Bug#923668: apt update says "Signed file isn't valid", but apt-key verify passes
David Bremner <bremner@debian.org> writes:
> Julian Andres Klode <jak@debian.org> writes:
>>
>> The Release.gpg must be ASCII armored, as documented in:
>>
>> https://wiki.debian.org/DebianRepository/Format#A.22Release.22_files
>>
>> Following the recent CVE, checks where added that the Release.gpg
>> contains only such signatures, to prevent hiding packages (or other
>> things for that matter) in there.
>
> OK, good to know there's an easy fix. Should the documentation for
> apt-key ("SUPPORTED KEYRING FILES") be updated? I'm not very happy with
> the wiki as the primary/only documentation.
>
Sorry, I was confused about what is required to be ascii
armoured. apt-key is presumably not relevant here.
d
Reply to: