Debian Signature Key Errors After Running Argon Eon Config Install Script

Problem

I was able to successfully run apt get update before the Argon Eon Config script installation, but now receive a verification error for packages. The only difference to the system was the installation of the Argon Eon Config script.

System Info

Raspberry Pi 4b 8GB
Debian 11 Bullseye
uname -a output: Linux raspberryNAS 5.15.76-v8+ #1597 SMP PREEMPT Fri Nov 4 12:16:41 GMT 2022 aarch64 GNU/Linux
Installed OS from Raspberry Pi Imager for x64 Raspberry Pi OS Lite

Background

I went through setup of my OpenMediaVault and ran update, upgrade and installed additional packages without issue or error prior to running the install script for the Eon config, so I could manage the OLED and the fans. I can successfully manage it, but there appears to be some configuration it updates that breaks key signing/verification for debian packages. This has also broken installation of plugins for OpenMediaVault as well.

Technical Details

Installation Script Command:
curl https://download.argon40.com/argoneon.sh | bash

Command Executed
sudo apt update

Results

Get:1 file:/var/cache/openmediavault/archives  InRelease
Ign:1 file:/var/cache/openmediavault/archives  InRelease
Get:2 file:/var/cache/openmediavault/archives  Release
Ign:2 file:/var/cache/openmediavault/archives  Release
Get:3 file:/var/cache/openmediavault/archives  Packages
Ign:3 file:/var/cache/openmediavault/archives  Packages
Get:4 file:/var/cache/openmediavault/archives  Translation-en
Ign:4 file:/var/cache/openmediavault/archives  Translation-en
Get:3 file:/var/cache/openmediavault/archives  Packages
Ign:3 file:/var/cache/openmediavault/archives  Packages
Get:4 file:/var/cache/openmediavault/archives  Translation-en
Ign:4 file:/var/cache/openmediavault/archives  Translation-en
Get:3 file:/var/cache/openmediavault/archives  Packages
Ign:3 file:/var/cache/openmediavault/archives  Packages
Get:4 file:/var/cache/openmediavault/archives  Translation-en
Ign:4 file:/var/cache/openmediavault/archives  Translation-en
Get:3 file:/var/cache/openmediavault/archives  Packages
Ign:3 file:/var/cache/openmediavault/archives  Packages
Get:4 file:/var/cache/openmediavault/archives  Translation-en
Ign:4 file:/var/cache/openmediavault/archives  Translation-en
Get:3 file:/var/cache/openmediavault/archives  Packages
Ign:3 file:/var/cache/openmediavault/archives  Packages     
Get:4 file:/var/cache/openmediavault/archives  Translation-en
Ign:4 file:/var/cache/openmediavault/archives  Translation-en     
Get:3 file:/var/cache/openmediavault/archives  Packages           
Ign:3 file:/var/cache/openmediavault/archives  Packages     
Get:4 file:/var/cache/openmediavault/archives  Translation-en
Ign:4 file:/var/cache/openmediavault/archives  Translation-en     
Get:3 file:/var/cache/openmediavault/archives  Packages           
Get:4 file:/var/cache/openmediavault/archives  Translation-en
Ign:4 file:/var/cache/openmediavault/archives  Translation-en     
Hit:5 http://deb.debian.org/debian bullseye InRelease             
Hit:6 http://deb.debian.org/debian bullseye-updates InRelease                                                                                                                                                                                
Hit:7 http://security.debian.org/debian-security bullseye-security InRelease                                                                                                                                                                 
Err:8 https://openmediavault.github.io/packages shaitan InRelease                                                                                                                                                                            
  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 185.199.109.153 443]
Err:9 https://openmediavault-plugin-developers.github.io/packages/debian shaitan InRelease                                                                                                                          
  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 185.199.111.153 443]
Err:10 https://download.docker.com/linux/debian bullseye InRelease                                                                                                       
  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 18.165.32.47 443]
Err:5 http://deb.debian.org/debian bullseye InRelease                                                       
  The following signatures were invalid: EXPKEYSIG 648ACFD622F3D138 Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org> EXPKEYSIG 0E98404D386FA1D9 Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org> EXPKEYSIG 605C66F00D6C9793 Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
Hit:11 http://archive.raspberrypi.org/debian bullseye InRelease
Err:6 http://deb.debian.org/debian bullseye-updates InRelease
  The following signatures were invalid: EXPKEYSIG 648ACFD622F3D138 Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org> EXPKEYSIG 0E98404D386FA1D9 Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
Err:7 http://security.debian.org/debian-security bullseye-security InRelease
  The following signatures were invalid: EXPKEYSIG 112695A0E562B32A Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org> EXPKEYSIG 54404762BBB6E853 Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
Hit:12 http://packages.openmediavault.org/public shaitan InRelease
Reading package lists... Done                                 
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian bullseye InRelease: The following signatures were invalid: EXPKEYSIG 648ACFD622F3D138 Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org> EXPKEYSIG 0E98404D386FA1D9 Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org> EXPKEYSIG 605C66F00D6C9793 Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian bullseye-updates InRelease: The following signatures were invalid: EXPKEYSIG 648ACFD622F3D138 Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org> EXPKEYSIG 0E98404D386FA1D9 Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org/debian-security bullseye-security InRelease: The following signatures were invalid: EXPKEYSIG 112695A0E562B32A Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org> EXPKEYSIG 54404762BBB6E853 Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye/InRelease  The following signatures were invalid: EXPKEYSIG 648ACFD622F3D138 Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org> EXPKEYSIG 0E98404D386FA1D9 Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org> EXPKEYSIG 605C66F00D6C9793 Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye-updates/InRelease  The following signatures were invalid: EXPKEYSIG 648ACFD622F3D138 Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org> EXPKEYSIG 0E98404D386FA1D9 Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
W: Failed to fetch https://openmediavault-plugin-developers.github.io/packages/debian/dists/shaitan/InRelease  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 185.199.111.153 443]
W: Failed to fetch https://download.docker.com/linux/debian/dists/bullseye/InRelease  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 18.165.32.47 443]
W: Failed to fetch http://security.debian.org/debian-security/dists/bullseye-security/InRelease  The following signatures were invalid: EXPKEYSIG 112695A0E562B32A Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org> EXPKEYSIG 54404762BBB6E853 Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
W: Failed to fetch https://openmediavault.github.io/packages/dists/shaitan/InRelease  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 185.199.109.153 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.

