As of September 2021, an adjustment made by our secure network communications provider has resulted in all Endless OS installations that are running a version older than Endless OS 3.8.3 being unable to upgrade to the latest release.
This only affects out-of-date installations: typically those whose users have not had sufficient connectivity to perform an OS update since June 2020, and/or old computer stock that had Endless OS preinstalled years ago and is only now being distributed.
Installations that were upgraded to EOS-3.8.3 or beyond before September 2021 are not affected by this issue.
To confirm that you are affected by this problem, please first check the Endless OS version that you are running. This issue only affects Endless OS 3.8.2 or older. You will need to follow the appropriate instructions below depending on which Endless OS version you are running currently.
If affected, you'll find yourself unable to update the OS and certain apps. Even though you are not running the latest version, automatic updates will not succeed, and manual update attempts will either not show any available update, or inform you that no update is available.
If you have attempted to diagnose this issue by looking at system logs or using command-line tools, this situation is highlighted by the error messages "Unacceptable TLS certificate" or "GPG signatures found, but none are in trusted keyring".
If you are experiencing this problem on Endless OS 3.4, 3.5, 3.6, 3.7 or 3.8, please perform the following steps.
Establish internet connectivity, if you are not already online.
Open the Terminal app
Enter or copy-paste the following commands.
wget -nv http://ostree.endlessm.com/keys/eos-ostree-keyring.gpg
sudo ostree remote gpg-import -k eos-ostree-keyring.gpg eos
sudo ostree pull --url=http://ostree.endlessm.com/ostree/eos eos
sudo ostree pull --url=http://ostree.endlessm.com/ostree/eos eos os/eos/amd64/eos3a
sudo ostree admin upgrade --deploy-only
These commands will produce brief output and return you to the command shell when done.
You may be prompted for your user account password during this process. Your password may not appear as you type it in, but if prompted, type it in anyway and press Enter.
The two ostree pull commands in the sequence above will download Endless OS updates, and may take some time. The final command in the sequence will install a previously-downloaded Endless OS update, and may also take some time.
Reboot your computer
To free up disk space associated with previous versions of the OS, open the Terminal again and run:
rm -f eos-ostree-keyring.gpg
sudo ostree refs --delete eos:os/eos
sudo ostree prune --refs-only
If you are experiencing this problem on Endless OS 3.0, 3.1, 3.2, or 3.3, please perform the following steps instead of the above procedure.
Establish internet connectivity, if you are not already online.
Open the Terminal app
Enter or copy-paste the following commands.
wget -nv http://ostree.endlessm.com/keys/eos-ostree-keyring.gpg
sudo ostree remote gpg-import -k eos-ostree-keyring.gpg eos
sudo sed -i -e 's,https://ostree.endlessm,http://ostree.endlessm,' /ostree/repo/config
sudo ostree admin upgrade
sudo sed -i -e 's,http://ostree.endlessm,https://ostree.endlessm,' /ostree/repo/config
These commands will produce brief output and return you to the command shell when done.
You may be prompted for your user account password during this process. Your password may not appear as you type it in, but if prompted, type it in anyway and press Enter.
The final ostree admin upgrade command will download and install Endless OS updates, and may take some time.
Reboot your computer
Check the Endless OS version number. You should now be running version 3.3.20.
Open the Terminal app
Enter or copy-paste the following commands.
sudo ostree pull --url=http://ostree.endlessm.com/ostree/eos eos os/eos/amd64/eos3a
sudo ostree admin deploy eos:os/eos/amd64/eos3a
These commands will produce brief output and return you to the command shell when done.
You may be prompted for your user account password during this process. Your password may not appear as you type it in, but if prompted, type it in anyway and press Enter.
Reboot your computer. You should now be running Endless OS 3.9.
To free up disk space associated with previous versions of the OS, open the Terminal again and run:
rm -f eos-ostree-keyring.gpg
sudo ostree refs --delete eos:os/eos
sudo ostree prune --refs-only
The following supplemental information is intended for developers and technicians.
There are actually two issues with similar effects that cause this situation to be encountered; the above procedure works around both issues.
In 2019, we became aware that the GPG keys used to verify Endless OS ostree updates and apps were due to expire in May 2021. We took action by releasing EOS-3.6.1 on July 9th 2019 with the keys updated to expire in 2026 and 2029. All users that upgrade to EOS-3.6.1 or newer before the 2021 expiry would therefore avoid this issue.
We also put measures in place to periodically extend the expiry of these keys going forward, and in terms of a more comprehensive solution, we are exploring Flatpak's key update mechanism and looking to add GPG key update capabilities to ostree.
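A technician can check a keyring for the expiry condition described above. The following is an added example, not Endless tooling: it reads a colon-format key listing (the format printed by gpg --show-keys --with-colons for a keyring file) and reports which primary keys and subkeys have passed their expiry date. The sample listing, key IDs, names and dates are constructed for illustration.

```shell
#!/bin/sh
# Added example: report expiry status of OpenPGP keys from a colon-format
# listing, e.g. from: gpg --show-keys --with-colons eos-ostree-keyring.gpg

# Constructed sample listing; key IDs, names and dates are made up.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAA1:1400000000:1620000000::-:::scSC:
uid:-::::1400000000::::Example OS Signing Key 1 <one@example.invalid>:
pub:-:4096:1:AAAAAAAAAAAAAAA2:1400000000:1780000000::-:::cC:
uid:-::::1400000000::::Example OS Signing Key 2 <two@example.invalid>:
sub:-:4096:1:BBBBBBBBBBBBBBB2:1400000000:1620000000:::::s:
pub:-:4096:1:AAAAAAAAAAAAAAA3:1400000000:::-:::scSC:
uid:-::::1400000000::::Example Key 3, no expiry <three@example.invalid>:
EOF
}

# Print "TYPE KEYID EXPIRY STATUS" for each primary key (pub) and subkey (sub).
# Field 5 is the key ID; field 7 is the expiry in seconds since the epoch,
# and is empty when the key never expires.
key_expiry_report() {   # usage: key_expiry_report NOW_EPOCH < listing
    awk -F: -v now="$1" '
        $1 == "pub" || $1 == "sub" {
            if ($7 == "")               { when = "-"; status = "no-expiry" }
            else if ($7 + 0 <= now + 0) { when = $7;  status = "EXPIRED" }
            else                        { when = $7;  status = "valid" }
            print $1, $5, when, status
        }'
}

# Count expired keys and subkeys; non-zero means the keyring needs refreshing.
expired_count() {       # usage: expired_count NOW_EPOCH < listing
    key_expiry_report "$1" | awk '$4 == "EXPIRED" { n++ } END { print n + 0 }'
}

# Evaluate the sample as of 2021-09-30 00:00 UTC (epoch 1632960000).
sample_listing | key_expiry_report 1632960000
```

Note that the second sample key is still valid while its signing subkey has expired, which a check of primary keys alone would miss.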
In September 2021, the second issue came along, effectively masking the first one since it covers an extended range of OS releases: our HTTPS Certificate Authority provider's DST Root CA X3 certificate expired. This wouldn't normally have any effect because modern devices are expected to trust the ISRG Root X1 certificate instead. However, since the certificate chaining is done in a less common way, it triggered a GnuTLS bug, causing the ISRG Root X1 certificate to be rejected.
The solution above works around the problem as follows:
The newly installed OS has a fixed GnuTLS version, and updated GPG keys for OS & apps, resolving the issues described here. Special consideration is applied for multiple upgrade paths (the user may be coming from a regular OS version, or from a nexthw branch that traverses an end-of-life branch redirect, or from an eos3.3 release which needs to traverse an ostree checkpoint).