[tor-relays] Debian is not allowing tor to update despite it being listed as a trusted respritory

Wed May 4 21:04:13 UTC 2022

Your sources.list file entry looks incorrect.  I would definitely not 
recommend using trust=yes for a repo like tor, as it bypasses apt's 
security checks.

According to the instructions you linked 
<https://support.torproject.org/apt/tor-deb-repo/>, your source for the 
tor packages should be listed in /etc/apt/sources.list.d/tor.list as 
something like:

> deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] 
> https://deb.torproject.org/torproject.org buster main
> deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] 
> https://deb.torproject.org/torproject.org buster main

The instructions tell you how to import the repo key as well:

>
> # wget -qO- 
> https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc 
> | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg 
> >/dev/null

On 5/3/22 13:10, Keifer Bly wrote:
> I am not sure how to get rid of the trusty / ubuntu packages? I simply 
> followed the instructions here:
>
> https://support.torproject.org/apt/tor-deb-repo/
>
> Thanks.
> --Keifer
>
>
> On Mon, May 2, 2022 at 10:31 PM Keifer Bly <keifer.bly at gmail.com> wrote:
>
>     Hi all,
>
>     So I am running a tor relay on Debian, but no matter what when
>     updating tor there is an “updating from such a respiritpry can’t
>     be done securely and is therefore disabled by default”. Here is
>     the log
>
>     Get:1 http://security.debian.org buster/updates InRelease [65.4 kB]
>
>     Hit:2 http://deb.debian.org/debian buster InRelease
>
>     Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
>
>     Get:4 http://deb.debian.org/debian buster-backports InRelease
>     [46.7 kB]
>
>     Ign:5 http://ftp.de.debian.org/debian stretch InRelease
>
>     Hit:6 http://ftpde.debian.org/debian stretch Release
>
>     Ign:7 http://deb.torproject.org/torproject.org trusty InRelease
>
>     Ign:8 http://deb.torproject.org/torproject.org trusty Release
>
>     Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:10 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:10 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:14 https://deb.torproject.org/torproject.org amd64 InRelease
>
>     Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:10 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Err:15 https://deb.torproject.org/torproject.org amd64 Release
>
>       Certificate verification failed: The certificate is NOT trusted.
>     The certificate chain uses expired certificate.  Could not
>     handshake: Error in the certificate verification. [IP:
>     95.216.163.36 443]
>
>     Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:10 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:10 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:9 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:10 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Err:9 http://deb.torproject.org/torproject.org trusty/main Sources
>
>       404  Not Found [IP: 116.202.120.166 80]
>
>     Ign:10 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Reading package lists... Done
>
>     N: Ignoring file 'DEADJOE' in directory '/etc/apt/sources.list.d/'
>     as it has no filename extension
>
>     E: The repository 'https://deb.torproject.org/torproject.org amd64
>     Release' does not have a Release file.
>
>     N: Updating from such a repository can't be done securely, and is
>     therefore disabled by default.
>
>     N: See apt-secure(8) manpage for repository creation and user
>     configuration details.
>
>     root at vps-3e661acc:/home/debian# nano /etc/apt/sources.list
>
>     root at vps-3e661acc:/home/debian# nano /etc/apt/sources.list
>
>     root at vps-3e661acc:/home/debian# apt-get update
>
>     Hit:1 http://security.debian.org buster/updates InRelease
>
>     Hit:2 http://deb.debian.org/debian buster InRelease
>
>     Hit:3 http://deb.debian.org/debian buster-updates InRelease
>
>     Hit:4 http://deb.debian.org/debian buster-backports InRelease
>
>     Ign:5 https://deb.torproject.org/torproject.org amd64 InRelease
>
>     Ign:6 http://ftp.de.debian.org/debian stretch InRelease
>
>     Ign:7 http://deb.torproject.org/torproject.org trusty InRelease
>
>     Hit:8 http://ftp.de.debian.org/debian stretch Release
>
>     Ign:9 http://deb.torproject.org/torproject.org trusty Release
>
>     Err:10 https://deb.torproject.org/torproject.org amd64 Release
>
>       Certificate verification failed: The certificate is NOT trusted.
>     The certificate chain uses expired certificate.  Could not
>     handshake: Error in the certificate verification. [IP:
>     116.202.120.165 443]
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:13 http://deb.torproject.org/torprojectorg trusty/main all
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torprojectorg/torproject.org trusty/main amd64
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Err:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>       404  Not Found [IP: 95.216.163.36 80]
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Reading package lists... Done
>
>     N: Ignoring file 'DEADJOE' in directory '/etc/apt/sourceslist.d/'
>     as it has no filename extension
>
>     E: The repository 'https://deb.torproject.org/torproject.org amd64
>     Release' does not have a Release file.
>
>     N: Updating from such a repository can't be done securely, and is
>     therefore disabled by default.
>
>     N: See apt-secure(8) manpage for repository creation and user
>     configuration details.
>
>     root at vps-3e661acc:/home/debian# tor
>
>     May 03 05:20:21.468 [notice] Tor 0.4.5.10 running on Linux with
>     Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4,
