Open Bug 1989626 Opened 9 months ago Updated 8 months ago

New mozillavpn-keyring BREAKS apt COMPLETELY if Firefox deb is installed per official instructions

Categories

(Mozilla VPN :: General, defect)

Product:
Mozilla VPN
Component:
General
Type:
defect

Tracking

(Not tracked)

Status:
ASSIGNED

People

(Reporter: mozilla-bugzilla, Assigned: nkirby)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0

Steps to reproduce:

  1. Install Firefox following the latest (142) information on https://support.mozilla.org/en-US/kb/install-firefox-linux on Ubuntu 25.04.
  2. Install MozillaVPN in the past (unsure if past installation is required, but that's my case).
  3. Update the mozillavpn package from 2.30.0 to 2.31.0, which has a new Recommends on mozillavpn-keyring.
    This has the effect of apt installed mozillavpn_2.31.0~rc20250916222335-static1_amd64.deb and mozillavpn-keyring_2.31.0~rc20250916222335-static1_all.deb

Actual results:

  1. Wait & receive pop-up from Ubuntu Software Updater
    OR
    Run sudo apt upgrade
  2. Receive error message, with exit code 100:
Error: Conflicting values set for option Signed-By regarding source https://packages.mozilla.org/apt/ mozilla: /usr/share/keyrings/mozilla-apt-keyring.gpg != /etc/apt/keyrings/packages.mozilla.org.asc
Error: The list of sources could not be read.
Error: Conflicting values set for option Signed-By regarding source https://packages.mozilla.org/apt/ mozilla: /usr/share/keyrings/mozilla-apt-keyring.gpg != /etc/apt/keyrings/packages.mozilla.org.asc
Error: The list of sources could not be read.

(I believe it is duplicated bc I have both Firefox and MozillaVPN installed)

This COMPLETELY breaks apt & apt-get. It is impossible to update package lists, upgrade any packages, use apt list, apt-get search mozillavpn, or sudo apt remove mozillavpn-keyring.

Expected results:

New MozillaVPN keyring should not conflict with long-standing official Firefox installation instructions.

Basically, apt really doesn't like that the same source target, https://packages.mozilla.org/apt mozilla main, has two DIFFERENT keyfiles--/etc/apt/keyrings/packages.mozilla.org.asc (Firefox instructions) vs /usr/share/keyrings/mozilla-apt-keyring.gpg (mozilla-keyring package).

To un-break apt temporarily, for anyone who finds this bug...

cd /etc/apt/sources.list.d
sudo mv mozilla-apt-repo.list mozilla-apt-repo.list.save

That should say apt-cache search mozillavpn, to illustrate that even local interaction with apt is broken. I can't seem to edit my original bug to correct it.

Also, I'm wrong about the effect...

MozillaVPN 2.30 remains installed after the keyring package is installed, because apt seemingly fails immediately after the keyring installation.

same issue here on Debian 13.

cd /etc/apt/sources.list.d
sudo mv mozilla-apt-repo.list mozilla-apt-repo.list.save

temporary solved the issue

Assignee: nobody → nkirby

So, the purpose of the mozillavpn-keyring package was to try and automate the deprecation of the Ubuntu PPA and switch users over to the Mozilla APT repository instead. It is only a recommended package, so a cleaner solution might be to remove the package from your system, for example any of the following commands should do it:

  • apt-get remove mozillavpn-keyring
  • apt remove mozillavpn-keyring
  • dpkg --remove mozillavpn-keyring

In the meantime, we are going to work on getting an update out immediately that will remove the dependency on mozillavpn-keyring until a better method can be found to guide users to upgrade away from the Launchpad and PPA-based installation.

Another data point... I performed the upgrade on my laptop that has the same Mozilla apt source setup. mozillavpn DID upgrade to 2.31 there, unlike my desktop where mozillavpn stayed at 2.30. I'm not sure why the discrepancy.

(In reply to Naomi Kirby from comment #4)

So, the purpose of the mozillavpn-keyring package was to try and automate the deprecation of the Ubuntu PPA and switch users over to the Mozilla APT repository instead. It is only a recommended package, so a cleaner solution might be to remove the package from your system, for example any of the following commands should do it:

  • apt-get remove mozillavpn-keyring
  • apt remove mozillavpn-keyring
  • dpkg --remove mozillavpn-keyring

In the meantime, we are going to work on getting an update out immediately that will remove the dependency on mozillavpn-keyring until a better method can be found to guide users to upgrade away from the Launchpad and PPA-based installation.

FYI, only the dpkg command will resolve the situation. apt will not run in ANY fashion when this situation occurs.

I verified dpkg --remove mozillavpn-keyring works (and that none of the apt commands work to remove) on 2 hosts.

But again, I'm more concerned about breaking apt for people who don't have the knowledge to fix it!

Oops, nevermind! It does NOT fix it.

You MUST use --purge!

The correct command to fix this is...

sudo dpkg --purge mozillavpn-keyring

We have shipped a 2.31.1 update that removes the Recommends dependency on mozillavpn-keyring which should prevent this issue from affecting any additional users.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
You need to log in before you can comment on or make changes to this bug.