
Re: Question about repository signing



Hi,

On Fri, Nov 08, 2019 at 03:26:43PM -0900, Joshua J. Kugler wrote:
> InRelease: The following signatures were invalid:

That error part is generated for two general types of problems:
A signature which was bad or a signature which is worthless.

You truncated the error message, so I can't be sure [aka: please always
include the complete output], but given …

> 347D7D44139452B2214B771EC0C819FFFFFB3557

… I assume it is the latter. Worthless signatures are e.g. those made
with (partly) broken hashing algorithms, like MD5 or SHA1. Depending on
how and when you generated your signing key that might still be the
default for you…

The other cases would have a 'word' in front of a keyid like EXPSIG
(expired signature), BADSIG or some such (gpg is complex).


> That's obviously the key I signed it with, and that key is imported.  So, if
> it has the key imported, why is the signature (which appears correct) invalid?

adding:
	-o Debug::Acquire::gpgv=1
to your apt update invocation will give out a few more details on how
the signature(s) are parsed and categorized, so you should be able to
verify my claim, even if it is, even for debug output, a bit arcane and
dense, but these properties are inherited from gpg itself…


I am not a reprepro user, so I can't tell you how to make it force gpg
to use an algorithm like SHA256/SHA512, but updating your key to follow
the latest security advice might do the trick already.
Even https://wiki.debian.org/DebianRepository/SetupWithReprepro has
a few pointers on that topic.


> PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A

That is a mostly unrelated sidenote, but short keyids might be short and
easy to type, but they don't reliably identify a key anymore. It isn't
that hard to generate keys with arbitrary short ids – keyservers are
littered with such keys. The strongset was duplicated entirely (with
signatures and all) years ago for example.


Good luck & best regards

David Kalnischkies

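The categorisation David describes (a signature that is bad versus one that parsed fine but is worthless, e.g. because it was made with MD5 or SHA1) is visible in the `--status-fd` lines gpgv emits, which is also what `Debug::Acquire::gpgv=1` is showing you in condensed form. The following is an added example, not apt's gpgv method and not code from anyone in this thread: it parses such status lines and sorts each signature into good / bad / worthless / no-public-key buckets. The status lines are constructed for the example (the first fingerprint is the one quoted in the mail, the others are made up), the set of digests treated as "worthless" and the bucket names are assumptions modelled on the mail, and `verify_inrelease` simply runs the real `gpgv` binary with `--status-fd 1 --keyring`. It also shows why the sidenote about short key ids holds: both the long and the short id are nothing more than the last 16 or 8 hex digits of the fingerprint.

```python
import subprocess
from dataclasses import dataclass

# RFC 4880 digest algorithm ids, as gpg prints them in field 8 of a VALIDSIG line.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Assumption for this example: a correct signature over one of these digests
# is "worthless" in the sense of the mail (parses fine, must not be trusted).
WEAK_DIGESTS = {1, 2, 3}


@dataclass
class Sig:
    keyid: str            # long keyid gpg printed on the verdict line
    status: str           # GOODSIG, BADSIG, EXPSIG, EXPKEYSIG, REVKEYSIG or NO_PUBKEY
    fingerprint: str = "" # filled in from the VALIDSIG line that follows a good verdict
    hash_algo: int = 0    # digest id from VALIDSIG field 8

    @property
    def ident(self):
        # Report the full fingerprint when gpg gave us one, never a short id.
        return self.fingerprint or self.keyid

    @property
    def verdict(self):
        if self.status == "BADSIG":
            return "bad"            # signature does not verify at all
        if self.status == "NO_PUBKEY":
            return "nopubkey"
        if self.status != "GOODSIG":
            return "worthless"      # EXPSIG/EXPKEYSIG/REVKEYSIG: verified, not trusted
        if self.hash_algo in WEAK_DIGESTS:
            return "worthless"      # verified, but made with a broken digest
        return "good"

    @property
    def reason(self):
        if self.status != "GOODSIG":
            return self.status
        name = HASH_ALGOS.get(self.hash_algo, f"digest id {self.hash_algo}")
        return f"weak digest {name}" if self.hash_algo in WEAK_DIGESTS else f"digest {name}"


def key_ids(fingerprint):
    """Long (64-bit) and short (32-bit) key ids are just suffixes of the fingerprint,
    which is why a short id can be collided cheaply and does not identify a key."""
    fpr = fingerprint.upper()
    return fpr[-16:], fpr[-8:]


def parse_status(lines):
    """Turn gpg/gpgv --status-fd output into a list of Sig records."""
    sigs = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        kind, args = fields[1], fields[2:]
        if kind in ("GOODSIG", "BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            sigs.append(Sig(keyid=args[0], status=kind))
        elif kind == "VALIDSIG" and sigs:
            # VALIDSIG follows the verdict line for the same signature and carries
            # the full fingerprint (field 1) and the digest algorithm id (field 8).
            sigs[-1].fingerprint = args[0]
            sigs[-1].hash_algo = int(args[7])
        # ERRSIG precedes NO_PUBKEY and adds nothing this classification needs.
    return sigs


def classify(lines):
    """Return ({bucket: [identifiers]}, {identifier: reason}) for the status lines."""
    buckets = {"good": [], "bad": [], "worthless": [], "nopubkey": []}
    reasons = {}
    for sig in parse_status(lines):
        buckets[sig.verdict].append(sig.ident)
        reasons[sig.ident] = sig.reason
    return buckets, reasons


def verify_inrelease(inrelease_path, keyring_path):
    """Run gpgv on a clearsigned InRelease file and classify what it reports."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring_path, inrelease_path],
        capture_output=True, text=True, check=False)
    return classify(proc.stdout.splitlines())


# Constructed status output: a SHA1 signature by the key from the mail, a SHA512
# signature by a made-up key, an expired key, a bad signature and a missing key.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C0C819FFFFFB3557 Example Repo Signing Key <repo@example.org>
[GNUPG:] VALIDSIG 347D7D44139452B2214B771EC0C819FFFFFB3557 2019-11-08 1573245603 0 4 0 1 2 00 347D7D44139452B2214B771EC0C819FFFFFB3557
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Second Key <second@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2019-11-08 1573245603 0 4 0 1 10 00 1111222233334444555566667777888899990000
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 7777888899990001 Old Key <old@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990001 2019-11-08 1573245603 0 4 0 1 8 00 1111222233334444555566667777888899990001
[GNUPG:] NEWSIG
[GNUPG:] BADSIG AAAABBBBCCCCDDDD Tampered Key <bad@example.org>
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 1573245603 9 -
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""

if __name__ == "__main__":
    buckets, reasons = classify(SAMPLE_STATUS.splitlines())
    for bucket, idents in buckets.items():
        for ident in idents:
            print(f"{bucket:9} {ident}  ({reasons[ident]})")
```

Running it against the sample puts the SHA1 signature by 347D7D44139452B2214B771EC0C819FFFFFB3557 into the worthless bucket even though gpg itself reported GOODSIG for it, which is the situation the mail describes: the key is imported and the signature is mathematically correct, yet apt refuses it. Point `verify_inrelease` at a downloaded InRelease and the repository's keyring file to see the same classification for a real repository.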