BADSIG error during `apt update` using apt-cache-ng

I received below error while running apt update using apt-cache-ng. I also used saltstack to run this command. The most suspicious thing is that the error disappeared without me doing anything. Any ideas what happened here? or how can I go about analyzing this?

2024-11-02 21:15:53,173 output:           ID: base-packages-refresh
2024-11-02 21:15:53,173 output:     Function: pkg.uptodate
2024-11-02 21:15:53,173 output:       Result: False
2024-11-02 21:15:53,173 output:      Comment: W: An error occurred during the signature verification. The repository is not updated and the previous index fil
es will be used. GPG error: http://HTTPS///deb.debian.org/debian-security bookworm-security InRelease: The following signatures were invalid: BADSIG 54404762B
BB6E853 Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
2024-11-02 21:15:53,173 output:               E: Failed to fetch http://HTTPS///deb.debian.org/debian-security/dists/bookworm-security/InRelease  The followin
g signatures were invalid: BADSIG 54404762BBB6E853 Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
2024-11-02 21:15:53,173 output:               E: Some index files failed to download. They have been ignored, or old ones used instead.
2024-11-02 21:15:53,173 output:      Started: 21:14:43.103642
2024-11-02 21:15:53,173 output:     Duration: 2437.602 ms
2024-11-02 21:15:53,173 output:      Changes:   
2024-11-02 21:15:53,173 output: ----------
2024-11-02 21:15:53,173 output:           ID: base-packages-installed
2024-11-02 21:15:53,173 output:     Function: pkg.installed
2024-11-02 21:15:53,173 output:       Result: False
2024-11-02 21:15:53,173 output:      Comment: An error was encountered while installing package(s): W: An error occurred during the signature verification. Th
e repository is not updated and the previous index files will be used. GPG error: http://HTTPS///deb.debian.org/debian-security bookworm-security InRelease: T
he following signatures were invalid: BADSIG 54404762BBB6E853 Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
2024-11-02 21:15:53,173 output:               E: Failed to fetch http://HTTPS///deb.debian.org/debian-security/dists/bookworm-security/InRelease  The followin
g signatures were invalid: BADSIG 54404762BBB6E853 Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
2024-11-02 21:15:53,173 output:               E: Some index files failed to download. They have been ignored, or old ones used instead.
2024-11-02 21:15:53,174 output:      Started: 21:14:45.604012
2024-11-02 21:15:53,174 output:     Duration: 1565.855 ms

1 Like

Maybe there was an error when downloading the file and it was corrupted.

1 Like

I am not sure if the error would say (11/bullseye) <ftpmaster@debian.org> if it’s a download error. Looks like the file is signed by invalid key.

The key in the error message is listed as sub key for debian 11 bullseye security pub key

https://lists.debian.org/debian-devel-announce/2021/01/msg00003.html


pub   rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
      AC53 0D52 0F2F 3269 F5E9  8313 A484 4904 4AAD 5C5D
uid           Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
sub   rsa4096 2021-01-17 [S] [expires: 2029-01-15]
      ED54 1312 A33F 1128 F10B  1C6C 5440 4762 BBB6 E853

The question is why did the apt request from debian 12 received a response signed by debian 11 sub pgp key?

Your /etc/apt/sources.list file likely has the Bullseye repository as an entry, so remove it and update using apt again.

1 Like

No it does not.

Okay, try reinstalling the Debian 12 template, then using your commands afterwards to see if the issue persists:

I mentioned in the OG post that the issue resolved without me doing anything.

The InRelease file for debian 12 security repository is signed by both debian 12 security key and debian 11 security key. This explains why the debian 12 update received a file signed by debian 11 security key.

https://security.debian.org/debian-security/dists/bookworm-security/InRelease