Question about repository signing

To: deity@lists.debian.org
Subject: Question about repository signing
From: "Joshua J. Kugler" <joshua@azariah.com>
Date: Fri, 08 Nov 2019 15:26:43 -0900
Message-id: <[🔎] 13120953.fuEvBn5Apq@hosanna>

If there is a better place to ask this, please point me there.

I'm trying to create a repo (with reprepro) and sign it. I'm signing it with a 
key with signature FFFFB3557, as listed by gpg -K.

reprepro returns no errors, and its output seems quite happy.

On the system accessing the new repository, `apt-key list` shows a key 
imported with signature FFFB 3557. However, when I run apt-get update, I get

InRelease: The following signatures were invalid: 
347D7D44139452B2214B771EC0C819FFFFFB3557

That's obviously the key I signed it with, and that key is imported.  So, if 
it has the key imported, why is the signature (which appears correct) invalid? 

My commands look like this:

export REPREPRO_BASE_DIR="/path/to/my/repository/"
echo ${passphrase} | reprepro --ask-passphrase includedeb mydist path/to/f.deb

What is the best way to go about troubleshooting this? Pointers to docs 
welcome.

j

-- 
Joshua J. Kugler - Fairbanks, Alaska - joshua@azariah.com
Azariah Enterprises - Programming and Website Design
PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A

Reply to:

Follow-Ups:
- Re: Question about repository signing
  - From: David Kalnischkies <david@kalnischkies.de>

Prev by Date: acknowledge and confirm
Next by Date: Bug#944124: apt fails to verify certificate when using https and ocsp stapling
Previous by thread: acknowledge and confirm
Next by thread: Re: Question about repository signing
Index(es):
- Date
- Thread