Hello Michael, * On Tue, Jul 19, 2022 at 08:28:35AM +0200 Michael Behrisch wrote:
Actually it works if I use your repo but not with mine. I still get "Signature invalid" errors, so there might be really a problem with my signature. Can I update it somehow?
You are right, but I am not sure WHY this happens. I added your repository in a Debian VM, I get the signature problems. Now, the interesting part: $ wget https://download.opensuse.org/repositories/home:/behrisch/Debian_11/InReleas... $ wget https://download.opensuse.org/repositories/home:/behrisch/Debian_11/Release $ wget https://download.opensuse.org/repositories/home:/behrisch/Debian_11/Release.... # gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/home_behrisch.gpg --verify InRelease gpg: Signatur vom Di 19 Jul 2022 17:04:46 CEST gpg: mittels DSA-Schlüssel 56DFF5B0559BC40E gpg: Korrekte Signatur von "home:behrisch OBS Project home:behrisch@build.opensuse.org" [unbekannt] gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur! gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört. Haupt-Fingerabdruck = 22E0 D9DA E3D6 3FCB A97A B999 56DF F5B0 559B C40E # gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/home_behrisch.gpg --verify /var/lib/apt/lists/partial/download.opensuse.org_repositories_home\:_behrisch_Debian%5f11_InRelease gpg: Signatur vom Di 19 Jul 2022 17:04:46 CEST gpg: mittels DSA-Schlüssel 56DFF5B0559BC40E gpg: Korrekte Signatur von "home:behrisch OBS Project home:behrisch@build.opensuse.org" [unbekannt] gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur! gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört. Haupt-Fingerabdruck = 22E0 D9DA E3D6 3FCB A97A B999 56DF F5B0 559B C40E # gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/home_behrisch.gpg --verify Release.gpg Release gpg: Signatur vom Di 19 Jul 2022 17:04:46 CEST gpg: mittels DSA-Schlüssel 56DFF5B0559BC40E gpg: Korrekte Signatur von "home:behrisch OBS Project home:behrisch@build.opensuse.org" [unbekannt] gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur! gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört. Haupt-Fingerabdruck = 22E0 D9DA E3D6 3FCB A97A B999 56DF F5B0 559B C40E # gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/home_strik.gpg --verify /var/lib/apt/lists/download.opensuse.org_repositories_home\:_strik_Debian%5f11_InRelease gpg: Signatur vom Di 19 Jul 2022 19:53:17 CEST gpg: mittels RSA-Schlüssel 5648F685941B3F8F gpg: Korrekte Signatur von "home:strik OBS Project home:strik@build.opensuse.org" [unbekannt] gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur! gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört. Haupt-Fingerabdruck = 4A96 F212 11DF 78D0 4CE1 5FC5 5648 F685 941B 3F8F Ok, the signatures are correct. # cat /etc/apt/sources.list.d/behrisch.list #deb [signed-by=/etc/apt/trusted.gpg.d/home_behrisch.gpg] https://download.opensuse.org/repositories/home:/behrisch/Debian_11/ / deb https://download.opensuse.org/repositories/home:/behrisch/Debian_11/ / Note the commented-out line (#deb) where I added a signed-by to hint apt which key to use; it does not work, either, if I use that line instead of the line below. However: # LANG=C apt update Hit:1 http://deb.debian.org/debian bullseye InRelease Hit:2 http://security.debian.org/debian-security bullseye-security InRelease Get:3 https://download.opensuse.org/repositories/home:/strik/Debian_11 InRelease [1526 B] Get:4 https://download.opensuse.org/repositories/home:/behrisch/Debian_11 InRelease [1224 B] Err:4 https://download.opensuse.org/repositories/home:/behrisch/Debian_11 InRelease The following signatures were invalid: 22E0D9DAE3D63FCBA97AB99956DFF5B0559BC40E Reading package lists... Done W: GPG error: https://download.opensuse.org/repositories/home:/behrisch/Debian_11 InRelease: The following signatures were invalid: 22E0D9DAE3D63FCBA97AB99956DFF5B0559BC40E E: The repository 'https://download.opensuse.org/repositories/home:/behrisch/Debian_11 InRelease' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. You see, my signature (home:/strik) is accepted, while your (home:/behrisch) is not. Now, the download InRelease file is correct, too: # gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/home_behrisch.gpg --verify /var/lib/apt/lists/partial/download.opensuse.org_repositories_home\:_behrisch_Debian%5f11_InRelease gpg: Signatur vom Di 19 Jul 2022 17:04:46 CEST gpg: mittels DSA-Schlüssel 56DFF5B0559BC40E gpg: Korrekte Signatur von "home:behrisch OBS Project home:behrisch@build.opensuse.org" [unbekannt] gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur! gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört. Haupt-Fingerabdruck = 22E0 D9DA E3D6 3FCB A97A B999 56DF F5B0 559B C40E This can be proved with a hash, too: # sha256sum /var/lib/apt/lists/partial/download.opensuse.org_repositories_home\:_behrisch_Debian%5f11_InRelease InRelease 9575e3d96428ff24ecc302fb882bed37d9b96801ff5239292863021adaedf19e /var/lib/apt/lists/partial/download.opensuse.org_repositories_home:_behrisch_Debian%5f11_InRelease 9575e3d96428ff24ecc302fb882bed37d9b96801ff5239292863021adaedf19e InRelease I am not sure if this is a problem of OBS or a problem of apt in this case. At the moment, I would believe more of a problem of apt here. Even "moving /var/lib/apt/lists/ out of the way" and doing a fresh apt update does not solve the problem, nor does using apt-get or aptitude. I also checked the user, group and access rights of the files in /etc/apt/sources.list.d/ and /etc/apt/trusted.gpg.d/; I cannot see any differences between your and my files. I am sorry, I cannot help you here. As I am thinking more of a Debian problem than of a OBS problem, I would consider changing to the debian-user-german mailing list for this specific problem. They might have some ideas, hints or similar on what is going on here. Regards, Spiro -- Spiro R. Trikaliotis https://spiro.trikaliotis.net/