Invalid signature for the apt repository

[Marco Marongiu]

Hello there

I am having trouble on my policy hub (Debian 13) with CFEngine's apt repository. The signature of the repository is being rejected. I have also explicitly trusted /etc/apt/trusted.gpg.d but it didn't help, the problem is in the signature itself:

Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [38 B]
Get:2 file:/etc/apt/mirrors/debian-security.list Mirrorlist [47 B]                                    
Hit:3 https://cdn-aws.deb.debian.org/debian trixie InRelease                                          
Get:4 https://cdn-aws.deb.debian.org/debian trixie-updates InRelease [47.3 kB]
Get:5 https://cdn-aws.deb.debian.org/debian trixie-backports InRelease [54.0 kB]
Hit:6 https://cdn-aws.deb.debian.org/debian-security trixie-security InRelease
Get:7 https://cdn-aws.deb.debian.org/debian trixie-backports/main Sources.diff/Index [63.3 kB]
Get:8 https://cdn-aws.deb.debian.org/debian trixie-backports/main Sources T-2026-02-09-0800.45-F-2026-02-09-0800.45.pdiff [945 B]
Get:8 https://cdn-aws.deb.debian.org/debian trixie-backports/main Sources T-2026-02-09-0800.45-F-2026-02-09-0800.45.pdiff [945 B]
Get:9 https://cfengine-package-repos.s3.amazonaws.com/pub/apt/packages stable InRelease [6648 B]
Err:9 https://cfengine-package-repos.s3.amazonaws.com/pub/apt/packages stable InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type  Caused by:     Signature Packet v3 is not considered secure since 2026-02-01T00:00:00Z
Warning: https://cfengine-package-repos.s3.amazonaws.com/pub/apt/packages/dists/stable/InRelease: Loading /etc/apt/trusted.gpg from deprecated option Dir::Etc::Trusted
Warning: OpenPGP signature verification failed: https://cfengine-package-repos.s3.amazonaws.com/pub/apt/packages stable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type  Caused by:     Signature Packet v3 is not considered secure since 2026-02-01T00:00:00Z
Error: The repository 'https://cfengine-package-repos.s3.amazonaws.com/pub/apt/packages stable InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.

Can you help with fixing the signature, pretty pretty please please? ;-)

Ciao,
-- bronto

[Lars Erik Wik]

Hi bronto,

thanks for reporting this. It appears signature verification tool on Debian 13 has deprecated signature packet v3. This means that we (the maintainers), need to re-sign our packages with a newer version. I created a ticket in our bug tracker to make this happen (see https://northerntech.atlassian.net/browse/CFE-4634).

In the meanwhile you can download packages from here: https://cfengine.com/downloads/cfengine-community/

Although, not recommended. You can also add `[trusted=yes]` to `/etc/apt/sources.list.d/cfengine-community.list` to skip the signature verification. It will look like this `deb [trusted=yes] https://cfengine-package-repos.s3.amazonaws.com/pub/apt/packages stable main`.

Best regards,

- Lars

[Lars Erik Wik]

Hi again bronto,

We have updated the repositories. Can you please try again (see https://cfengine.com/cfengine-linux-distros/).

Best regards,

- Lars