I have been building a new Ubuntu instance using Cubic to create a custom ISO. This has worked well in the past, but for some reason after being loaded to the chroot environment I am unable to update apt due to multiple errors for invalid signatures.
root@mine:/etc/apt# apt update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Err:1 http://security.ubuntu.com/ubuntu xenial-security InRelease
At least one invalid signature was encountered.
Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease
Err:2 http://archive.ubuntu.com/ubuntu xenial InRelease
At least one invalid signature was encountered.
Get:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Err:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
At least one invalid signature was encountered.
Fetched 204 kB in 18s (10.8 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.ubuntu.com/ubuntu xenial-security InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.ubuntu.com/ubuntu xenial InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.ubuntu.com/ubuntu xenial-updates InRelease: At least one invalid signature was encountered.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease At least one invalid signature was encountered.
W: Some index files failed to download. They have been ignored, or old ones used instead.
root@mine:/etc/apt# apt-get update
Hit:1 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:2 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Err:1 http://archive.ubuntu.com/ubuntu xenial InRelease
At least one invalid signature was encountered.
Err:2 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
At least one invalid signature was encountered.
Get:3 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Err:3 http://security.ubuntu.com/ubuntu xenial-security InRelease
At least one invalid signature was encountered.
Fetched 204 kB in 17s (11.4 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.ubuntu.com/ubuntu xenial InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.ubuntu.com/ubuntu xenial-updates InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.ubuntu.com/ubuntu xenial-security InRelease: At least one invalid signature was encountered.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease At least one invalid signature was encountered.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease At least one invalid signature was encountered.
W: Some index files failed to download. They have been ignored, or old ones used instead.
I have tried a number of methods to fix this. I suspect it is because of something being done by Cubic when forming the squashfs system that is breaking the GPG keyring.
Running apt-key list shows:
root@mine:/etc/apt# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
And apt-key update shows:
root@mine:/etc/apt# apt-key update
gpg: WARNING: unsafe ownership on homedir `/tmp/tmp.VI7PlJB3k0'
gpg: WARNING: unsafe ownership on homedir `/tmp/tmp.VI7PlJB3k0'
gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>" not changed
gpg: key FBB75451: "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" not changed
gpg: key C0B21F32: "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>" not changed
gpg: key EFE21092: "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" not changed
gpg: Total number processed: 4
gpg: unchanged: 4
gpg: WARNING: unsafe ownership on homedir `/tmp/tmp.VI7PlJB3k0'
gpg: WARNING: unsafe ownership on homedir `/tmp/tmp.VI7PlJB3k0'
gpg: WARNING: unsafe ownership on homedir `/tmp/tmp.VI7PlJB3k0'
gpg: WARNING: unsafe ownership on homedir `/tmp/tmp.VI7PlJB3k0'
root@mine:/etc/apt#
Any ideas on how to fix this? I have tried running apt clean with no change, along with importing a known working sources.list and even trusted.gpg files. Permissions on /etc/apt/sources.list.d/ and /etc/apt/trusted.gpg.d/ are readable worldwide, so apt should be able to read the keys.
This is a clean build. The ISO used by Cubic has been tested in a VM with no issues, so it would appear to be a Cubic problem, but I am not sure what Cubic could have done to cause this or how to try and fix it in chroot myself.
Any suggestions/advice would be greatly appreciated.
Maxy
http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease
and inspecting the contents? (Or of the other files for which invalid signatures are reported?) – muru Feb 22 '18 at 02:56
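The permission claim in the question can be checked mechanically rather than by eye. The script below is an added example, not part of the original post or of Cubic: it audits the apt key material under a given root (the chroot directory, or `/` from inside it) and the `/tmp` directory where the `apt-key` output above shows its temporary GnuPG homedir. It assumes signature verification may run as a non-root user, so only the "other" permission bits are examined; `other_perm` and `audit_apt_keys` are names made up for this example.

```shell
#!/bin/sh
# Added example: audit permissions that affect apt signature verification.
# Assumption: the verifier may run unprivileged, so "other" bits are what count.

# other_perm PATH -> prints the three "other" permission characters, e.g. "r-x"
other_perm() {
    ls -ld -- "$1" | cut -c8-10
}

# audit_apt_keys ROOT -> one line per problem on stdout; returns 1 if any found
audit_apt_keys() {
    root=${1%/}
    problems=0
    # Parent directories only need to be searchable (x, or t when sticky).
    for d in "$root/etc" "$root/etc/apt"; do
        [ -d "$d" ] || continue
        case $(other_perm "$d") in
            ??[xt]) ;;
            *) echo "DIR  not searchable by others: $d"; problems=1 ;;
        esac
    done
    # The keyring directory must be listable as well as searchable.
    d="$root/etc/apt/trusted.gpg.d"
    if [ -d "$d" ]; then
        case $(other_perm "$d") in
            r?[xt]) ;;
            *) echo "DIR  not listable by others: $d"; problems=1 ;;
        esac
    fi
    # Every keyring file must be readable by others.
    for f in "$root/etc/apt/trusted.gpg" "$root"/etc/apt/trusted.gpg.d/*; do
        [ -f "$f" ] || continue
        case $(other_perm "$f") in
            r??) ;;
            *) echo "FILE not world-readable: $f"; problems=1 ;;
        esac
    done
    # The temporary GnuPG homedir is created under /tmp (see apt-key output).
    if [ -d "$root/tmp" ]; then
        case $(other_perm "$root/tmp") in
            ?w[xt]) ;;
            *) echo "DIR  not writable by others: $root/tmp"; problems=1 ;;
        esac
    fi
    return $problems
}

# Stand-alone use: sh audit.sh /path/to/chroot
if [ "$#" -gt 0 ]; then audit_apt_keys "$1"; fi
```

An empty report with exit status 0 rules these permission bits out as the cause; it says nothing about whether the signatures themselves are valid.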