3

I've inadvertently stepped into "update hell".

I updated a number of dependencies trying to install the Gerbera media server. In the process several existing services stopped running, including mariadb.

Then, when I tried to update/upgrade my mariadb install I hit the following error on the UKFast mirror I had been using:

apt-get update
...
Err:4 http://mirrors.ukfast.co.uk/sites/mariadb/repo/10.3/debian jessie InRelease
  The following signatures were invalid: 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB
Reading package lists... Done

Now, I've tried several recipes for updating GPG keys, including installing the debian-archive-keyring package. I also switched to a different mirror for mariadb, but still the same error:

GPG error: http://mirrors.coreix.net/mariadb/repo/10.2/debian jessie InRelease: The following signatures were invalid: 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB

Searching the web for clues, I'm beginning to think this is actually a problem with the way the mirror has their content signed, per this posting: Debian 9, APT, and "GPG error: ... InRelease: The following signatures were invalid:"

Assuming this is the problem (the mirrors using obsolete SHA1 signatures), until the mirrors update their sigs, is there a way for me to persuade apt to process the package?

UPDATE

This seems to have been caused by my choosing an incorrect / unsupported combination of version names.

After trying a lot of combinations, I ended up using the following in /etc/sources.list.d/mariadb.list:

deb [arch=amd64,i386] http://mirrors.coreix.net/mariadb/repo/10.3/debian stretch main
deb-src http://mirrors.coreix.net/mariadb/repo/10.3/debian stretch main

Now Stretch isn't my current version (I'm on Buster), but I'm guessing Stretch is the latest release supported by MariaDB.

I'm wondering if the key error was a red herring, but at least it works now, without any further updates to the release keys.

Thanks to those who responded with suggestions.

Jeff Schaller
Incans
  • 1
    You can always ignore signatures, at least temporarily – Rui F Ribeiro Dec 24 '18 at 22:59
  • 1
    Maybe temporarily switch to another mirror before allowing in packages with an invalid signature and wait until it's fixed. You should be able to change it in /etc/apt/sources.list. But you should back it up before changing. – rudib Dec 24 '18 at 23:09
  • You mention Debian 8. My question talked about Debian 9. You can clarify the question by editing in the version of APT that you have upgraded to. (-: – JdeBP Dec 27 '18 at 11:56

1 Answer

2

The key did change between Jessie and Stretch. For Stretch, you would use:

sudo apt-get install software-properties-common dirmngr
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://mirrors.coreix.net/mariadb/repo/10.3/debian stretch main'

For Jessie, you would use:

sudo apt-get install software-properties-common
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db
sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://mirrors.coreix.net/mariadb/repo/10.3/debian jessie main'

Our repositories for Debian "Sid" and the Ubuntu 16.04 and beyond "Xenial" use a new GPG signing key. As detailed in MDEV-9781, APT 1.2.7 (and later) prefers SHA2 GPG keys and now prints warnings when a repository is signed using a SHA1 key like our previous GPG key. We have created a new SHA2 key for use with these affected repositories.

Comment of the mariadb release manager:

Yes, there will be a Stretch repository eventually. It will use the same key we're now using for Sid.

See https://mariadb.com/kb/en/library/gpg/ as well as the repo configuration tool at https://downloads.mariadb.org/mariadb/repositories

GAD3R
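An added example, not part of the original answer or of any MariaDB tooling: a shell function that reads apt-get update output and reports, for each rejected signature, the repository, the suite and whether the signing key is the Jessie or the Stretch key ID given in the answer. The function names and the sample input (built from the error lines quoted in the question) are constructed for illustration.

```shell
#!/bin/sh
# Long key IDs exactly as given in the answer (lowercase, without 0x).
JESSIE_KEY="cbcb082a1bb943db"
STRETCH_KEY="f1656f24c74cd1d8"

# Constructed sample: the two error forms quoted in the question.
sample_apt_output() {
cat <<'EOF'
Err:4 http://mirrors.ukfast.co.uk/sites/mariadb/repo/10.3/debian jessie InRelease
  The following signatures were invalid: 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB
GPG error: http://mirrors.coreix.net/mariadb/repo/10.2/debian jessie InRelease: The following signatures were invalid: 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB
EOF
}

# Reads apt-get update output on stdin and prints one line per rejected
# signature: "<repo-url> <suite> <long-key-id> <which-key>".
diagnose_invalid_sigs() {
    awk -v jessie="$JESSIE_KEY" -v stretch="$STRETCH_KEY" '
    # Two-line form: remember the repository from "Err:N URL SUITE InRelease".
    /^Err:[0-9]+ / { url = $2; suite = $3 }
    # One-line form: "GPG error: URL SUITE InRelease: The following ..."
    /^(W: )?GPG error: / {
        for (i = 1; i < NF; i++)
            if ($i ~ /^https?:\/\//) { url = $i; suite = $(i + 1) }
    }
    /The following signatures were invalid:/ {
        for (i = 1; i <= NF; i++) {
            # A full fingerprint is 40 hex digits; its last 16 are the long key ID.
            if ($i ~ /^[0-9A-Fa-f]+$/ && length($i) == 40) {
                id = tolower(substr($i, 25))
                which = "unknown-key"
                if (id == jessie)  which = "jessie-key"
                if (id == stretch) which = "stretch-key"
                print url, suite, id, which
            }
        }
    }'
}

# Stand-alone run on the constructed sample.
sample_apt_output | diagnose_invalid_sigs
```

On the question's output both lines resolve to the key ID the answer lists for Jessie, on both mirrors, which is why switching mirrors did not change the error.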