Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

GPG error updating Debian repositories



  • Hi. I'm having troubles using debian repositories on Ubuntu.
    I've followed the instructions to use the debian repository and the key was imported correctly, but when I run apt update command the following error appears:

    W: GPG error: https://myserver:8080/debian/stable jammy InRelease: The following signatures were invalid: BADSIG D263579579B65410 stable@proget
    E: The repository "https://myserver:8080/debian/stable jammy InRelease" is not signed.
    

    I tried on Bionic and Jammy versions with several client computers. I tried importing the key with apt and using a keyring directory. I tried with different feeds. But the same error always appears.
    How could I solve it? Is it any way to recreate the ".asc" keys? Maybe there is some kind of error with them.

    Thank you.


  • inedo-engineer

    Hi @daniel-scati,

    Unfortunately we're not familiar enough with apt to know how to troubleshoot this issue. We do know it works for us (when we follow the instructions) and apparently other users, but not sure why it's not working when you're trying it.

    I did a quick search for "GPG error The following signatures were invalid: BADSIG" and found a ton of content, and a really long article that's a bit advertisement-filled, but seems to cover a lot of bases: https://itsfoss.com/solve-gpg-error-signatures-verified-ubuntu/

    This is a bit frustrating, but the author mentions:

    it's not 'run this command to fix this issue' kind of problem. You have to identify the root cause and then try to follow the suggestions. That leaves quite some work on your end but that's what it is.

    If you have any insight on how to resolve this (and specifically something we can add to our troubleshooting docs), please let us know.

    Best,
    Alana



  • Is there any documentation about how ProGet generate the certificates for Debian repositories? or, where I could find them in a Windows installation? To have something to start working with.
    I tried searching for any file with .asc extension, but there is nothing found in my Windows installation, so I guess certificates like stable.asc are generated/stored somehow on the website for download ¿?

    I'm totally willing to help as far as I can. Thank you.


  • inedo-engineer

    Hi @daniel-scati,

    ProGet generates a signing key when you first create a Debian feed; it's stored in the database, so you won't be able to find it on disk. You can "see" (i.e. download) the key under Manage Feed > "signing key".

    We don't really document how the key is generated, but looking at the code... we use BouncyCastle to create a 4096-bit nonexpiring PGP key with <feed-name>@proget as the pgp comment. That's what gets saved in the database, and is what you end up downloading.

    So creating a new feed would give you a new signing key.

    Hope that helps.

    Cheers,
    Alana



  • Hello
    Just in case, starting from Ubuntu 22.04, certificates for Debian repositories stored in Proget can be imported using this command

    curl -fsSL ${proget}/${feed}/keys/${feed}.asc | sudo gpg --dearmor  -o /etc/apt/keyrings/${feed}.gpg
    

    A source file in /etc/apt/sources.list.d/ will contain

    deb [arch=amd64 signed-by=/etc/apt/keyrings/${feed}.gpg] ${proget}/${feed} ${distribution} ${components}  
    

    Best regards
    PhilippeC.


  • inedo-engineer

    Thanks @philippe-camelio_3885!

    Should we update our docs to reflect this? Does this basically only apply to Ubuntu 22.04+?

    Currently, the instruction we have uses apt-key add instead:
    https://docs.inedo.com/docs/proget-feeds-debian

    Thanks,
    Alana



  • @atripp
    Yes, you should update the doc.
    Starting debian 11 and ubuntu 22.04 apt-key is deprecated.

    You will find more details on this article

    Best regards
    PhilippeC.


  • inedo-engineer

    @philippe-camelio_3885 thank you much, we just updated the docs :)



  • @philippe-camelio_3885 thanks for the piece of advice about how to import the certificate on Jammy, but I already used that way, and it also fails.
    After several tests I found out the root of the problem, and strange as it may seem, it is caused for the Description field in the Properties of Manage Feed. The feed description supports markdown format, but if it contains a break line with a blank line, after some minutes (or hours?) it will start to fail in the client when execute an update.
    One example of a description that reproduce the bug could be:

    **Fabricación**
    
    Instaladores Ubuntu liberados a producción
    

    The second blank line is the one that causes the issue. Fortunately, edit the description removing the blank line solves it 🤠


  • inedo-engineer

    @daniel-scati great work finding that :)

    The Feed Description is written in the Release Index, and the Debian "Stanza" format is kind of weird like that.

    However, newlines should already be replaced...

    var desc = FeedCache.GetFeed(this.feedId)?.Feed_Description;
    if (!string.IsNullOrWhiteSpace(desc))
        writer.WriteLine($"Description: {desc.ReplaceLineEndings("\n ")}");
    

    A blank line with a space isn't supposed to create a new "stanza", but maybe it is in your version?? We'll look closer; perhaps we should just strip the newline altogether and replace it with a space.

    Cheers,
    Alana


  • inedo-engineer

    @daniel-scati we'll also get this fixed via PG-2635 in an upcoming maintenance release (hopefully 2024.2), which is targeted for next Friday.



  • Fix verified on 2024.2 version.
    Thank you.


Log in to reply
 

Inedo Website HomeSupport HomeCode of ConductForums GuideDocumentation