[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#923668: apt update says "Signed file isn't valid", but apt-key verify passes

David Bremner <bremner@debian.org> writes:

> Julian Andres Klode <jak@debian.org> writes:
>>
>> The Release.gpg must be ASCII armored, as documented in:
>>
>>  https://wiki.debian.org/DebianRepository/Format#A.22Release.22_files
>>
>> Following the recent CVE, checks where added that the Release.gpg
>> contains only such signatures, to prevent hiding packages (or other
>> things for that matter) in there.
>
> OK, good to know there's an easy fix. Should the documentation for
> apt-key ("SUPPORTED KEYRING FILES") be updated? I'm not very happy with
> the wiki as the primary/only documentation.
>

Sorry, I was confused about what is required to be ascii
armoured. apt-key is presumably not relevant here.

d
Reply to: