Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
debian11 early - apt-get update - At least one invalid signature was encountered
1,101 views
Skip to first unread message
raf
Aug 14, 2021, 10:00:04 PM8/14/21
to
Hi,
Firstly, many thanks for debian-11. I've been looking
forward to the newer bind9 and its dnssec-policy
finally making it trivial to implement DNSSEC on a
stable system. Yay!
My problem: A day or two ago, I tried to upgrade to
debian-11 on a little VM on my laptop and I've run into
a problem.
I know it wasn't official yet, but I thought I could
get away with it. And I wanted to have done it once
before upgrading a more important VM. But I would like
to get this VM unbroken as well.
I wasn't as careful as usual with it (I didn't do the
backups mentioned in Release Notes section 4.1.1) but
I'm not sure if that would have helped.
I added the new the bullseye details to
/etc/apt/sources.list but I didn't comment out the
existing buster details at the same time. I think that
might have been my mistake. Then, I did apt update and
got GPG invalid signature errors.
And I still get them when I only have the buster
details in sources.list and when I only have the
bullseye details there. But before, everything
was fine.
With buster only:
deb http://ftp.au.debian.org/debian/ buster main
deb-src http://ftp.au.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main
deb http://ftp.au.debian.org/debian/ buster-updates main
deb-src http://ftp.au.debian.org/debian/ buster-updates main
apt update looks like this:
Err:1 http://security.debian.org/debian-security buster/updates InRelease
At least one invalid signature was encountered.
Get:2 http://ftp.au.debian.org/debian buster InRelease [122 kB]
Get:3 http://ftp.au.debian.org/debian buster-updates InRelease [51.9 kB]
Err:2 http://ftp.au.debian.org/debian buster InRelease
At least one invalid signature was encountered.
Err:3 http://ftp.au.debian.org/debian buster-updates InRelease
At least one invalid signature was encountered.
Fetched 174 kB in 0s (452 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org/debian-security buster/updates InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian buster InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian buster-updates InRelease: At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/buster/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://security.debian.org/debian-security/dists/buster/updates/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/buster-updates/InRelease At least one invalid signature was encountered.
W: Some index files failed to download. They have been ignored, or old ones used instead.
With bullseye only:
deb http://ftp.au.debian.org/debian/ bullseye main contrib non-free
deb-src http://ftp.au.debian.org/debian/ bullseye main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb-src http://security.debian.org/debian-security bullseye-security main contrib non-free
deb http://ftp.au.debian.org/debian/ bullseye-updates main contrib non-free
deb-src http://ftp.au.debian.org/debian/ bullseye-updates main contrib non-free
apt update looks like:
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Err:1 http://security.debian.org/debian-security bullseye-security InRelease
At least one invalid signature was encountered.
Get:2 http://ftp.au.debian.org/debian bullseye InRelease [113 kB]
Get:3 http://ftp.au.debian.org/debian bullseye-updates InRelease [40.1 kB]
Err:2 http://ftp.au.debian.org/debian bullseye InRelease
At least one invalid signature was encountered.
Err:3 http://ftp.au.debian.org/debian bullseye-updates InRelease
At least one invalid signature was encountered.
Fetched 153 kB in 0s (448 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
1416 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org/debian-security bullseye-security InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian bullseye InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian bullseye-updates InRelease: At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/bullseye/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://security.debian.org/debian-security/dists/bullseye-security/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/bullseye-updates/InRelease At least one invalid signature was encountered.
W: Some index files failed to download. They have been ignored, or old ones used instead.
Changing security.debian.org to ftp.au.debian.org added this:
Err:3 http://ftp.au.debian.org/debian-security bullseye-security Release
404 Not Found [IP: 150.203.164.37 80]
Changing http to https (for ftp.au.debian.org) gives TLS certificate errors:
Could not handshake: Error in the certificate verification
Changing ftp.au.debian.org to deb.debian.org still had the signature errors.
