Invalid signatures reported by clients in successfully published repository


David Laštovička

Nov 19, 2023, 11:31:17 AM
to aptly-discuss
Hello everyone,
I followed a procedure like the one described in https://www.aptly.info/tutorial/mirror/, i.e. creating a few filtered mirrors, their snapshots, merging, publishing.
All went without issues, but when I configure the client and run `sudo apt-get update`, it complains:
Get:1 http://dl-intense:8080 mantic InRelease [4.132 B]
Err:1 http://dl-intense:8080 mantic InRelease
  At least one invalid signature was encountered.
[...skipped...]
Reading package lists... Done
W: GPG error: http://dl-intense:8080 mantic InRelease: At least one invalid signature was encountered.
E: The repository 'http://dl-intense:8080 mantic InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

To exclude issues with Apache configuration I used aptly serve with the same result.
In .aptly.conf I tried to change gpgProvider to gpg2, ran `aptly publish drop` and `publish snapshot` again, but no improvement.
I use:
  • aptly version: 1.5.0+ds1-2
  • gpg (GnuPG) 2.2.40
  • gpg keys without passphrase
Can someone point me in some direction? I have no idea what I can try differently, as I don't get any errors during the process of the repository creation.

David Laštovička

Nov 19, 2023, 12:45:17 PM
to aptly-discuss
In the meantime, I tried to download the Release, Release.gpg and InRelease files and use gpg --verify to check the signatures.
Here is the outcome:

gpg --verify InRelease
Signature made So 19 Nov 2023 17:11:43 CET
gpg:                using RSA key B3B218F0330205CEE49A552E07AFBA683C975B01
gpg: Good signature from "XXXXX"

and

gpg --verify Release.gpg Release
gpg: Signature made Mo 16 Okt 2023 23:12:53 CEST
gpg:                using RSA key 871920D1991BC93C
gpg: Can't check signature: No public key

It seems that the two files are signed using different keys?!
The first one, using the key B3B218F0330205CEE49A552E07AFBA683C975B01, is ok, as expected.
The second one, 871920D1991BC93C, does not correspond to any key that I have in the system...
In addition, before generating the repository I had completely deleted the content of .aptly.conf, to be sure that I start from scratch.

David Laštovička

Nov 19, 2023, 1:37:15 PM
to aptly-discuss
Ok, resolved. I recreated the whole repo and passed the gpg key explicitly to aptly, `aptly publish -gpg-key="B3B218F0330205CEE49A552E07AFBA683C975B01"`, and it works now!
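The mismatch found in this thread (InRelease signed by one key, the detached Release.gpg by another) is easy to catch right after publishing, before any client sees it. The following post-publish check is an added example, not aptly's own tooling or code from the thread: it parses the "using ... key" line of gpg's verify output for both signature files and fails when the key ids differ. The dist directory layout (`public/dists/<dist>`) is an assumption.

```shell
#!/bin/sh
# Added post-publish check (not part of aptly): fail if InRelease and
# Release.gpg were produced by different signing keys. apt reads InRelease
# first, and a Release.gpg from an unknown key gives the "invalid
# signature" / "not signed" errors seen in the thread.

# Read gpg --verify output on stdin and print the key id or fingerprint
# from the "gpg: using RSA key ..." line (first match only).
signing_key() {
    sed -n 's/^gpg:[[:space:]]*using [A-Z0-9]* key \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# gpg prints either a 16-hex long key id or a 40-hex fingerprint depending
# on what it knows about the key, so compare on the last 16 hex digits.
same_key() {
    a=$(printf '%s' "$1" | tail -c 16)
    b=$(printf '%s' "$2" | tail -c 16)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Verify both signature files of one published dist, e.g.
#   check_dist public/dists/mantic        (assumed layout)
# Exit status 1 on mismatch or if a key id could not be parsed.
check_dist() {
    dist="$1"
    # LC_ALL=C keeps gpg's messages in English so the parser matches.
    k1=$(LC_ALL=C gpg --verify "$dist/InRelease" 2>&1 | signing_key)
    k2=$(LC_ALL=C gpg --verify "$dist/Release.gpg" "$dist/Release" 2>&1 | signing_key)
    if same_key "$k1" "$k2"; then
        echo "OK: InRelease and Release.gpg both signed by key ending $(printf '%s' "$k1" | tail -c 16)"
    else
        echo "MISMATCH: InRelease key='$k1' Release.gpg key='$k2'" >&2
        return 1
    fi
}
```

Run it against every dist under `public/dists` after `aptly publish`; a non-zero exit is the signal to republish with an explicit `-gpg-key`.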