4

After setting up a new apt repository with aptly, signing the repository, serving the repository with aptly and adding the public gpg key to the apt keyring, I encounter a failure during the apt update command:

Err:3 http://#REPO_URL#/#NAME# #DISTRIBUTION# InRelease                                    
  The following signatures were invalid: #KEY_ID#
Hit:4 http://apt.postgresql.org/pub/repos/apt sid-pgdg InRelease                  
Reading package lists... Done
W: GPG error: http://#REPO_URL#/#NAME# #DISTRIBUTION# InRelease: The following signatures were invalid: #KEY_ID#
E: The repository 'http://#REPO_URL#/#NAME# #DISTRIBUTION# InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

And yet the signature and the gpg keys are good. I succeed in verifying the gpg signature on the InRelease file:

curl http://#REPO_URL#/InRelease | gpg --keyring /etc/apt/trusted.gpg --verify
gpg: Signature made Wed 11 Jan 2017 04:01:23 PM CET
gpg:                using RSA key #KEY_ID#
gpg: Good signature from "#DESCRIPTION_GPG_KEY#" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: #GOOD_KEY_FINGERPRINT#

I also verified the Release and Release.gpg files with a similar command.

I tried to find out what is done during apt update with strace -o /tmp/strace -ff apt update, then grep:

grep 'apt.*key' ./strace*
./strace.29829:execve("/usr/bin/apt-key", ["/usr/bin/apt-key", "--quiet", "--readonly", "verify", "--status-fd", "3", "/tmp/apt.sig.ORUwxh", "/tmp/apt.data.kKXyrN"], [/* 28 vars */]) = 0
./strace.29829:open("/usr/bin/apt-key", O_RDONLY)      = 4
./strace.29888:execve("/usr/bin/apt-key", ["/usr/bin/apt-key", "--quiet", "--readonly", "verify", "--status-fd", "3", "/tmp/apt.sig.utRWBD", "/tmp/apt.data.Fo1Lka"], [/* 28 vars */]) = 0
./strace.29888:open("/usr/bin/apt-key", O_RDONLY)      = 4
./strace.29947:execve("/usr/bin/apt-key", ["/usr/bin/apt-key", "--quiet", "--readonly", "verify", "--status-fd", "3", "/tmp/apt.sig.ug6xiV", "/tmp/apt.data.Yv4zFs"], [/* 28 vars */]) = 0
./strace.29947:open("/usr/bin/apt-key", O_RDONLY)      = 4
./strace.30006:execve("/usr/bin/apt-key", ["/usr/bin/apt-key", "--quiet", "--readonly", "verify", "--status-fd", "3", "/tmp/apt.sig.QSyrCg", "/tmp/apt.data.LK9DGO"], [/* 28 vars */]) = 0
./strace.30006:open("/usr/bin/apt-key", O_RDONLY)      = 4

How can I debug and fix this error?

FlogFR
  • 1
    I had the same issue with aptly 0.8, upgrading to aptly 0.9.7 and re-publishing fixed it. The only difference I found was that aptly 0.9.7 creates the content-arch.gz and includes the SHA512 sums in the files. – Pinaraf Jan 13 '17 at 14:51

2 Answers

4

I had the same issue with an upgrade from Debian 8 (jessie) to Debian 9 (stretch). It turns out Debian 9 requires at least a 2048-bit GPG key, and mine had only 1024 bits. The following steps fixed it for me:

  • Create a new GPG key with 4096 bits
  • Update my GPG configuration to use that key as the default (~/.gnupg/gpg.conf, default-key option)
  • Re-sign my Release file, creating Release.gpg and InRelease

At this point, things started working again.

  • Can you link some documentation/changelog about this? – 131 Sep 30 '17 at 15:31
  • @131 all I have are the release notes for stretch – Norman Ramsey Sep 30 '17 at 19:15
  • Can you edit your answer with a link to https://www.debian.org/releases/stable/i386/release-notes/ch-information.en.html#apt-new-requirements-to-mirrors ? The sha256 requirement took me 1 day to figure out (thank you a lot!) => the error message states only "Invalid public key" – 131 Sep 30 '17 at 21:28
  • 1
    @131 stuck on phone. Not keen to edit a closed question through the keyhole – Norman Ramsey Oct 01 '17 at 01:50
  • OMG Thank you very much @NormanRamsey, I was trying to find information about the invalid signature messages in my runs of apt-get update and the key used to sign the Release file in my repository is 1024 bits. – cringe Oct 23 '17 at 11:21
  • One way to verify if a system is detecting it as weak algo is with gpg --verbose --keyring /etc/apt/trusted.gpg --verify Release.gpg Release where Release.gpg and Release are both published in the APT repo. – bithavoc Apr 24 '18 at 19:24
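The two causes named in this answer and its comments (a signing key shorter than 2048 bits, and a Release file without SHA256 checksums) can both be checked before publishing rather than discovered from apt's "signatures were invalid" message. The script below is an added example, not code from the question, the answers or the aptly project. It parses a Release file and the machine-readable output of gpg --with-colons --list-keys; the Release text, key ids and fingerprints in the sample inputs are constructed placeholders, and the names release_checksum_sections, weak_keys and audit are this example's own.

```python
"""Pre-flight checks for an apt repository signing setup (added example).

Checks whether a Release file carries a SHA256 checksum block and whether
the keys in a GnuPG keyring are at least 2048 bits, the two conditions the
discussion above identifies. Run with no arguments to exercise the built-in
constructed samples, or with a path to a Release file to check it together
with the keys in the invoking user's GnuPG keyring.
"""
import subprocess
import sys

MIN_KEY_BITS = 2048      # threshold stated in the answer above
REQUIRED_DIGEST = "SHA256"  # checksum block the stretch release notes require


def release_checksum_sections(release_text):
    """Return {block_name: number_of_file_entries} for the checksum blocks.

    A Release file is RFC822-like: "Field: value" lines are simple fields,
    while a field with an empty value (e.g. "SHA256:") opens a block whose
    indented lines ("<hash> <size> <path>") belong to it.
    """
    sections = {}
    current = None
    for line in release_text.splitlines():
        if line and not line[0].isspace():
            field, _, value = line.partition(":")
            current = field.strip() if value.strip() == "" else None
            if current:
                sections[current] = 0
        elif current and line.strip():
            sections[current] += 1
    return sections


def has_required_digest(release_text):
    """True when the Release file has at least one SHA256 entry."""
    return release_checksum_sections(release_text).get(REQUIRED_DIGEST, 0) > 0


def weak_keys(colon_output, min_bits=MIN_KEY_BITS):
    """Return (keyid, bits, algo) for every pub/sub key shorter than min_bits.

    In `gpg --with-colons` records field 1 is the record type, field 3 the key
    length in bits, field 4 the algorithm number (1 = RSA, 16 = Elgamal,
    17 = DSA) and field 5 the key id.
    """
    weak = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue
        bits, algo, keyid = int(fields[2]), fields[3], fields[4]
        if bits < min_bits:
            weak.append((keyid, bits, algo))
    return weak


def audit(release_text, colon_output):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    sections = release_checksum_sections(release_text)
    if sections.get(REQUIRED_DIGEST, 0) == 0:
        findings.append("Release lacks a %s block (found: %s)"
                        % (REQUIRED_DIGEST, sorted(sections)))
    for keyid, bits, algo in weak_keys(colon_output):
        findings.append("key %s: %d-bit (algo %s) is below %d bits"
                        % (keyid, bits, algo, MIN_KEY_BITS))
    return findings


# Constructed sample Release file with MD5Sum and SHA1 blocks but no SHA256,
# the situation the comments above describe. Hashes are those of an empty file.
SAMPLE_RELEASE_NO_SHA256 = """\
Origin: example
Suite: stable
Codename: stretch
Architectures: amd64
Components: main
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages.gz
SHA1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages.gz
"""
SAMPLE_RELEASE_WITH_SHA256 = SAMPLE_RELEASE_NO_SHA256 + """\
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages.gz
"""
# Constructed `gpg --with-colons --list-keys` output: a 1024-bit DSA key with a
# 1024-bit Elgamal subkey, then a 4096-bit RSA key. Key ids are placeholders.
SAMPLE_GPG_COLONS = """\
tru::1:1500000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:1400000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1400000000::PLACEHOLDER::Example Repo Key <repo@example.invalid>::::::::::0:
sub:u:1024:16:FEDCBA9876543210:1400000000::::::e::::::23:
pub:u:4096:1:1111111111111111:1500000000::u:::scESC::::::23::0:
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            release = fh.read()
        keys = subprocess.run(["gpg", "--with-colons", "--list-keys"],
                              capture_output=True, text=True, check=True).stdout
    else:
        release, keys = SAMPLE_RELEASE_NO_SHA256, SAMPLE_GPG_COLONS
    for finding in audit(release, keys) or ["no findings"]:
        print(finding)
```

Against the constructed samples the script reports both a missing SHA256 block and two 1024-bit keys; on a real repository, run it against the published Release file after signing and before pointing clients at the mirror.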
0

This bug came from a buggy version of aptly (I don't remember which version).

After an upgrade, the error disappeared.

FlogFR