debian11 early - apt-get update - At least one invalid signature was encountered

To: debian-user@lists.debian.org
Subject: debian11 early - apt-get update - At least one invalid signature was encountered
From: raf <debian@raf.org>
Date: Sun, 15 Aug 2021 11:46:31 +1000
Message-id: <[🔎] 20210815014631.GA22506@raf.org>
Mail-followup-to: debian-user@lists.debian.org

Hi,

Firstly, many thanks for debian-11. I've been looking
forward to the newer bind9 and its dnssec-policy
finally making it trivial to implement DNSSEC on a
stable system. Yay!

My problem: A day or two ago, I tried to upgrade to
debian-11 on a little VM on my laptop and I've run into
a problem.

I know it wasn't official yet, but I thought I could
get away with it. And I wanted to have done it once
before upgrading a more important VM. But I would like
to get this VM unbroken as well.

I wasn't as careful as usual with it (I didn't do the
backups mentioned in Release Notes section 4.1.1) but
I'm not sure if that would have helped.

I added the new the bullseye details to
/etc/apt/sources.list but I didn't comment out the
existing buster details at the same time. I think that
might have been my mistake. Then, I did apt update and
got GPG invalid signature errors.

And I still get them when I only have the buster
details in sources.list and when I only have the
bullseye details there. But before, everything
was fine.

With buster only:

deb http://ftp.au.debian.org/debian/ buster main
deb-src http://ftp.au.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main
deb http://ftp.au.debian.org/debian/ buster-updates main
deb-src http://ftp.au.debian.org/debian/ buster-updates main

apt update looks like this:

Err:1 http://security.debian.org/debian-security buster/updates InRelease
At least one invalid signature was encountered.
Get:2 http://ftp.au.debian.org/debian buster InRelease [122 kB]
Get:3 http://ftp.au.debian.org/debian buster-updates InRelease [51.9 kB]
Err:2 http://ftp.au.debian.org/debian buster InRelease
At least one invalid signature was encountered.
Err:3 http://ftp.au.debian.org/debian buster-updates InRelease
At least one invalid signature was encountered.
Fetched 174 kB in 0s (452 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org/debian-security buster/updates InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian buster InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian buster-updates InRelease: At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/buster/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://security.debian.org/debian-security/dists/buster/updates/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/buster-updates/InRelease At least one invalid signature was encountered.
W: Some index files failed to download. They have been ignored, or old ones used instead.

With bullseye only:

deb http://ftp.au.debian.org/debian/ bullseye main contrib non-free
deb-src http://ftp.au.debian.org/debian/ bullseye main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb-src http://security.debian.org/debian-security bullseye-security main contrib non-free
deb http://ftp.au.debian.org/debian/ bullseye-updates main contrib non-free
deb-src http://ftp.au.debian.org/debian/ bullseye-updates main contrib non-free

apt update looks like:

Get:1 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Err:1 http://security.debian.org/debian-security bullseye-security InRelease
At least one invalid signature was encountered.
Get:2 http://ftp.au.debian.org/debian bullseye InRelease [113 kB]
Get:3 http://ftp.au.debian.org/debian bullseye-updates InRelease [40.1 kB]
Err:2 http://ftp.au.debian.org/debian bullseye InRelease
At least one invalid signature was encountered.
Err:3 http://ftp.au.debian.org/debian bullseye-updates InRelease
At least one invalid signature was encountered.
Fetched 153 kB in 0s (448 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
1416 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org/debian-security bullseye-security InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian bullseye InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.au.debian.org/debian bullseye-updates InRelease: At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/bullseye/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://security.debian.org/debian-security/dists/bullseye-security/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://ftp.au.debian.org/debian/dists/bullseye-updates/InRelease At least one invalid signature was encountered.
W: Some index files failed to download. They have been ignored, or old ones used instead.

Changing security.debian.org to ftp.au.debian.org added this:

Err:3 http://ftp.au.debian.org/debian-security bullseye-security Release
404 Not Found [IP: 150.203.164.37 80]

Changing http to https (for ftp.au.debian.org) gives TLS certificate errors:

Could not handshake: Error in the certificate verification

Changing ftp.au.debian.org to deb.debian.org still had the signature errors.

Here's what I think the preferred sources.list should be:

deb https://deb.debian.org/debian/ bullseye main contrib non-free
deb-src https://deb.debian.org/debian/ bullseye main contrib non-free
deb https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb-src https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb https://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb-src https://deb.debian.org/debian/ bullseye-updates main contrib non-free

(but I want to keep using ftp.au.debian.org if I can)

But the apt update output is still bad:

Get:1 https://deb.debian.org/debian bullseye InRelease [113 kB]
Err:1 https://deb.debian.org/debian bullseye InRelease
At least one invalid signature was encountered.
Get:2 https://deb.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Err:2 https://deb.debian.org/debian-security bullseye-security InRelease
At least one invalid signature was encountered.
Get:3 https://deb.debian.org/debian bullseye-updates InRelease [40.1 kB]
Err:3 https://deb.debian.org/debian bullseye-updates InRelease
At least one invalid signature was encountered.
Reading package lists... Done
W: GPG error: https://deb.debian.org/debian bullseye InRelease: At least one invalid signature was encountered.
E: The repository 'https://deb.debian.org/debian bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://deb.debian.org/debian-security bullseye-security InRelease: At least one invalid signature was encountered.
E: The repository 'https://deb.debian.org/debian-security bullseye-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://deb.debian.org/debian bullseye-updates InRelease: At least one invalid signature was encountered.
E: The repository 'https://deb.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I just noticed that the bullseye items in sources.list
had "contrib non-free" which the buster details didn't
include. I removed them and tried again but it didn't
help.

This is a pure debian stable system.

apt-forktracer reported nothing when I started.
Now it reports 1682 packages.

The time on the VM is correct.

The VM disk isn't full (86% used, 950MB free).

Any idea what I can do to fix this?

Thanks for your time,
raf

Reply to:

Follow-Ups:
- Re: debian11 early - apt-get update - At least one invalid signature was encountered
  - From: john doe <johndoe65534@mail.com>

Prev by Date: Re: PSA: 'apt-get update' new-Debian-release error fix
Next by Date: Internal server error 500 for bugs.debian.org pkgreport of apt-listchanges
Previous by thread: Re: PSA: 'apt-get update' new-Debian-release error fix
Next by thread: Re: debian11 early - apt-get update - At least one invalid signature was encountered
Index(es):
- Date
- Thread