Tagged: asc, chain of trust, checksum, gpg, key-validation, keyserver, libreoffice, pgp
This topic has 8 replies, 3 voices, and was last updated Mar 7, 7:24 pm by Xunzi_23.
March 5, 2023 at 1:48 pm #101197 Xunzi_23 (Member)

While setting up a system I woke up to the fact that the latest LibreOffice version, 7.5.*, has been stuck in
Debian Experimental for a couple of months. User needs as much MS compatibility as possible.
Running antiX 23 Testing; should work ok on antiX 22.

Remove the current LibreOffice. For new users maybe the easiest way is to use Synaptic; after removing the main packages
do sudo apt autoremove to clean the system of older LO libraries.

Download the latest LibreOffice from libreoffice.org, if wished with additional language packs.
Unpack the downloaded packages, open the unpacked folders to access the debs.
Enter sudo apt install in a terminal, mark then drag and drop all debs into the terminal window, press enter to install.

You might need to install Java, which must fit your system. Needed for Base but also to use the LanguageTool extension. I am using default-jre default-jre-headless java-common
You may need to activate Java in Writer: menu Tools > Options > Advanced > Use a Java JRE.
In some cases Oracle or Amazon Java might be a personal preference. If so, just search, download, then follow the install
instructions.

March 5, 2023 at 2:28 pm #101204 andyprough (Member)
March 5, 2023 at 2:50 pm #101206 Xunzi_23 (Member)

Thanks andyprough,
I was writing for persons with very limited Linux know-how so kept it as simple as possible. To use the command you gave, the user must cd to the correct location or he will just get a cryptic error.

    cd /home/demo/Downloads/LibreOffice_7.5.1.2_Linux_x86-64_deb/DEBS
    demo@antix1:~/Downloads/LibreOffice_7.5.1.2_Linux_x86-64_deb/DEBS $ sudo apt install ./*.deb

The above will work assuming username demo and a download to Downloads, unpacked with a graphical tool.
cd command = change directory. After the install is finished the user can close the terminal with $ exit then enter.
March 5, 2023 at 10:24 pm #101256 Robin (Member)

Allow me two remarks:
1.) LibreOffice itself doesn't provide 32 bit packages. So on 32 bit machines you have to wait for Debian or somebody else to build it.
2.) I strongly recommend checking against an official checksum before using the downloaded file for installation. For this you need to go to the official LibreOffice download archive site; they hide it away from you on their default download web site:
Official LibreOffice Download Archive
You can download the checksum file directly from there, along with the package itself, the help package and the language package for your language:

    wget http://downloadarchive.documentfoundation.org/libreoffice/old/7.5.1.2/deb/x86_64/LibreOffice_7.5.1.2_Linux_x86-64_deb.tar.gz.asc
    wget http://downloadarchive.documentfoundation.org/libreoffice/old/7.5.1.2/deb/x86_64/LibreOffice_7.5.1.2_Linux_x86-64_deb.tar.gz

Apply the same procedure for the localised language and help packages you want; they also have their own .asc signature files you need to check separately.
(Instead of wget you can use as well the download function in your web browser, just make sure to always download the .asc file along with the respective package file.)
Unfortunately LibreOffice stopped providing shasum or md5 checksum files for easy checking of the packages after download, providing merely .asc files now. This makes checking the download a bit like a rocky road on antiX. Here's how to do it:
Enter the following command in a terminal window (e.g. roxterm) to check the installer package you've downloaded against the .asc file:

    $ gpg --verify './LibreOffice_7.5.1.2_Linux_x86-64_deb.tar.gz.asc' './LibreOffice_7.5.1.2_Linux_x86-64_deb.tar.gz'
    gpg: Signature made Fri Feb 24 14:00:55 2023 CET
    gpg:                using RSA key C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3
    gpg: Can't check signature: No public key

This was a fail. The downloaded package can't get checked against the provided signature file, since LibreOffice doesn't seem to have an official public key on the default gpg keyserver. Searching their web site for the official LibreOffice public key also failed, so the download can't get checked against the provided asc signature file.
As long as the download is not checked, it might be damaged or even corrupted on transport, and it might damage your system when using the file, or LibreOffice might fail in some functionality later even when it installs. So we need the official LibreOffice public code signing key they use for all their software. You have to search and search tons of mailing lists to find out they sign all their recent packages with an undocumented public key, issued to "build@documentfoundation.org". OK, let's search for it using gpg:

    $ gpg --search-keys build@documentfoundation.org
    gpg: data source: https://keys.openpgp.org:443
    gpg: key "build@documentfoundation.org" not found on keyserver
    gpg: keyserver search failed: Not found

OK, this was a fail again. Maybe they use a different key server; let's try whether they have their own one:

    $ gpg --keyserver hkp://keys.libreoffice.org --search-keys build@documentfoundation.org
    gpg: error searching keyserver: No name
    gpg: keyserver search failed: No name

People at LibreOffice seem to treat the piece of information where to find their official public key like a business secret... That's ridiculous.
Again, some hours later, after again searching tons of mailing list entries, it turned out you have to use another keyserver, since they still use "keys.gnupg.net", which was marked as deprecated some years ago already.
ask.libreoffice.org
LibreOffice mailing list archive
Let's try it anyway:

    $ gpg --keyserver hkp://keys.gnupg.net --search-keys build@documentfoundation.org
    gpg: data source: http://pgp.surf.nl:11371
    (1) LibreOffice Build Team (CODE SIGNING KEY) <build@documentfoundation.or
          4096 bit RSA key F434A1EFAFEEAEA3, created: 2010-10-11

So, finally we have what we need: the proper key ID to import, and the key server from which to import it.

    $ gpg --keyserver hkp://keys.gnupg.net --recv-key F434A1EFAFEEAEA3
    gpg: key F434A1EFAFEEAEA3: "LibreOffice Build Team (CODE SIGNING KEY) <build@documentfoundation.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

And now let's check again the downloaded file against the provided asc file:

    $ gpg --verify './LibreOffice_7.5.1.2_Linux_x86-64_deb.tar.gz.asc' './LibreOffice_7.5.1.2_Linux_x86-64_deb.tar.gz'
    gpg: Signature made Fri Feb 24 14:00:55 2023 CET
    gpg:                using RSA key C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3
    gpg: Good signature from "LibreOffice Build Team (CODE SIGNING KEY) <build@documentfoundation.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: C283 9ECA D940 8FBE 9531 C3E9 F434 A1EF AFEE AEA3

This download was obviously fine, even when gpg comes up with another big fat confusing warning. The significant line in the output is:

    gpg: Good signature from "LibreOffice Build Team (CODE SIGNING KEY) ...

To understand the confusing warning about "not certified with a trusted signature" you can read
gnupg.org – Validating other keys
The crucial part is: You can't know whether this Christian Lohmaier, who posted the key information in a public mailing list some years ago, actually was in a position to make official statements about official keys used for code signing of official LibreOffice builds. Nor can you verify that the person who uploaded the key to the keys.gnupg.net key server actually was authorised to act for the LibreOffice organisation or development team. Everybody could have uploaded this key some years ago; obviously it is not signed by any trusted person or organisation officially.
On the other hand: The key matches all the packages on the official LibreOffice site, so it is highly probable this is actually the proper key, even when it is nowhere documented on their site. You just have to venture a best guess. At least the full key fingerprint matches the one posted by this Christian Lohmaier, whoever he might be. Let's hope he is the guy mentioned here: https://www.documentfoundation.org/engineering-sc/ , member of the LibreOffice Engineering Steering Committee. There is probably more than a single Christian Lohmaier living in the world, and secondly everybody could have sent this mail to the mailing list in his name, faking his mail address, since the mail itself isn't signed with a mail certificate. Why do they make such a secret about their public code signing key, not officially publishing it easy to look up on their website?
Well. Since our primary goal was merely to check whether the download was damaged on transport: the line "Good signature from .." means that the download was not damaged, so everything is ok here; you can safely use the package.
What an effort for this simple task!
You have to repeat the last check command for the downloaded help file package and language file package. (No need to repeat the key-search and key-installation steps on your system.)
I long for the time when LibreOffice still provided simple checksum files for checking a download instead of complicated signature chains in a web of trust that end in nirvana.
-------------------
P.S.:
In case the downloaded file was damaged the crucial line would have read:

    gpg: BAD signature from "LibreOffice Build Team (CODE SIGNING KEY) <build@documentfoundation.org>" [unknown]

Windows is like a submarine. Open a window and serious problems will start.
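Editor's note on the check above: gpg's "Good signature" line only says that the signature was made by some key present in your keyring, and the "not certified" warning is gpg telling you it has no basis for connecting that key to the project. The check a downloader can actually perform is to pin the full primary-key fingerprint, obtained from a source independent of the download (in this thread: C283 9ECA D940 8FBE 9531 C3E9 F434 A1EF AFEE AEA3), and refuse any signature whose VALIDSIG status line names a different key, regardless of which keyserver delivered the key. The script below is an added example, not code from the thread or from LibreOffice: it generates a throwaway test key and a stand-in "package" in temporary keyrings so that it runs offline, and uses the thread's LibreOffice fingerprint only as the value you would pin for a real download.

```shell
#!/bin/sh
# Added example (not from the thread): verify a detached .asc signature and
# pin the signer's fingerprint instead of stopping at "Good signature".
# Runs offline: test key, package and signature are created in throwaway
# keyrings under a temporary directory.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -m 700 "$WORK/signer" "$WORK/user"   # two separate keyrings: publisher and downloader

# Fingerprint you would pin for a real LibreOffice download (quoted in the thread).
LO_EXPECTED_FPR='C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3'

# verify_pinned SIG FILE EXPECTED_FPR KEYRING_DIR
# Returns 0 only if gpg reports a valid signature AND the primary-key
# fingerprint in the VALIDSIG status line equals EXPECTED_FPR. A valid
# signature from any other key we happen to have imported is rejected,
# even though gpg would still print "Good signature" for it.
verify_pinned() {
    sig=$1; file=$2; expected=$3; home=$4
    status=$(GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null || true)
    # "[GNUPG:] VALIDSIG <signing key fpr> ... <primary key fpr>": last field
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    [ -n "$fpr" ] && [ "$fpr" = "$expected" ]
}

# --- publisher side: make a test key, a "package" and its detached signature ---
GNUPGHOME="$WORK/signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Test Build Team (EXAMPLE ONLY) <build@example.invalid>' ed25519 sign never 2>/dev/null
TEST_FPR=$(GNUPGHOME="$WORK/signer" gpg --batch --with-colons --list-keys 2>/dev/null \
    | awk -F: '/^fpr:/{print $10; exit}')
PKG="$WORK/LibreOffice_7.5.1.2_Linux_x86-64_deb.tar.gz"   # constructed stand-in, not the real tarball
SIG="$PKG.asc"
printf 'not a real tarball\n' > "$PKG"
GNUPGHOME="$WORK/signer" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$SIG" "$PKG" 2>/dev/null
GNUPGHOME="$WORK/signer" gpg --batch --armor --export "$TEST_FPR" > "$WORK/build-team.asc" 2>/dev/null

# --- downloader side ---
# 1. Fresh keyring, nothing imported: gpg says "No public key", as in the thread.
if verify_pinned "$SIG" "$PKG" "$TEST_FPR" "$WORK/user"; then echo 'unexpected'; else echo 'no key yet: cannot verify'; fi

# 2. Import the key (from a keyserver, the project's site, or a file), then
#    compare the fingerprint gpg shows against the value pinned from elsewhere.
GNUPGHOME="$WORK/user" gpg --batch --import "$WORK/build-team.asc" 2>/dev/null
verify_pinned "$SIG" "$PKG" "$TEST_FPR" "$WORK/user" && echo 'good signature from pinned key: OK'

# 3. Tampered or truncated download: gpg reports BADSIG, no VALIDSIG line, so it fails.
TAMPERED="$WORK/tampered.tar.gz"; cp "$PKG" "$TAMPERED"; printf 'x' >> "$TAMPERED"
verify_pinned "$SIG" "$TAMPERED" "$TEST_FPR" "$WORK/user" || echo 'tampered file: BAD'

# 4. Intact file, valid signature, but not from the key you pinned: refuse it.
verify_pinned "$SIG" "$PKG" "$LO_EXPECTED_FPR" "$WORK/user" || echo 'signed by an unpinned key: REJECTED'
```

In real use you import the project key into your normal keyring, pass the downloaded .asc and tarball, and keep the expected fingerprint in the script (or in a file under version control) so that a key swapped on a keyserver, or a "Good signature" from an unrelated key someone uploaded under the same name, is caught mechanically rather than by reading the output.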
March 5, 2023 at 11:21 pm #101265 andyprough (Member)

@Xunzi_23 - I actually did not know that you could drag and drop files onto the terminal and get their names in a list like that. It's pretty cool. I would still just write the command with the wildcard myself.
March 6, 2023 at 9:01 am #101283 Xunzi_23 (Member)

Thanks Robin, ouch, next time I'll try to give more and better info. 32 bit has not been on offer from LO Org for a while.
I used BitTorrent, which does a hash check against the repo file.
I agree checksums could be more prominently advertised; they are available on the mirrors though. Click on info, located under the
download button.
Brings the user to:
https://download.documentfoundation.org/libreoffice/stable/7.5.1/deb/x86_64/LibreOffice_7.5.1_Linux_x86-64_deb.tar.gz.mirrorlist

    Mirrors for LibreOffice_7.5.1_Linux_x86-64_deb.tar.gz
    File information
    Filename: LibreOffice_7.5.1_Linux_x86-64_deb.tar.gz
    Path: /libreoffice/stable/7.5.1/deb/x86_64/LibreOffice_7.5.1_Linux_x86-64_deb.tar.gz
    Size: 189M (198642873 bytes)
    Last modified: Fri, 24 Feb 2023 14:51:35 GMT (Unix time: 1677250295)
    SHA-256 Hash: ea3a0559061eaf461d409855ff4cb3bc0360310c79b2c4f6366fe8f5f2dd5a2c
    SHA-1 Hash: 890e3d8fbf753e53b4a69193ef339a9dd91ffd0a
    MD5 Hash: 5d8ff898b598f99e2dc2543a37428253
    BitTorrent Information Hash: 567c1190e3637bbed0fa8663d207ddd9798d220c
    PGP signature available

BitTorrent checks the file hash, which I admit is not real proof, but the rest could also be faked by
"interested authorities".
March 6, 2023 at 2:52 pm #101301 Robin (Member)

Many thanks, Xunzi23, for scenting out the place where at least the checksums themselves are published!
Actually these info links contain the needed checksums, even when no checksum file is provided, so instead of

    $ shasum -c './checksumfile.sum'
    ./LibreOffice_7.5.1.2_Linux_x86-64_deb.tar.gz: OK

now you have to manually compare, character by character, the output of the command

    $ shasum -a256 './LibreOffice_7.5.1.2_Linux_x86-64_deb.tar.gz'
    ea3a0559061eaf461d409855ff4cb3bc0360310c79b2c4f6366fe8f5f2dd5a2c  ./LibreOffice_7.5.1.2_Linux_x86-64_deb.tar.gz

with the respective line in the info link:

    SHA-256 Hash: ea3a0559061eaf461d409855ff4cb3bc0360310c79b2c4f6366fe8f5f2dd5a2c

It must match.
Same procedure for all the additional packages you have downloaded. Also you could use the following terminal command to let it get checked automatically, mostly just like when you'd have a checksum file at hand:

    $ f='./LibreOffice_7.5.1.2_Linux_x86-64_deb.tar.gz'; s="ea3a0559061eaf461d409855ff4cb3bc0360310c79b2c4f6366fe8f5f2dd5a2c"; [ "$(shasum -a256 "$f" | cut -d' ' -f1)" = "$s" ] && echo 'OK' || echo 'BAD'
    OK

It returns either "OK" or "BAD", depending on whether the checksum matches the file.
For each downloaded package to check, you have to replace the file name and the checksum string within the command.

So, still having relatively easy to handle checksums for LibreOffice direct downloads is great, but this doesn't solve the riddle why the LibreOffice public code signing key chain of trust ends in nowhere :shrug: and why they don't publish the key (or point to it) officially on their website, while providing .asc files relying on this key at the same time.

Windows is like a submarine. Open a window and serious problems will start.
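Editor's note: the character-by-character comparison and the one-liner above can be replaced by building a standard checksum file from the "Filename:" and "SHA-256 Hash:" lines of each package's mirrorlist info page and letting sha256sum -c check every download at once, by file name. The script below is an added example, not code from the thread; its package contents, the help-pack file name and the info text are constructed so that it runs offline (the hashes are computed in place rather than copied from the site). One caveat a practitioner should keep in mind: the hash on the info page is served by documentfoundation.org while the tarball may come from any mirror, so this detects a corrupt or tampered mirror copy and a damaged download, but not a compromise of the site that publishes both; the .asc signature checked against a pinned key is the stronger control.

```shell
#!/bin/sh
# Added example (not from the thread): verify LibreOffice-style downloads
# against the SHA-256 values shown on the mirrorlist info pages, without
# comparing hex strings by eye. All inputs below are constructed stand-ins.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sha256_of FILE: print only the hex digest (sha256sum prints "<hash>  <name>").
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# verify_one FILE EXPECTED_HEX: the thread's one-liner as a function, with the
# file name quoted and a case-insensitive compare (info pages use lowercase,
# people sometimes paste uppercase). Returns 0 on match, 1 otherwise.
verify_one() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# info_to_sums < INFO_TEXT: remember the last "Filename:" seen and emit one
# "<sha256>  <filename>" line per "SHA-256 Hash:" that follows it. The output
# is exactly the format sha256sum -c expects (two spaces between the fields).
info_to_sums() {
    awk -F': ' '/^Filename: /{f=$2} /^SHA-256 Hash: /{print $2 "  " f}'
}

# check_all SUMS_FILE DIR: run sha256sum -c over every listed file inside DIR.
# Exit status is 0 only when every file is present and matches.
check_all() { (cd "$2" && sha256sum -c "$1" >/dev/null); }

# Constructed downloads (not the real tarballs; the help-pack name is assumed).
MAIN="LibreOffice_7.5.1_Linux_x86-64_deb.tar.gz"
HELP="LibreOffice_7.5.1_Linux_x86-64_deb_helppack_en-US.tar.gz"
printf 'main package bytes\n' > "$WORK/$MAIN"
printf 'help pack bytes\n'    > "$WORK/$HELP"

# Constructed info text in the mirrorlist layout. For a real download you
# paste the "Filename:" and "SHA-256 Hash:" lines of each package's info page
# into one file; here the hashes are computed so the example is self-consistent.
INFO=$(printf 'Filename: %s\nPath: /libreoffice/stable/7.5.1/deb/x86_64/%s\nSHA-256 Hash: %s\n\nFilename: %s\nSHA-256 Hash: %s\n' \
    "$MAIN" "$MAIN" "$(sha256_of "$WORK/$MAIN")" "$HELP" "$(sha256_of "$WORK/$HELP")")
SUMS="$WORK/SHA256SUMS"
printf '%s\n' "$INFO" | info_to_sums > "$SUMS"

check_all "$SUMS" "$WORK" && echo "all listed files: OK"

# A truncated or altered download fails; sha256sum -c reports it by file name.
cp -p "$WORK/$MAIN" "$WORK/$MAIN.corrupt"
printf 'x' >> "$WORK/$MAIN.corrupt"
verify_one "$WORK/$MAIN.corrupt" "$(sha256_of "$WORK/$MAIN")" || echo "corrupted copy: BAD"
```

With GNU coreutils you can add `--strict` to the sha256sum call so that a mangled paste (a line that is not "hash  name") fails the run instead of being skipped with a warning; the checksum file itself can then be kept next to the downloads and re-run after every fetch.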
March 7, 2023 at 9:03 am #101333 Xunzi_23 (Member)

Hi Robin,
I have to admit I use the checksum comparisons for short term memory training.
Regarding the key, all I find is:

    Christian Lohmaier lohmaier at googlemail.com
    Fri Feb 27 05:06:09 PST 2015

    Hi *,
    On Fri, Feb 27, 2015 at 12:14 AM, <philorder at tutanota.de> wrote:
    > where is the fingerprint to check pgp signature
    > thanks

    The public key is on the public keyservers, you can obtain it e.g.
    with the following command:

    gpg --keyserver hkp://keys.gnupg.net --recv-keys AFEEAEA3

    If it asks you to verify the key's fingerprint, it is:
    C283 9ECA D940 8FBE 9531 C3E9 F434 A1EF AFEE AEA3

    ciao
    Christian

From: https://lists.freedesktop.org/archives/libreoffice/2015-February/066756.html

Which means, as you say, either trust AFEEAEA3 published using GMail,
which always curls my hair, or go nuts. Maybe it would be worthwhile pushing the issue to the Document Foundation,
mother of LibreOffice, rather than devs, who seem to be pretty immune to
a lot of persons asking for the key to be easily found.

The Document Foundation is interesting, especially for handbooks and cheat sheets as well as
background information.

March 7, 2023 at 7:24 pm #101413 Xunzi_23 (Member)
@Robin, would you please take a look at
https://keyserver.ubuntu.com/pks/lookup?search=Libreoffice&fingerprint=on&op=index
Maybe the somewhat frustrating secret of the LO team is not so well hidden after all.
Perhaps! It just needs the right tools or search.

    LibreOffice Build Team (CODE SIGNING KEY) <build@documentfoundation.org>

seems contained along with loads of developer keys. I do not have your expertise so I'm unsure.
According to some posts Kleopatra from KDE, or on Windows, seems to also be able to find the key, but
pulls in a huge number of extra packages so I have not tested it myself.
The https://keyserver.ubuntu.com/ advanced search filtering options also look pretty interesting.