Apt-get update > Error: Signature no longer valid?

cypherpunk · August 18, 2017, 5:53pm

Hi,

when I do an apt-get update I get the following error message:

An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://apt.z.cash jessie Release: Die folgenden Signaturen waren ungültig: F1E214037E94E950BA8577B263C4A2169C1B2FA2

Seems that the signature is not valid anymore?

Do you have this problem too? Any idea what I can do to fix it?

juhub · August 18, 2017, 6:19pm

the sign is valid
pub 4096R/9C1B2FA2 2016-10-18 [expires: 2018-10-18]

Did you try to re-import it?
wget -qO - https://apt.z.cash/zcash.asc | sudo apt-key add -

tuxer · August 18, 2017, 11:43pm

I was getting the same thing initially.
I tried re-adding the key but that didn’t change anything.
Then I did:

sudo apt-get clean
sudo rm -rf /var/lib/apt/lists/* && sudo mkdir -p /var/lib/apt/lists

Now I get a slightly different thing when doing:

sudo apt-get update

Reading package lists... Done                                            
W: GPG error: https://apt.z.cash jessie Release: The following signatures were invalid: F1E214037E94E950BA8577B263C4A2169C1B2FA2
E: The repository 'https://apt.z.cash jessie Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

cypherpunk · August 19, 2017, 5:38am

Thank you guys for your feedback.

@jubub: Yes, I re-imported the key, but no improvement.

Based on the message of tuxer I now think there might be a problem with the repository itself. The message “The repository is not signet” is pretty clear… Thats really strange…

bitcartel · August 19, 2017, 7:48am

Hi, what version of gpg are you using? Can you paste the output of --version? Thanks.

cypherpunk · August 19, 2017, 8:22am

Hi, the output is:

gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta

I’m running Debian GNU/Linux 9.1 (stretch) with all updates installed.

Thank you.

cypherpunk · August 19, 2017, 8:30am

Ps.: In the sources.list I’m still pointing to Jessie, this is the entry:
deb [arch=amd64] https://apt.z.cash/ jessie main

Should I change it to stretch?
deb [arch=amd64] https://apt.z.cash/ stretch main

tuxer · August 21, 2017, 7:33pm

In my case it’s what comes by default on Xubuntu:

gpg (GnuPG) 2.1.15
libgcrypt 1.7.6-beta

cypherpunk · August 25, 2017, 9:06am

Hmm, seems that is a known issue: Invalid Signature on Debian Binaries for 1.0.10 · Issue #2472 · zcash/zcash · GitHub

tuxer · August 28, 2017, 7:41pm

Thx @cypherpunk, now I’ll be following the GitHub page to check on updates on the issue…