Contents of /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

This appears to be related to the fact that for some reason the script updates the date/time on the system. I’m having many issues getting it properly set to current date as well. Will update after more troubleshooting.

Output from date
Sat Jan 11 00:33:17 EST 2048

Current Time
Mon Jan 2 13:58:05 EST 2023

It is confirmed that manually setting the date/time corrects the issues I was having. The problem is I cannot get RTC Date to do anything with the configurations and am not sure if it updates automatically without a schedule.

Reviewing the scripts, it seems to come down to a potential issue with operating system identification (best educated guess). Starting with Bullseye, Rasbian is no longer in the /etc/os-release information. Looking at the RTC script, it seems to either be Rasbian or Ubuntu, nothing in-between. This suggests that either nothing is executed or something else is executed that I don’t see in the scripts (limited understanding of some of the functions in said scripts).

Either way, due to the date issues, it seems to have caused cascading issues across services and applications. So if you’re running the most recent release of Raspberry Pi OS, ensure you check your date after the config installation, or don’t utilize it at all until the check for Rasbian in the /etc/os-release has been fixed across the various shell scripts.

Found a temporary solution until the shell scripts are updated by Argon. If you follow the steps below, the date/time is not changed to the future and all of the scripts work. It is worth noting that if you want to run the config ENSURE TO COPY OVER THE os-release before you run the config and then set it back. I’m sure there may be more elegant solutions, but this worked for me:

  1. Run sudo apt update and sudo apt upgrade (Ensure you’re up to date before messing with the os-release
  2. sudo cp /etc/os-release /etc/os-release.original
  3. sudo cp /etc/os-release /etc/os-release.rasbian
  4. sudo nano /etc/os-release.raspian
  5. Modify as noted below (Change name to Rasbian from Bullseye in a few places and add ID_LIKE)
PRETTY_NAME="Rasbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
  1. sudo cp /etc/os-release.rasbian /etc/os-release
  2. Run the Argon Eon config installation script as normal
  3. Run the config and make changes per your desires/needs (argon-config)
  4. sudo cp /etc/os-release.original /etc/os-release

From this point, just make sure to copy the os-release back before you make any changes to the argon eon config. The only thing this may miss is if one of the scripts checks something other than os-release. But this was an effective work around for me until the shell scripts are updated by Argon.

Hope this was helpful to some one struggling. This bug made me reflash my pi from a fully operationalized setup with plex and dockers, so this is more than just a small issue.

Did you install a battery for the RTC?

Many people had time issues until they installed a battery.

Oh man, thank you so much for this. I had the battery out during assembly and completely spaced installing it. I’ll test on a fresh image when I can and make sure the battery is indeed the issue.

Thanks again!

Was indeed the battery. Thanks again!