I’m encountering invalid signatures on JFrog's InRelease files:
gpg -v --no-default-keyring --keyring /usr/share/keyrings/openziti.gpg --verify jammy/InRelease
gpg: armor header: Hash: SHA256
gpg: armor header: Version: BCPG v1.68
gpg: original file name=''
gpg: Signature made Mon 10 Jul 2023 11:00:07 AM PDT
gpg: using RSA key DE3623EF08C996E5
gpg: using pgp trust model
gpg: BAD signature from "OpenZiti Developers <developers@openziti.org>" [unknown]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
On systems that prefer InRelease, apt update fails with error:
apt update
Hit:1 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Get:3 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease [109 kB]
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:5 https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease [4264 B]
Err:5 https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DE3623EF08C996E5
Reading package lists... Done
W: GPG error: https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DE3623EF08C996E5
E: The repository 'https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
I have verified that public key DE3623EF08C996E5 is stored on the keyring /usr/share/keyrings/openziti.gpg and usable. The Release files verify without incident:
gpg -v --no-default-keyring --keyring /usr/share/keyrings/openziti.gpg --verify jammy/Release.gpg jammy/Release
gpg: armor header: Version: BCPG v1.68
gpg: Signature made Mon 10 Jul 2023 11:00:08 AM PDT
gpg: using RSA key DE3623EF08C996E5
gpg: using pgp trust model
gpg: Good signature from "OpenZiti Developers <developers@openziti.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 34CB CF18 427D 8814 B5BD BB0D DE36 23EF 08C9 96E5
gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
I’ve experimented and verified other archives’ InRelease files using the above approach.
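A check that narrows down the mismatch described in the post above, added here as an example and not part of the original post or of OpenZiti's tooling: it extracts the text embedded in the clear-signed InRelease and compares it with Release, the file whose detached signature verified. The function names and the sample data are constructed for illustration.

```python
import difflib
import sys

BEGIN_MSG = b"-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = b"-----BEGIN PGP SIGNATURE-----"

def clearsigned_body(inrelease: bytes) -> list:
    """Signed lines of a clear-signed file (RFC 4880 sec. 7), dash-escaping undone."""
    lines = inrelease.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        blank = lines.index(b"", start + 1)    # armor headers end at the first empty line
        end = lines.index(BEGIN_SIG, blank + 1)
    except ValueError:
        raise ValueError("not a clear-signed document") from None
    return [l[2:] if l.startswith(b"- ") else l for l in lines[blank + 1:end]]

def _rstrip(lines):
    # Clear-signing ignores trailing spaces and tabs; a detached binary signature does not.
    return [l.rstrip(b" \t") for l in lines]

def diagnose(inrelease: bytes, release: bytes):
    """Return (verdict, unified diff) for Release vs. the body embedded in InRelease."""
    signed, plain = clearsigned_body(inrelease), release.splitlines()
    if signed == plain:
        return "identical", []
    if _rstrip(signed) == _rstrip(plain):
        return "trailing-whitespace-only", []
    as_text = [[l.decode("utf-8", "replace") for l in ls] for ls in (plain, signed)]
    return "content-differs", list(difflib.unified_diff(
        *as_text, "Release", "InRelease body", lineterm=""))

# Constructed sample data, not the real repository files; the signature is a placeholder.
SAMPLE_RELEASE = b"Origin: example\nSuite: jammy\nSHA256:\n 0123abcd 4264 main/binary-amd64/Packages\n"

def wrap(body: bytes) -> bytes:
    """Put body inside a clear-sign frame (hypothetical helper, no real signature)."""
    return (BEGIN_MSG + b"\nHash: SHA256\n\n" + body + BEGIN_SIG
            + b"\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:                     # e.g. jammy/InRelease jammy/Release
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            verdict, diff = diagnose(a.read(), b.read())
    else:
        verdict, diff = diagnose(wrap(SAMPLE_RELEASE.replace(b"4264", b"4265")), SAMPLE_RELEASE)
    print(verdict, *diff, sep="\n")
```

Run it with jammy/InRelease and jammy/Release as arguments. An `identical` verdict means both files list the same content, which points at how the InRelease signature was produced rather than at the listed content; the comparison is line-based, so it does not report line-ending differences.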