised. (Unless an attacker infiltrated the support staff, but that's just tinfoil hat)
I may be paranoid, but I'm still not satisfied with that. The post mentions that the key expires on April 13th. The key (as shown above by me) actually expires on August 8th (that's a 4-month difference, so not a typo).
I may need a new tin-foil hat, mine is getting pretty worn out by now.
@deZillium Then why did the key expire yesterday? I've had the key in my system for a long time. Only yesterday did it show "EXPKEYSIG 4FE13824E3FFC656" which I'm pretty sure means expired.
Just saying what "apt-key list" shows me. There are two "different" keys in apt-key: one source is trusted.gpg (output below) and the other is trusted.gpg.d/brave-browser-release.gpg (output above). Why the "same" key appears twice with matching IDs and different expirations is beyond me, unless someone extended the expiration date (but then shouldn't the key in trusted.gpg be updated?).
pub rsa4096 2018-10-15 [SC] [expired: 2019-04-13]
D8BA D4DE 7EE1 7AF5 2A83 4B2D 0BB7 5829 C2D4 E821
uid [ expired] Brave Software <support@brave.com>
(notice how the fingerprint matches the previous output)
cc: @mbacchi @bkero @mihaiplesa
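An added check for the situation described above (the same fingerprint present in two keyrings with different expirations); this is example code, not Brave's tooling. It parses the colon-format output apt-key gets from gpg for each keyring file, and the two listings below are constructed to mirror the ones quoted in this thread; the fingerprint it pins is assumed to have been taken from the vendor's published key page, not from the repository host that failed verification.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Fingerprint pinned from the vendor's published key page, never fetched from the repo host.
EXPECTED_FPR = "D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821"

# Constructed `gpg --with-colons` output mirroring the two listings quoted in the thread
# (expiry epochs: 1555113600 = 2019-04-13, 1565222400 = 2019-08-08).
SAMPLE = {
    "/etc/apt/trusted.gpg": (
        "pub:e:4096:1:0BB75829C2D4E821:1539561600:1555113600::-:::scSC:\n"
        "fpr:::::::::D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821:\n"
        "uid:e::::1539561600::0000::Brave Software <support@brave.com>:\n"
        "sub:e:2048:1:4FE13824E3FFC656:1539561600:1555113600:::::s:\n"),
    "/etc/apt/trusted.gpg.d/brave-browser-release.gpg": (
        "pub:-:4096:1:0BB75829C2D4E821:1539561600:1565222400::-:::scSC:\n"
        "fpr:::::::::D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821:\n"
        "uid:-::::1539561600::0000::Brave Software <support@brave.com>:\n"
        "sub:-:2048:1:4FE13824E3FFC656:1539561600:1565222400:::::s:\n"),
}

def parse_keyring(text):
    """Return [(fingerprint, expiry as ISO date or None, key id)] per primary key."""
    keys, pending = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":                  # field 5 = key id, field 7 = expiry epoch
            pending = (f[4], f[6])
        elif f[0] == "fpr" and pending:    # first fpr after pub is the primary fingerprint
            keyid, exp = pending
            exp = datetime.fromtimestamp(int(exp), timezone.utc).date().isoformat() if exp else None
            keys.append((f[9], exp, keyid))
            pending = None
    return keys

def audit(listings, expected_fpr):
    """Group keys by fingerprint across keyrings; flag unpinned keys and expiry conflicts."""
    seen = defaultdict(list)
    for path, text in listings.items():
        for fpr, exp, _ in parse_keyring(text):
            seen[fpr].append((path, exp))
    findings = []
    for fpr, places in seen.items():
        if fpr != expected_fpr:
            findings.append(("unexpected-key", fpr, places))
        elif len({exp for _, exp in places}) > 1:
            findings.append(("same-key-different-expiry", fpr, places))
    return findings
```

To audit a real system, feed `audit()` a dict of `gpg --no-default-keyring --keyring PATH --with-colons --list-keys` output for each keyring file apt-key lists; a "same-key-different-expiry" finding is exactly the stale-copy case in this thread, while "unexpected-key" means a key that does not match the pinned fingerprint.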
We changed the installation instructions in #2509 so that the Brave key would no longer be in the global keyring (/etc/apt/trusted.gpg), but rather in its own one (/etc/apt/trusted.gpg.d/brave-browser-release.gpg). The brave-keyring package now takes care of providing the key in the latter location.
So you can safely delete the old one now:
apt-key --keyring /etc/apt/trusted.gpg del D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821
If you run through the installation instructions again, you will get the new key. It's actually the same key as before, but we extended the expiration on it since it was going to expire last Saturday.
We are working on a proper key rotation mechanism that will be seamless, so make sure you have the brave-keyring package installed to avoid these kinds of errors in the future.
Sorry you all experienced this. We are moving to have the signing key managed (optionally) by the brave-keyring package, which should have rotated this key out.
I (as the author) did not expect old copies of the installation instructions to be installing the key in an alternative location (from an older version of the instructions).
When the key went live, we also posted the new copy up at https://brave.com/signing-keys for verification.
A future version of the brave-keyring package will handle removing these expired keys. Thank you for bringing them to our attention. I'll be deploying this later today, pending code review.
@bkero Updating to the latest brave-keyring version (1.2) reports these warnings:
Setting up brave-keyring (1.2) ...
Warning: The postinst maintainerscript of the package brave-keyring
Warning: seems to use apt-key (provided by apt) without depending on gnupg or gnupg2.
Warning: This will BREAK in the future and should be fixed by the package maintainer(s).
Note: Check first if apt-key functionality is needed at all - it probably isn't!
OK
Not opening a separate bug report, since it's work on this bug that caused the warnings. As far as I can tell it's just the package dependencies that generate the warnings (manually checking the dependencies doesn't show any of the usual "Depends:" lines).
Apt depends on those packages, as the "apt-cache depends apt" output shows:
Depends: adduser
|Depends: gpgv
gpgv:i386
|Depends: gpgv2
Depends: gpgv1
gpgv1:i386
Depends: debian-archive-keyring
Depends: init-system-helpers
Depends: libapt-pkg5.0
Depends: libc6
Depends: libgcc1
Depends: libstdc++6
Breaks: apt-utils
|Recommends: gnupg
gnupg:i386
|Recommends: gnupg2
Recommends: gnupg1
gnupg1:i386
Suggests: apt-doc
|Suggests: aptitude
aptitude:i386
|Suggests: synaptic
Suggests: wajig
Suggests: dpkg-dev
Suggests: powermgmt-base
Suggests: python-apt
Replaces: apt-utils
"apt-cache depends brave-keyring" on the other hand shows that there are no dependencies for the package:
I opened a separate bug for this to make sure it doesn't slip through the cracks and gets fixed: https://github.com/brave/brave-release/issues/4 (private repo)
I've run Brave's updated installation instructions and am still getting this error:
$ sudo apt update
Hit:1 http://debian.cs.binghamton.edu/debian buster InRelease
Hit:2 https://deb.nodesource.com/node_11.x buster InRelease
Get:3 https://brave-browser-apt-release.s3.brave.com buster InRelease [2,825 B]
Hit:4 http://security.debian.org/debian-security buster/updates InRelease
Err:3 https://brave-browser-apt-release.s3.brave.com buster InRelease
The following signatures were invalid: EXPKEYSIG 4FE13824E3FFC656 Brave Software <support@brave.com>
Hit:5 http://repo.steampowered.com/steam precise InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://brave-browser-apt-release.s3.brave.com buster InRelease: The following signatures were invalid: EXPKEYSIG 4FE13824E3FFC656 Brave Software <support@brave.com>
W: Failed to fetch https://brave-browser-apt-release.s3.brave.com/dists/buster/InRelease The following signatures were invalid: EXPKEYSIG 4FE13824E3FFC656 Brave Software <support@brave.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.
@nikolas You may have an old key in a different location on your system. Try the Debian installation instructions I suggested in https://github.com/brave/brave-browser/issues/1986#issuecomment-484594279.
@fmarier thank you, all good now.
In case you wondered, the source for Brave that causes this error is not in the usual location, but here (enough to comment it out to repair apt-get update):
/etc/apt/sources.list.d/brave-browser-release-bionic.list