Hi,
I’m having trouble with my Ubuntu machines throwing errors due to the Apt repository signatures. It seems to be the same symptom as this earlier post: New release of cvmfs 2.11 and it breaks the Debian apt admin gpg key signature
Namely, the following signatures were invalid: BADSIG 230D389D8AE45CE7 CernVM Administrator (cvmadmin) cernvm.administrator@cern.ch
That issue just said there was an infrastructure problem which got resolved. Is this the same issue again?
I’m trying to understand what the problem really is since the keys haven’t seemed to have changed.
If I remove and reinstall the cvmfs-release package, I get:
W: GPG error: http://cvmrepo.s3.cern.ch/cvmrepo/apt jammy-prod Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 230D389D8AE45CE7
E: The repository 'http://cvmrepo.s3.cern.ch/cvmrepo/apt jammy-prod Release' is not signed.
It seems like dpkg isn’t installing the key /etc/apt/trusted.gpg.d/cernvm.gpg. If I manually unpack the key file and place it in /etc/apt/trusted.gpg.d/cernvm.gpg then I’m back to the original error:
W: GPG error: http://cvmrepo.s3.cern.ch/cvmrepo/apt jammy-prod Release: The following signatures were invalid: BADSIG 230D389D8AE45CE7 CernVM Administrator (cvmadmin) <cernvm.administrator@cern.ch>
E: The repository 'http://cvmrepo.s3.cern.ch/cvmrepo/apt jammy-prod Release' is not signed.
I still can’t see what’s wrong with the signatures. The key seems to use SHA1 hashes, which is no longer supported on EL9, but on Ubuntu it looks like that should just be a warning, not an invalid signature error (Signature by key ... uses weak digest algorithm (SHA1)).
Any ideas on how to debug further?