APT GPG signature invalid

Ubuntu 18.04 Server

Using the virtualmin-universal repository results in:

# apt-get update
Ign:16 http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release.gpg
Reading package lists... Done
W: GPG error: http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release: The following signatures were invalid: 31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9
E: The repository 'http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

This is due to the signing key still using SHA1 despite many years of warnings to upgrade the signing algorithm and promises in forum posts by staff to upgrade since at least 2016.

A response of “downgrade your local apt security” is not an acceptable answer (Acquire::AllowDowngradeToInsecureRepositories=true).

There is no reason the Release file cannot be signed by both weak and strong keys and both signatures put in the Release.gpg files.

/etc/apt/trusted.gpg.d/virtualmin.gpg
-------------------------------------
pub   dsa1024 2005-07-11 [SC]
      31D2 B188 72EA F68E FB81  F81D E8DD 3FA0 A0BD BCF9
uid           [ unknown] Virtualmin, Inc. <security@virtualmin.com>
sub   elg2048 2005-07-11 [E]

pub   rsa4096 2017-05-01 [SC] [expires: 2024-04-29]
      E36F 0664 7D8E BD2B E364  2BCE D9F9 0107 60D6 2A6B
uid           [ unknown] Virtualmin, Inc. (Package signing key for Virtualmin 6) <security@virtualmin.com>
sub   rsa4096 2017-05-01 [E] [expires: 2024-04-29]
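An added example, not part of the original post, to make the multiple-signature idea above concrete on the verifier's side: a minimal parser for the OpenPGP signature packets in a binary (gpg --dearmor'ed) Release.gpg that reports each signature's public-key algorithm, digest algorithm and issuer key ID, so an administrator can check whether at least one non-SHA1 signature is present before touching any apt security setting. The two packets it runs on are constructed here with dummy MPIs (structurally valid, not cryptographically verifiable) and carry the key IDs from the listing above; WEAK_HASHES is this example's own classification, not apt's table.

```python
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880 s.9.4
PUBKEY_ALGOS = {1: "RSA", 3: "RSA(sign-only)", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}                    # RFC 4880 s.9.1
WEAK_HASHES = {1, 2, 3}  # this example's own classification (MD5, SHA1, RIPEMD160); the post blames the SHA1 signature

def _read_len(buf, i):
    """New-format length field (RFC 4880 4.2.2 / 5.2.3.1) -> (length, bytes the field occupies)."""
    if buf[i] < 192:
        return buf[i], 1
    if buf[i] < 224:
        return ((buf[i] - 192) << 8) + buf[i + 1] + 192, 2
    raise ValueError("5-byte and partial lengths are not expected in a Release.gpg")

def _issuer(subpackets):
    """Key ID from the Issuer subpacket (type 16, RFC 4880 5.2.3.5), or None if absent."""
    i = 0
    while i < len(subpackets):
        length, n = _read_len(subpackets, i)           # length covers the type byte and the data
        if subpackets[i + n] & 0x7F == 16:
            return subpackets[i + n + 1:i + n + length].hex().upper()
        i += n + length
    return None

def parse_signatures(data):
    """Describe each v4 signature packet (tag 2) in a binary (gpg --dearmor'ed) Release.gpg."""
    sigs, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:                                   # new-format header (RFC 4880 4.2.2)
            tag, (length, n) = ctb & 0x3F, _read_len(data, pos + 1)
        else:                                            # old-format header (4.2.1), what GnuPG emits
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 3]  # length type 3 (indeterminate) is invalid here
            length = int.from_bytes(data[pos + 1:pos + 1 + n], "big")
        body, pos = data[pos + 1 + n:pos + 1 + n + length], pos + 1 + n + length
        if tag != 2 or body[0] != 4:
            continue                                     # not a v4 signature packet
        hl = int.from_bytes(body[4:6], "big")            # hashed subpacket area length
        subs = body[6:6 + hl] + body[8 + hl:8 + hl + int.from_bytes(body[6 + hl:8 + hl], "big")]
        sigs.append({"pubkey": PUBKEY_ALGOS.get(body[2], body[2]), "hash": HASH_ALGOS.get(body[3], body[3]),
                     "issuer": _issuer(subs), "weak": body[3] in WEAK_HASHES})
    return sigs

def _sample_sig(pk, h, issuer_hex):
    """CONSTRUCTED sample: structurally valid v4 signature packet with a dummy MPI, not verifiable."""
    subs = bytes([5, 2, 0x5A, 0, 0, 0]), bytes([9, 16]) + bytes.fromhex(issuer_hex)  # creation time; issuer
    body = (bytes([4, 0, pk, h]) + len(subs[0]).to_bytes(2, "big") + subs[0]            # hashed area
            + len(subs[1]).to_bytes(2, "big") + subs[1] + b"\xAB\xCD" + bytes([0, 16, 0xFF, 0xFF]))
    return bytes([0x88, len(body)]) + body               # old-format header: tag 2, one-byte length

# Release.gpg as the post proposes it: the legacy DSA/SHA1 signature plus an RSA/SHA256 one (key IDs from the listing).
SAMPLE_RELEASE_GPG = _sample_sig(17, 2, "E8DD3FA0A0BDBCF9") + _sample_sig(1, 8, "D9F9010760D62A6B")
```

Against a real repository, fetch its Release.gpg, pass it through `gpg --dearmor`, and hand the resulting bytes to `parse_signatures`; an empty list or only `"weak": True` entries means apt has nothing acceptable to verify with.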

You’re using the old repositories. Use the /vm/6 repos, instead. It has a new signing key. If you search the forums, you’ll find several posts about it, including instructions.

We cannot change the signing key on the old repos without breaking all installations.

Edit: And, as for this:

We never promised to change the signing key on existing repositories, and have no intention to do so. Use new repos. If you’d like to link to the post that you believe “promised to fix it”, I will edit it to make it more clear that there will never be a “fix” to the old repos…because that’s not possible without breakage (edit 2: I guess your multiple key suggestion would work, but the old repos are deprecated and will be going away eventually, I don’t want to waste more time on it…the old repos haven’t been used for installs for several years).
