On Wed, Aug 16, 2017 at 08:57:44AM +0200, Adam Cecile wrote:
> Hello,
>
> Since I upgraded to Stretch I get the following warning when running apt update:
>
> W: Failed to fetch http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh/dists/jessie-cdh5/InRelease The following signatures were invalid: F36A89E33CC1BD0F71079007327574EE02A818DD
>
> The sources.list entry is:
>
> deb [arch=amd64, trusted=yes] http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 contrib
>
> Problem is that the key is trusted, so I guess the warning comes from something else but I don't know why. I'd like to understand from where it comes and how to kill this warning (triggers apt warnings in monitoring system).
As far as I can tell, that message isn't saying that the key is untrusted, but rather that the message isn't (correctly) signed by a known key. The error is saying that the signature is invalid. If the signature (or the data) were corrupted during download, then that would invalidate the signature. If the signature was created using a key that you don't have, then that would invalidate the signature (perhaps the upstream has rotated to a new key?).
Also, rather than saying "trusted=yes", I believe that a more secure method is as follows:
1. Fetch the key from the upstream source.
2. If necessary, run "gpg --dearmour < upstream.asc > upstream.gpg"
3. Move upstream.gpg into /etc/apt/trusted.gpg.d
4. Alter your apt line to read "deb [..., signed-by=/etc/apt/trusted.gpg.d/upstream.gpg] http://..."
The theory behind this is that ONLY the repository associated with that key can be signed by that key. If you add the key to the main keyring, then there is a possibility that the key could be used to (fraudulently) sign the main repository and you'd trust it.
> Thanks in advance,
> Regards,
> Adam.
-- 
For more information, please reread.
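As an added example (my own shell code, not from the thread), the steps above turned into a small lint-and-rewrite check: it flags "deb" lines that carry trusted=yes, which disables apt's signature checking for that repository entirely, and rewrites them to pin a signed-by keyring. It assumes POSIX sh plus sed, and the keyring path /etc/apt/trusted.gpg.d/upstream.gpg is the hypothetical one from the numbered steps; the sample sources.list content is constructed apart from Adam's CDH line.

```shell
# Added example, not from the thread: lint sources.list entries for the blanket
# trusted=yes option and rewrite them to pin a signed-by keyring instead.
# Assumes POSIX sh plus sed; the keyring path /etc/apt/trusted.gpg.d/upstream.gpg
# is the hypothetical one from the steps above.

# weak: trusted=yes disables signature checking for that repository entirely;
# pinned: signed-by restricts which key may sign it; default: system keyring.
classify_apt_line() {
    case "$1" in
        *trusted=yes*) echo weak ;;
        *signed-by=*)  echo pinned ;;
        *)             echo default ;;
    esac
}

# Drop trusted=yes from the option bracket and add signed-by=<keyring>. Options
# are space-separated per sources.list(5); a stray comma as in the thread's
# "[arch=amd64, trusted=yes]" is tidied away, and a missing bracket is created.
pin_keyring() {
    line="$1"; keyring="$2"
    printf '%s\n' "$line" | sed \
        -e '/\[/!s/^deb\(-src\)\{0,1\} /deb\1 [] /' \
        -e 's/trusted=yes//' \
        -e 's/,[[:space:]]*]/]/' \
        -e "s|[[:space:]]*]| signed-by=$keyring]|" \
        -e 's/\[[[:space:],]*/[/'
}

# Constructed sample: Adam's CDH line from the thread plus two made-up entries.
sample_sources() {
    cat <<'EOF'
deb http://deb.debian.org/debian stretch main
deb [arch=amd64, trusted=yes] http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 contrib
deb [signed-by=/etc/apt/trusted.gpg.d/upstream.gpg] http://example.invalid/repo stable main
EOF
}

# Read sources.list text on stdin; print the number of deb lines that are weak.
count_weak() {
    n=0
    while IFS= read -r l; do
        case "$l" in
            deb*) if [ "$(classify_apt_line "$l")" = weak ]; then n=$((n + 1)); fi ;;
        esac
    done
    echo "$n"
}

sample_sources | count_weak   # stand-alone run: prints 1 for the sample above
pin_keyring "$(sample_sources | sed -n 2p)" /etc/apt/trusted.gpg.d/upstream.gpg
```

Any keyring placed in /etc/apt/trusted.gpg.d is also consulted for every other repository, so keeping the file outside that directory (for example under /usr/share/keyrings) is what makes the signed-by restriction meaningful.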