Here's what I think the preferred sources.list should be:
deb https://deb.debian.org/debian/ bullseye main contrib non-free
deb-src https://deb.debian.org/debian/ bullseye main contrib non-free
deb https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb-src https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb https://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb-src https://deb.debian.org/debian/ bullseye-updates main contrib non-free
(but I want to keep using ftp.au.debian.org if I can)
But the apt update output is still bad:
Get:1 https://deb.debian.org/debian bullseye InRelease [113 kB]
Err:1 https://deb.debian.org/debian bullseye InRelease
At least one invalid signature was encountered.
Get:2 https://deb.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Err:2 https://deb.debian.org/debian-security bullseye-security InRelease
At least one invalid signature was encountered.
Get:3 https://deb.debian.org/debian bullseye-updates InRelease [40.1 kB]
Err:3 https://deb.debian.org/debian bullseye-updates InRelease
At least one invalid signature was encountered.
Reading package lists... Done
W: GPG error: https://deb.debian.org/debian bullseye InRelease: At least one invalid signature was encountered.
E: The repository 'https://deb.debian.org/debian bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://deb.debian.org/debian-security bullseye-security InRelease: At least one invalid signature was encountered.
E: The repository 'https://deb.debian.org/debian-security bullseye-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://deb.debian.org/debian bullseye-updates InRelease: At least one invalid signature was encountered.
E: The repository 'https://deb.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
I just noticed that the bullseye items in sources.list
had "contrib non-free" which the buster details didn't
include. I removed them and tried again but it didn't
help.
This is a pure debian stable system.
apt-forktracer reported nothing when I started.
Now it reports 1682 packages.
The time on the VM is correct.
The VM disk isn't full (86% used, 950MB free).
Any idea what I can do to fix this?
Thanks for your time,
raf
Firstly, many thanks for debian-11. I've been looking
forward to the newer bind9 and its dnssec-policy
finally making it trivial to implement DNSSEC on a
stable system. Yay!
My problem: A day or two ago, I tried to upgrade to
debian-11 on a little VM on my laptop and I've run into
a problem.
I know it wasn't official yet, but I thought I could
get away with it. And I wanted to have done it once
before upgrading a more important VM. But I would like
to get this VM unbroken as well.
I wasn't as careful as usual with it (I didn't do the
backups mentioned in Release Notes section 4.1.1) but
I'm not sure if that would have helped.
I added the new the bullseye details to
/etc/apt/sources.list but I didn't comment out the
existing buster details at the same time. I think that
might have been my mistake. Then, I did apt update and
got GPG invalid signature errors.
And I still get them when I only have the buster
details in sources.list and when I only have the
bullseye details there. But before, everything
was fine.
With buster only:
deb http://ftp.au.debian.org/debian/ buster main
deb-src http://ftp.au.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main
deb http://ftp.au.debian.org/debian/ buster-updates main
deb-src http://ftp.au.debian.org/debian/ buster-updates main
apt update looks like this:
Err:1 http://security.debian.org/debian-security buster/updates InRelease
At least one invalid signature was encountered.
Get:2 http://ftp.au.debian.org/debian buster InRelease [122 kB]
Get:3 http://ftp.au.debian.org/debian buster-updates InRelease [51.9 kB]
Err:2 http://ftp.au.debian.org/debian buster InRelease
At least one invalid signature was encountered.
Err:3 http://ftp.au.debian.org/debian buster-updates InRelease
At least one invalid signature was encountered.
Fetched 174 kB in 0s (452 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org/debian-security buster/updates InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian buster InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian buster-updates InRelease: At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/buster/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://security.debian.org/debian-security/dists/buster/updates/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/buster-updates/InRelease At least one invalid signature was encountered.
W: Some index files failed to download. They have been ignored, or old ones used instead.
With bullseye only:
deb http://ftp.au.debian.org/debian/ bullseye main contrib non-free
deb-src http://ftp.au.debian.org/debian/ bullseye main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb-src http://security.debian.org/debian-security bullseye-security main contrib non-free
deb http://ftp.au.debian.org/debian/ bullseye-updates main contrib non-free
deb-src http://ftp.au.debian.org/debian/ bullseye-updates main contrib non-free
apt update looks like:
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Err:1 http://security.debian.org/debian-security bullseye-security InRelease
At least one invalid signature was encountered.
