Bug#923668: apt update says "Signed file isn't valid", but apt-key verify passes

[David Bremner <bremner@debian.org>]

Julian Andres Klode <jak@debian.org> writes:
>
> The Release.gpg must be ASCII armored, as documented in:
>
>  https://wiki.debian.org/DebianRepository/Format#A.22Release.22_files
>
> Following the recent CVE, checks where added that the Release.gpg
> contains only such signatures, to prevent hiding packages (or other
> things for that matter) in there.

OK, good to know there's an easy fix. Should the documentation for
apt-key ("SUPPORTED KEYRING FILES") be updated? I'm not very happy with
the wiki as the primary/only documentation.

cheers,

d