When installing a package using apt-get install, the package is installed but gives the following warning:

    W: GPG error: http://12.345.67.890/repo stretch InRelease: The following signatures were invalid: 789B6B7630E9396A52F4D467B646B1C0B99B99E4
    W: The repository 'http://12.345.67.890/repo stretch InRelease' is not signed.

Situation:

  1. I am the maintainer of the repository, and don't wish users to need to implement workarounds on their side.
  2. The repository is being hosted on Centos7.
  3. reprepro.x86_64 4.17.0-3.el7 from epel is being used.
  4. The receiving machine is a RPi3.
  5. Both machines' dates show identical times.

Steps taken (mostly from SetupWithReprepro)

  1. I generated GnuPG keys using default values and a passphrase.
  2. I configured Apache
  3. I configured reprepro
    • The Maintainer in repo/dists/stretch/main/binary-armhf/Packages lists the same name and email as was used with my GPG key.
    • In conf/distributions, I've used "SignWith: default" as well as my main public and secondary public key, but no change. Note that the user I've implemented under has only one GPG key.
  4. I did not use overrides.
  5. I added packages to the repository
  6. I exported the public GnuPG key
    • I've tested using both the main public and secondary public key, and they produce an identical key.
  7. I did not attempt to sign the Debian package using dpkg-sig as everything I've read states reprepro will automatically do so.
  8. I imported the public GnuPG key described by Step 6.

What can I do to prevent this warning? If no single answer, I also have sub-questions:

  1. Can the issue be related to installing on Centos7?
  2. Is the package’s changelog file the same as repo/dists/stretch/main/binary-armhf/Packages?
  3. Does my key somehow have to be signed or hosted by someone else due to web of trust?
  4. Do I need to also insert my email when exporting the public GnuPG key (i.e. step 6 above)? If so, how?
  5. How can I manually ensure the key is properly signed on a different machine?
  6. Is dpkg-sig or equivalent available for Centos7?
  7. Does dpkg-buildpackage also need to be used? It isn't referenced by SetupWithReprepro.
user1032531
  • I think you want to sign the repo and not the packages. – Rui F Ribeiro Feb 08 '18 at 19:02
  • @RuiFRibeiro Sorry, bad wording on my side. Yes, the repo is what I signed (or actually what reprepro is supposed to automatically sign). – user1032531 Feb 08 '18 at 19:07
  • Add the epel repo (download the epel rpm for setting this up), then add these deb compat packages:

    sudo yum install dpkg dpkg-devel gnupg2 perl-TimeDate

    – Rui F Ribeiro Feb 08 '18 at 19:20
  • @RuiFRibeiro The following is already installed: dpkg.x86_64, dpkg-dev.noarch, dpkg-devel.x86_64, dpkg-perl.noarch (all from 1.17.27-1.el7 @epel), gnupg2.x86_64 (from 2.0.22-4.el7 @base), perl-TimeDate.noarch (from 1:2.30-2.el7 @base) – user1032531 Feb 08 '18 at 19:27
  • Asked and answered at https://unix.stackexchange.com/questions/387053/ , I suspect. – JdeBP Feb 08 '18 at 21:01
  • @JdeBP Yes, it seems it has been asked... and answered. Prior to posting this question, I searched for quite a bit and didn't come across it. Thank you! Wish I found it earlier and saved the time coming up with theoretical causes... – user1032531 Feb 08 '18 at 21:47
  • Note that the "existing question" does not have a selected answer. I've been trying to verify whether it will solve the problem, however, have not yet been successful. – user1032531 Feb 09 '18 at 11:07

0 Answers