Debian/Ubuntu Apt Repository not working

Hi,
I’m having trouble with my Ubuntu machines throwing errors due to the Apt repository signatures. It seems to be the same symptom as this earlier post: New release of cvmfs 2.11 and it breaks the Debian apt admin gpg key signature
Namely, the following signatures were invalid: BADSIG 230D389D8AE45CE7 CernVM Administrator (cvmadmin) cernvm.administrator@cern.ch

That issue just said there was an infrastructure problem which got resolved. Is this the same issue again?

I’m trying to understand what the problem really is since the keys haven’t seemed to have changed.
If I remove and reinstall the cvmfs-release package, I get:

W: GPG error: http://cvmrepo.s3.cern.ch/cvmrepo/apt jammy-prod Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 230D389D8AE45CE7
E: The repository 'http://cvmrepo.s3.cern.ch/cvmrepo/apt jammy-prod Release' is not signed.

It seems like dpkg isn’t installing the key /etc/apt/trusted.gpg.d/cernvm.gpg. If I manually unpack the key file and place it in /etc/apt/trusted.gpg.d/cernvm.gpg then I’m back to the original error:

W: GPG error: http://cvmrepo.s3.cern.ch/cvmrepo/apt jammy-prod Release: The following signatures were invalid: BADSIG 230D389D8AE45CE7 CernVM Administrator (cvmadmin) <cernvm.administrator@cern.ch>
E: The repository 'http://cvmrepo.s3.cern.ch/cvmrepo/apt jammy-prod Release' is not signed.

I still cant see what’s wrong with the signatures. The key seems to use SHA1 hashes, which is no-longer supported on EL9, but on Ubuntu it looks like that should just be a warning, not an invalid signature error (Signature by key ... uses weak digest algorithm (SHA1)).

Any ideas on how to debug further?

Hi Tim,

I’ve just checked with a docker image of ubuntu jammy on both x86_64 and arm64 and cvmfs installed ok - it also looks like the packages are ok and signed. The last time I think a package was truncated during upload which caused this issue.

Can you send me more details about your system and how you arrived at this error?
Cheers,
Valentin

Hi Valentin,

OK, that helped - indeed it works on my local machine, but the machines I’m managing are all using a shared HTTP proxy for apt.
Running sudo apt-get -o Acquire::http::proxy=false update works. I guess the proxy must have picked up some malformed repository data and fed it to all of these machines.

I can remove cvmfs-release, reinstall and apt update from the proxy to reproduce the error, so something is still stuck in the proxy’s cache. That should time out eventually and in the meantime I can have them bypass it. They don’t error again once they have properly updated their own apt cache.

Thanks for checking things so quickly, it did put me on the right path.

Cheers,
Tim