3

Following an update to Focal, I had to revisit /etc/apt/sources* to update my third party repositories.

One of the repositories is for the Yorba PPA at: https://launchpad.net/~yorba/+archive/ubuntu/ppa

Unfortunately I am no longer able to update from that repository:

$ sudo apt-get update
[..truncated..]
W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures were invalid: 90B064CAE4CBA8A6C34F04D110975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Right, so let's try and fix that problem. First, remove the key I already had:

$ sudo rm -f /etc/apt/trusted.gpg.d/yorba_ubuntu_ppa.gpg
$ sudo apt-get update
[..truncated..]

W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 10975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Next, get the key again from the ubuntu key server:

$ sudo apt-key adv --recv-keys --keyserver keys.gnupg.net 10975893E549B1AC
Executing: /tmp/apt-key-gpghome.RKi7hJu0jl/gpg.1.sh --recv-keys --keyserver keys.gnupg.net 10975893E549B1AC
gpg: key 10975893E549B1AC: public key "Launchpad yorba" imported
gpg: Total number processed: 1
gpg:               imported: 1

All should be good to go now, right? Wrong. Same result as we started with:

$ sudo apt-get update
[..truncated..]
W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures were invalid: 90B064CAE4CBA8A6C34F04D110975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Anyone know what I'm doing wrong here? Is there something fundamentally wrong with that Yorba PPA?

-Michael

2 Answers

1

Is there something fundamentally wrong with that Yorba PPA?

Aside from it being an antique? ... No.

Well, that's exactly what's wrong here.

Note that signature itself is fine:

% gpg --no-default-keyring --keyring ./key.gpg --verify Release.gpg Release
gpg: Signature made Tue 31 Mar 2015 07:20:40 JST
gpg:                using RSA key 10975893E549B1AC
gpg: Good signature from "Launchpad yorba" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 90B0 64CA E4CB A8A6 C34F  04D1 1097 5893 E549 B1AC

But the way it was made is no longer fine:

% gpg --list-packets Release.gpg                                           
# off=0 ctb=88 tag=2 hlen=2 plen=156
:signature packet: algo 1, keyid 10975893E549B1AC
    version 4, created 1427754040, md5len 0, sigclass 0x00
    digest algo 2, begin of digest e2 e8
    hashed subpkt 2 len 4 (sig created 2015-03-30)
    subpkt 16 len 8 (issuer key ID 10975893E549B1AC)
    data: [1018 bits]

digest algo 2 is SHA-1, which is no longer considered secure. It's now an error to have Release signatures made using SHA-1.

There's nothing new about this. It was already a warning in 16.04 (How to fix apt: Signature by key uses weak digest algorithm (SHA1)?):

# apt update
...
W: http://ppa.launchpad.net/yorba/ppa/ubuntu/dists/vivid/Release.gpg: Signature by key 90B064CAE4CBA8A6C34F04D110975893E549B1AC uses weak digest algorithm (SHA1)

And returned the same error in 18.04 as in 20.04.

muru
  • Thank you for that explanation and the useful links to further information. I decided I didn't really need the repository after all (I think I had it because of Shotwell which I installed ages ago). – user1283068 May 16 '20 at 18:55
  • On a personal note, I think that apt-get is being incredibly unhelpful in its response. It could very easily have explained why the signature was invalid. Expecting end users to dig out something like this really is asking quite a lot I think. – user1283068 May 16 '20 at 18:58
  • It was plenty helpful when SHA-1 was originally deprecated. The warnings were enough that you'd be hard pressed to find an actively maintained repo which has the same issue. At this point in time, no one's really expecting anyone to be encountering something like this. – muru May 17 '20 at 03:34
  • But I did. And apt was a stone wall when it could very easily have been a lot more informative. Anyway - let's not flog this horse, just me being grumpy I suppose. – user1283068 May 18 '20 at 09:43
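The answer's diagnosis comes down to one byte in the signature packet: the hash-algorithm octet that gpg --list-packets prints as "digest algo 2". The following script is an added example, not code from the answer or from apt/gpg, that reads that packet the way the listing above does: it strips the ASCII armor that a Release.gpg carries, walks the old-format packet header (ctb 0x88, tag 2), pulls the version, public-key algorithm, digest algorithm, creation-time and issuer subpackets and the MPI bit count, and applies apt's weak-digest rule. build_signature_packet() produces a constructed packet whose layout matches the listing above (key ID 10975893E549B1AC, created 1427754040, left16 e2 e8, a 1018-bit MPI, plen 156); its signature value is filler, so the script inspects packets but does not verify signatures. The script file name in the usage comment is an assumption.

```python
"""Added example, not code from the answer: parse the OpenPGP signature packet
in an apt Release.gpg and report its digest algorithm, flagging SHA-1 (the
cause of the "signatures were invalid" error).  The sample packet is constructed."""
import base64
import struct
import sys

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880 sec. 9.4
WEAK_DIGESTS = {"MD5", "SHA1"}  # digests apt refuses on Release signatures
SUBPKT_CREATED, SUBPKT_ISSUER = 2, 16  # subpacket types, RFC 4880 sec. 5.2.3


def dearmor(data):
    """ASCII armor -> binary packets (Release.gpg is armored); binary passes
    through.  Armor headers end at the first blank line; the '=XXXX' CRC24
    line is skipped, so this is an inspector, not a verifier."""
    if not data.startswith(b"-----BEGIN PGP"):
        return data
    b64, in_body = [], False
    for line in data.decode("ascii").splitlines():
        if line.startswith("-----END"):
            break
        if in_body and line and not line.startswith("="):
            b64.append(line)
        elif not in_body and line == "":
            in_body = True
    return base64.b64decode("".join(b64))


def subpackets(blob):
    """Yield (type, body) per signature subpacket (1- and 2-octet lengths)."""
    i = 0
    while i < len(blob):
        if blob[i] < 192:
            length, i = blob[i], i + 1
        elif blob[i] < 255:
            length, i = ((blob[i] - 192) << 8) + blob[i + 1] + 192, i + 2
        else:
            raise ValueError("5-octet subpacket length not handled")
        yield blob[i] & 0x7F, blob[i + 1:i + length]  # mask the critical bit
        i += length


def parse_signature(data):
    """Parse a v4 signature packet with an old-format header (ctb 0x88/0x89)."""
    raw = dearmor(data)
    ctb = raw[0]
    if (ctb & 0xC0) != 0x80 or ((ctb >> 2) & 0x0F) != 2:
        raise ValueError("expected an old-format signature packet (tag 2)")
    if (ctb & 0x03) == 0:
        body = raw[2:2 + raw[1]]
    elif (ctb & 0x03) == 1:
        body = raw[3:3 + struct.unpack(">H", raw[1:3])[0]]
    else:
        raise ValueError("unsupported packet length type")
    version, sig_class, pk_algo, hash_algo = body[:4]
    if version != 4:
        raise ValueError("only v4 signatures are handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed, i = body[6:6 + hashed_len], 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[i:i + 2])[0]
    unhashed, i = body[i + 2:i + 2 + unhashed_len], i + 2 + unhashed_len
    info = {"sig_class": sig_class, "pk_algo": pk_algo,
            "digest": HASH_ALGOS.get(hash_algo, "algo %d" % hash_algo),
            "hash_left16": body[i:i + 2].hex(),  # "begin of digest" in gpg
            "mpi_bits": struct.unpack(">H", body[i + 2:i + 4])[0]}
    for stype, sbody in list(subpackets(hashed)) + list(subpackets(unhashed)):
        if stype == SUBPKT_CREATED:
            info["created"] = struct.unpack(">I", sbody)[0]
        elif stype == SUBPKT_ISSUER:
            info["issuer"] = sbody.hex().upper()
    return info


def check_release_signature(data):
    """(accepted, reason): apt's weak-digest rule applied to the packet."""
    info = parse_signature(data)
    if info["digest"] in WEAK_DIGESTS:
        return False, "Signature by key %s uses weak digest algorithm (%s)" % (
            info.get("issuer", "?"), info["digest"])
    return True, "signature digest %s is acceptable" % info["digest"]


def build_signature_packet(hash_algo=2, created=1427754040,
                           issuer=0x10975893E549B1AC, mpi_bits=1018):
    """Constructed packet: v4, sigclass 0x00, RSA (algo 1), the answer's key
    ID and creation time, left16 e2e8, filler MPI of mpi_bits -> plen 156."""
    hashed = bytes([5, SUBPKT_CREATED]) + struct.pack(">I", created)
    unhashed = bytes([9, SUBPKT_ISSUER]) + struct.pack(">Q", issuer)
    mpi = bytes([1 << ((mpi_bits - 1) % 8)]) + bytes((mpi_bits - 1) // 8)
    body = (bytes([4, 0x00, 1, hash_algo])
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + bytes.fromhex("e2e8") + struct.pack(">H", mpi_bits) + mpi)
    return bytes([0x88, len(body)]) + body  # old-format header, body < 256 octets


if __name__ == "__main__":  # usage: python3 inspect_release_sig.py [Release.gpg]
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_signature_packet()
    print(check_release_signature(blob), parse_signature(blob))
```

With no argument the script reports the constructed packet as rejected with the same "uses weak digest algorithm (SHA1)" wording apt printed on 16.04. To check the real file, fetch it from the URL in the 16.04 warning above (curl -O http://ppa.launchpad.net/yorba/ppa/ubuntu/dists/vivid/Release.gpg) and pass the path as the argument; a signature whose digest octet is 8 (SHA256) or higher is reported as acceptable, which is what a re-signed PPA would need before apt trusts it again.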
0

You can simply disable this PPA as it does not provide packages for your Ubuntu 20.04 LTS version.

Use

sudo add-apt-repository -r ppa:yorba/ppa

and then run sudo apt-get update followed by sudo apt-get upgrade as usual.

N0rbert
  • I realise that. I've been using the vivid packages which have worked just fine under Eoan. I want to keep that PPA in my sources in case a new version is released there. Besides, this doesn't really answer my question about the errors I'm getting from apt, and how to fix them. – user1283068 May 16 '20 at 16:31