BADSIG error during `apt update` using apt-cache-ng

red-pepper-pesto · November 3, 2024, 4:22pm

I received below error while running apt update using apt-cache-ng. I also used saltstack to run this command. The most suspicious thing is that the error disappeared without me doing anything. Any ideas what happened here? or how can I go about analyzing this?

2024-11-02 21:15:53,173 output:           ID: base-packages-refresh
2024-11-02 21:15:53,173 output:     Function: pkg.uptodate
2024-11-02 21:15:53,173 output:       Result: False
2024-11-02 21:15:53,173 output:      Comment: W: An error occurred during the signature verification. The repository is not updated and the previous index fil
es will be used. GPG error: http://HTTPS///deb.debian.org/debian-security bookworm-security InRelease: The following signatures were invalid: BADSIG 54404762B
BB6E853 Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
2024-11-02 21:15:53,173 output:               E: Failed to fetch http://HTTPS///deb.debian.org/debian-security/dists/bookworm-security/InRelease  The followin
g signatures were invalid: BADSIG 54404762BBB6E853 Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
2024-11-02 21:15:53,173 output:               E: Some index files failed to download. They have been ignored, or old ones used instead.
2024-11-02 21:15:53,173 output:      Started: 21:14:43.103642
2024-11-02 21:15:53,173 output:     Duration: 2437.602 ms
2024-11-02 21:15:53,173 output:      Changes:   
2024-11-02 21:15:53,173 output: ----------
2024-11-02 21:15:53,173 output:           ID: base-packages-installed
2024-11-02 21:15:53,173 output:     Function: pkg.installed
2024-11-02 21:15:53,173 output:       Result: False
2024-11-02 21:15:53,173 output:      Comment: An error was encountered while installing package(s): W: An error occurred during the signature verification. Th
e repository is not updated and the previous index files will be used. GPG error: http://HTTPS///deb.debian.org/debian-security bookworm-security InRelease: T
he following signatures were invalid: BADSIG 54404762BBB6E853 Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
2024-11-02 21:15:53,173 output:               E: Failed to fetch http://HTTPS///deb.debian.org/debian-security/dists/bookworm-security/InRelease  The followin
g signatures were invalid: BADSIG 54404762BBB6E853 Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
2024-11-02 21:15:53,173 output:               E: Some index files failed to download. They have been ignored, or old ones used instead.
2024-11-02 21:15:53,174 output:      Started: 21:14:45.604012
2024-11-02 21:15:53,174 output:     Duration: 1565.855 ms

apparatus · November 3, 2024, 4:30pm

Maybe there was an error when downloading the file and it was corrupted.

red-pepper-pesto · November 3, 2024, 4:37pm

I am not sure if the error would say (11/bullseye) <ftpmaster@debian.org> if it’s a download error. Looks like the file is signed by invalid key.

red-pepper-pesto · November 3, 2024, 7:58pm

The key in the error message is listed as sub key for debian 11 bullseye security pub key

https://lists.debian.org/debian-devel-announce/2021/01/msg00003.html


pub   rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
      AC53 0D52 0F2F 3269 F5E9  8313 A484 4904 4AAD 5C5D
uid           Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
sub   rsa4096 2021-01-17 [S] [expires: 2029-01-15]
      ED54 1312 A33F 1128 F10B  1C6C 5440 4762 BBB6 E853

The question is why did the apt request from debian 12 received a response signed by debian 11 sub pgp key?

FranklyFlawless · November 4, 2024, 10:28am

Your /etc/apt/sources.list file likely has the Bullseye repository as an entry, so remove it and update using apt again.

red-pepper-pesto · November 4, 2024, 12:58pm

No it does not.

FranklyFlawless · November 4, 2024, 1:13pm

Okay, try reinstalling the Debian 12 template, then using your commands afterwards to see if the issue persists:

red-pepper-pesto · November 4, 2024, 11:37pm

I mentioned in the OG post that the issue resolved without me doing anything.

red-pepper-pesto · November 4, 2024, 11:41pm

The InRelease file for debian 12 security repository is signed by both debian 12 security key and debian 11 security key. This explains why the debian 12 update received a file signed by debian 11 security key.

https://security.debian.org/debian-security/dists/bookworm-security/InRelease