Get:2 http://ftp.au.debian.org/debian bullseye InRelease [113 kB]
Get:3 http://ftp.au.debian.org/debian bullseye-updates InRelease [40.1 kB]
Err:2 http://ftp.au.debian.org/debian bullseye InRelease
At least one invalid signature was encountered.
Err:3 http://ftp.au.debian.org/debian bullseye-updates InRelease
At least one invalid signature was encountered.
Fetched 153 kB in 0s (448 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
1416 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org/debian-security bullseye-security InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian bullseye InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian bullseye-updates InRelease: At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/bullseye/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://security.debian.org/debian-security/dists/bullseye-security/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/bullseye-updates/InRelease At least one invalid signature was encountered.
W: Some index files failed to download. They have been ignored, or old ones used instead.
Changing security.debian.org to ftp.au.debian.org added this:
Err:3 http://ftp.au.debian.org/debian-security bullseye-security Release
404 Not Found [IP: 150.203.164.37 80]
Changing http to https (for ftp.au.debian.org) gives TLS certificate errors:
Could not handshake: Error in the certificate verification
Changing ftp.au.debian.org to deb.debian.org still had the signature errors.
Here's what I think the preferred sources.list should be:
deb https://deb.debian.org/debian/ bullseye main contrib non-free
deb-src https://deb.debian.org/debian/ bullseye main contrib non-free
deb https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb-src https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb https://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb-src https://deb.debian.org/debian/ bullseye-updates main contrib non-free
(but I want to keep using ftp.au.debian.org if I can)
But the apt update output is still bad:
Get:1 https://deb.debian.org/debian bullseye InRelease [113 kB]
Err:1 https://deb.debian.org/debian bullseye InRelease
At least one invalid signature was encountered.
Get:2 https://deb.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Err:2 https://deb.debian.org/debian-security bullseye-security InRelease
At least one invalid signature was encountered.
Get:3 https://deb.debian.org/debian bullseye-updates InRelease [40.1 kB]
Err:3 https://deb.debian.org/debian bullseye-updates InRelease
At least one invalid signature was encountered.
Reading package lists... Done
W: GPG error: https://deb.debian.org/debian bullseye InRelease: At least one invalid signature was encountered.
E: The repository 'https://deb.debian.org/debian bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://deb.debian.org/debian-security bullseye-security InRelease: At least one invalid signature was encountered.
E: The repository 'https://deb.debian.org/debian-security bullseye-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://deb.debian.org/debian bullseye-updates InRelease: At least one invalid signature was encountered.
E: The repository 'https://deb.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
I just noticed that the bullseye items in sources.list
had "contrib non-free" which the buster details didn't
include. I removed them and tried again but it didn't
help.
This is a pure debian stable system.
apt-forktracer reported nothing when I started.
Now it reports 1682 packages.
The time on the VM is correct.
The VM disk isn't full (86% used, 950MB free).
Any idea what I can do to fix this?
Thanks for your time,
raf
john doe
Aug 15, 2021, 2:30:04 AM8/15/21
to
Some hints more than an answer:
- Try to remove the gpg keys in '/etc/apt' directory.
- Try to remove the Debian apt-keyring pkg ('$ apt-get --autoremove
purge <PKG-NAME]')
$ apt-get update && apt-get full-upgrade
P.S.
I would first try the first step and see how it goes
--
John Doe
raf
Aug 15, 2021, 4:50:05 AM8/15/21
to
On Sun, Aug 15, 2021 at 08:24:13AM +0200, john doe <johndo...@mail.com> wrote:
> The below assumes that 'sources.list' is set only for bullseye
>
> Some hints more than an answer:
> - Try to remove the gpg keys in '/etc/apt' directory.
> - Try to remove the Debian apt-keyring pkg ('$ apt-get --autoremove
> purge <PKG-NAME]')
>
> $ apt-get update && apt-get full-upgrade
>
> P.S.