>     Libzstd 1.3.8 and Glibc 2.28 as libc.
>
>     May 03 05:20:21.469 [notice] Tor can't help you if you use it
>     wrong! Learn how to be safe at
>     https://www.torproject.org/download/download#warning
>
>     May 03 05:20:21.469 [notice] Read configuration file "/etc/tor/torrc".
>
>     May 03 05:20:21.470 [notice] Based on detected system memory,
>     MaxMemInQueues is set to 1462 MB. You can override this by setting
>     MaxMemInQueues by hand.
>
>     May 03 05:20:21.472 [notice] Opening Control listener on
>     127.0.0.1:9051 <http://127.0.0.1:9051>
>
>     May 03 05:20:21.472 [notice] Opened Control listener connection
>     (ready) on 127.0.0.1:9051 <http://127.0.0.1:9051>
>
>     May 03 05:20:21.472 [notice] Opening OR listener on 0.0.0.0:9001
>     <http://0.0.0.0:9001>
>
>     May 03 05:20:21.472 [notice] Opened OR listener connection (ready)
>     on 0.0.0.0:9001 <http://0.0.0.0:9001>
>
>     May 03 05:20:21.472 [notice] Opening OR listener on [::]:9001
>
>     May 03 05:20:21.472 [notice] Opened OR listener connection (ready)
>     on [::]:9001
>
>     May 03 05:20:21.472 [notice] Opening Directory listener on
>     0.0.0.0:9030 <http://0.0.0.0:9030>
>
>     May 03 05:20:21.472 [notice] Opened Directory listener connection
>     (ready) on 0.0.0.0:9030 <http://0.0.0.0:9030>
>
>     root at vps-3e661acc:/home/debian# sudo apt update && sudo apt
>     install -y --only-upgrade tor
>
>     Hit:1 http://security.debian.org buster/updates InRelease
>
>     Hit:2 http://deb.debian.org/debian buster InRelease
>
>     Hit:3 http://deb.debian.org/debian buster-updates InRelease
>
>     Hit:4 http://deb.debian.org/debian buster-backports InRelease
>
>     Ign:5 http://ftp.de.debian.org/debian stretch InRelease
>
>     Hit:6 http://ftp.de.debian.org/debian stretch Release
>
>     Ign:7 https://deb.torproject.org/torproject.org amd64 InRelease
>
>     Ign:8 http://deb.torproject.org/torproject.org trusty InRelease
>
>     Ign:9 http://deb.torproject.org/torproject.org trusty Release
>
>     Err:10 https://deb.torproject.org/torproject.org amd64 Release
>
>       Certificate verification failed: The certificate is NOT trusted.
>     The certificate chain uses expired certificate.  Could not
>     handshake: Error in the certificate verification. [IP:
>     116.202.120.165 443]
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:13 http://debtorproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:11 http://debtorproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Ign:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Err:11 http://deb.torproject.org/torproject.org trusty/main Sources
>
>       404  Not Found [IP: 95.216.163.36 80]
>
>     Ign:12 http://deb.torproject.org/torproject.org trusty/main all
>     Packages
>
>     Ign:13 http://deb.torproject.org/torproject.org trusty/main amd64
>     Packages
>
>     Ign:14 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en
>
>     Ign:15 http://deb.torproject.org/torproject.org trusty/main
>     Translation-en_US
>
>     Reading package lists... Done
>
>     N: Ignoring file 'DEADJOE' in directory '/etc/apt/sources.list.d/'
>     as it has no filename extension
>
>     E: The repository 'https://deb.torproject.org/torproject.org amd64
>     Release' does not have a Release file.
>
>     N: Updating from such a repository can't be done securely, and is
>     therefore disabled by default.
>
>     N: See apt-secure(8) manpage for repository creation and user
>     configuration details.
>
>     This happens despite tor being listed as trsuted in my sources file:
>
>     ## Note, this file is written by cloud-init on first boot of an
>     instance
>
>     ## modifications made here will not survive a re-bundle.
>
>     ## if you wish to make changes you can:
>
>     ## a.) add 'apt_preserve_sources_list: true' to /etc/cloud/cloud.cfg
>
>     ##     or do the same in user-data
>
>     ## b.) add sources in /etc/apt/sources.list.d
>
>     ## c.) make changes to template file
>     /etc/cloud/templates/sources.list.debian.tmpl
>
>     ###
>
>     # See
>     http://www.debianorg/releases/stable/i386/release-notes/ch-upgrading.html
>
>     # for how to upgrade to newer versions of the distribution.
>
>     deb http://deb.debian.org/debian buster main
>
>     deb-src http://deb.debian.org/debian buster main
>
>     ## Major bug fix updates produced after the final release of the
>
>     ## distribution.
>
>     deb http://security.debian.org/ buster/updates main
>
>     deb-src http://security.debian.org/ buster/updates main
>
>     deb [trusted=yes] http://deb.debian.org/debian buster-updates main
>
>     deb-src [trusted=yes] http://deb.debian.org/debian buster-updates main
>
>     ## Uncomment the following two lines to add software from the
>     'backports'
>
>     ## repository.
>
>     ##
>
>     ## N.B. software from this repository may not have been tested as
>
>     ## extensively as that contained in the main release, although it
>     includes
>
>     ## newer versions of some applications which may provide useful
>     features.
>
>     deb http://deb.debian.org/debian buster-backports main
>
>     deb-src http://deb.debian.org/debian buster-backports main
>
>     deb http://ftp.de.debian.org/debian stretch main
>
>     deb [trusted=yes] http://deb.torproject.org/torproject.org trusty main
>
>     deb-src [trusted=yes] http://deb.torproject.org/torproject.org
>     trusty main
>
>     So, for some reason Debian is seeing tor as untrusted despite that
>     it has been listed as trusted. Tor is being run as root so its not
>     a restricted user error. I am wondering why this might be
>     happening? Thanks.
>
>     --Keifer
>
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20220504/796fe69a/attachment-0001.htm>