3

I've inadvertently stepped into "update hell".

I updated a number of dependencies trying to install the Gerbera media server. In the process several existing services stopped running, including mariadb.

Then, when I tried to update/upgrade my mariadb install I hit the following error on the UKFast mirror I had been using:

apt-get update
...
Err:4 http://mirrors.ukfast.co.uk/sites/mariadb/repo/10.3/debian jessie InRelease
  The following signatures were invalid: 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB
Reading package lists... Done

Now, I've tried several recipes for updating GPG keys, including installing the debian-archive-keyring package. I also switched to a different mirror for mariadb, but still the same error:

GPG error: http://mirrors.coreix.net/mariadb/repo/10.2/debian jessie InRelease: The following signatures were invalid: 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB 

Searching the web for clues, I'm beginning to think this is actually a problem with the way the mirror has their content signed, per this posting: Debian 9, APT, and "GPG error: ... InRelease: The following signatures were invalid:"

Assuming this is the problem (the mirrors using obsolete SHA1 signatures), until the mirrors update their sigs, is there a way for me to persuade apt to process the package?

UPDATE

This seems to have been caused by my choosing an incorrect / unsupported combination of version names.

After trying a lot of combinations, I ended up using the following in /etc/sources.list.d/mariadb.list:

deb [arch=amd64,i386] http://mirrors.coreix.net/mariadb/repo/10.3/debian stretch main
deb-src http://mirrors.coreix.net/mariadb/repo/10.3/debian stretch main

Now Stretch isn't my current version (I'm on Buster), but I'm guessing Stretch is the latest release supported by MariaDB.

I'm wondering if the key error was a red herring, but at least it works now, without any further updates to the release keys.

Thanks to those who responded with suggestions.

3
  • 1
    You can always ignore signatures, at least temporarily Commented Dec 24, 2018 at 22:59
  • 1
    Maybe temporarily switch to another mirror before allowing in packages with an invalid signature and wait until it's fixed. You should be able to change it in /etc/apt/sources.list. But you should back it up before changing. Commented Dec 24, 2018 at 23:09
  • You mention Debian 8. My question talked about Debian 9. You can clarify the question by editing in the version of APT that you have upgraded to. (-: Commented Dec 27, 2018 at 11:56

1 Answer

2

The key did change between Jessie and Stretch. For Stretch, you would use:

sudo apt-get install software-properties-common dirmngr
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://mirrors.coreix.net/mariadb/repo/10.3/debian stretch main'

For Jessie, you would use:

sudo apt-get install software-properties-common
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db
sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://mirrors.coreix.net/mariadb/repo/10.3/debian jessie main'

Our repositories for Debian "Sid" and the Ubuntu 16.04 and beyond "Xenial" use a new GPG signing key. As detailed in MDEV-9781, APT 1.2.7 (and later) prefers SHA2 GPG keys and now prints warnings when a repository is signed using a SHA1 key like our previous GPG key. We have created a new SHA2 key for use with these affected repositories.

Comment of the mariadb release manager:

Yes, there will be a Stretch repository eventually. It will use the same key we're now using for Sid.

See https://mariadb.com/kb/en/library/gpg/ as well as the repo configuration tool at https://downloads.mariadb.org/mariadb/repositories
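
As an added example (not part of the answer and not MariaDB's own tooling), the script below reads `apt-get update` output and reports which key ID signed each failing suite, using the suite-to-key mapping given in the answer. The function names and verdict labels are assumptions made for illustration; the sample input is the two error messages quoted in the question.

```shell
#!/bin/sh
# Added example (not from the post): classify APT invalid-signature errors.
LEGACY_KEY=CBCB082A1BB943DB   # Jessie key ID from the answer (the older key)

# Long key ID the answer gives for each suite; other suites are not on the page.
expected_key() {
    case "$1" in
        jessie)  echo "$LEGACY_KEY" ;;
        stretch) echo F1656F24C74CD1D8 ;;
        *)       echo unknown ;;
    esac
}

# stdin: apt-get update output. stdout: "<suite> <long key ID> <verdict>".
diagnose_apt_sig() {
    awk '
    # "Err:4 <url> <suite> InRelease": the message follows on the next line.
    /^Err:[0-9]+ / { suite = $3 }
    # "GPG error: <url> <suite> InRelease: ...": everything on one line.
    /GPG error: /  { for (i = 1; i < NF; i++) if ($i ~ /^https?:/) suite = $(i + 1) }
    /signatures were invalid: / {
        for (i = 1; i <= NF; i++)
            if (length($i) >= 16 && $i ~ /^[0-9A-Fa-f]+$/) {
                # A long key ID is the last 16 hex digits of the fingerprint.
                print suite, toupper(substr($i, length($i) - 15))
                break
            }
    }' | while read -r suite key; do
        if [ "$key" = "$LEGACY_KEY" ]; then
            verdict=legacy-key             # older key: use a suite signed with the newer one
        elif [ "$key" = "$(expected_key "$suite")" ]; then
            verdict=expected-key-rejected  # right key for the suite, signature still refused
        else
            verdict=unknown-key            # not a key ID from the answer: verify before trusting
        fi
        echo "$suite $key $verdict"
    done
}

# Sample input: the two error messages quoted in the question.
SAMPLE='Err:4 http://mirrors.ukfast.co.uk/sites/mariadb/repo/10.3/debian jessie InRelease
  The following signatures were invalid: 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB
GPG error: http://mirrors.coreix.net/mariadb/repo/10.2/debian jessie InRelease: The following signatures were invalid: 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB'

printf '%s\n' "$SAMPLE" | diagnose_apt_sig
```

Both sample errors resolve to the Jessie key ID, which matches the asker's finding that the `jessie` suite was the wrong choice for the installed APT.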