>
> I would first try the first step and see how it goes
>
> --
> John Doe
Thanks, but removing keys from /etc/apt/trusted.gpg.d
> The below assumes that 'sources.list' is set only for bullseye
>
> Some hints more than an answer:
> - Try to remove the gpg keys in '/etc/apt' directory.
> - Try to remove the Debian apt-keyring pkg ('$ apt-get --autoremove
> purge <PKG-NAME]')
>
> $ apt-get update && apt-get full-upgrade
>
> P.S.
>
> I would first try the first step and see how it goes
>
> --
> John Doe
didn't help. There is no apt-keyring package. And I
couldn't bring myself to uninstall the
debian-archive-keyring package because I assumed that
would make it impossible to ever install anything ever
again. There was an old debian-keyring package that I
removed. But nothing helped.
Never mind. On another VM with the same sized disk, an
upgrade of a fresh debian-10 install got past that
point happily, but then ran out of disk when it got to
the kernel. So it probably wouldn't have worked anyway
(but 1GB spare should have been enough). Another VM
with double the disk upgraded fine.
And the important VM that matters upgraded fine as
well. So it's OK now.
Although bind9 crashed in a heap and dumped core and
couldn't run, as soon as I got it to DNSSEC-sign all my
zones. I wasn't expecting bind9 to crash immediately on
debian stable!
And it overwrote my carefully crafted and documented
zonefiles. I wasn't expecting that either (having read
all the documentation on the subject).
But that's a discussion for a different mailing list,
unless someone here knows what the crashing is about
(bind9-9.16.15 + DNSSEC = firetrucks and sirens). :-)
I hope I won't have to wait too long for bind9-9.16.19.
cheers,
raf
raf
Aug 15, 2021, 7:30:04 PM8/15/21
to
On Sun, Aug 15, 2021 at 06:47:34PM +1000, raf <deb...@raf.org> wrote:
> On Sun, Aug 15, 2021 at 08:24:13AM +0200, john doe <johndo...@mail.com> wrote:
>
> > The below assumes that 'sources.list' is set only for bullseye
> >
> > Some hints more than an answer:
> > - Try to remove the gpg keys in '/etc/apt' directory.
> > - Try to remove the Debian apt-keyring pkg ('$ apt-get --autoremove
> > purge <PKG-NAME]')
> >
> > $ apt-get update && apt-get full-upgrade
> >
> > P.S.
> >
> > I would first try the first step and see how it goes
> >
> > --
> > John Doe
It's working now on the original VM. Someone else reported
> On Sun, Aug 15, 2021 at 08:24:13AM +0200, john doe <johndo...@mail.com> wrote:
>
> > The below assumes that 'sources.list' is set only for bullseye
> >
> > Some hints more than an answer:
> > - Try to remove the gpg keys in '/etc/apt' directory.
> > - Try to remove the Debian apt-keyring pkg ('$ apt-get --autoremove
> > purge <PKG-NAME]')
> >
> > $ apt-get update && apt-get full-upgrade
> >
> > P.S.
> >
> > I would first try the first step and see how it goes
> >
> > --
> > John Doe
that keys have finally made it to a German mirror, solving
a similar problem for them. I guess I was having the same
A problem with the Australian mirror. But maybe that's just
a guess. The keys aren't actually new. But it sounds like
something to do with something taking a while to propagate
to mirrors.
cheers,
raf
jeremy ardley
Aug 15, 2021, 7:40:04 PM8/15/21
to
On 16/08/2021 7:19 am, raf wrote:
>
> It's working now on the original VM. Someone else reported
> that keys have finally made it to a German mirror, solving
> a similar problem for them. I guess I was having the same
> A problem with the Australian mirror. But maybe that's just
> a guess. The keys aren't actually new. But it sounds like
> something to do with something taking a while to propagate
> to mirrors.
>
> cheers,
> raf
Australian ones including ones in my city Perth.
I think there is some server speed selection in apt? So you may not be
using the servers you think you are using.
Jeremy
0 new messages