[ZBX-24479] Release.gpg signature does not verify Created: 2024 May 14  Updated: 2024 Aug 19  Resolved: 2024 Aug 08

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Incident report Priority: Trivial
Reporter: michael sun Assignee: Jurijs Klopovskis
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Local mirror of Zabbix repo failing to update due to Release.gpg signature error below:

[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
gpgv: Signature made Thu 02 May 2024 06:47:58 AM EDT
gpgv:                using RSA key A1848F5352D022B9471D83D0082AB56BA14FE591
gpgv:                issuer "[email protected]"
gpgv: Good signature from "Zabbix LLC <[email protected]>"

Errors:
 .temp/.tmp/dists/jammy/Release.gpg signature does not verify
 .temp/.tmp/dists/bionic/Release.gpg signature does not verify
 .temp/.tmp/dists/focal/Release.gpg signature does not verify
Failed to download some Release, Release.gpg or InRelease files!

Any assistance would be greatly appreciated.



 Comments   
Comment by michael sun [ 2024 May 15 ]

note, this is also seen in Debian releases as well (bookworm, bullseye, buster).

Comment by Jurijs Klopovskis [ 2024 May 15 ]

We did mess up the keys for Ubuntu some time around the beginning of May, while adding packages for noble, but it has been fixed.
Please check, sunzi

Comment by Jurijs Klopovskis [ 2024 May 15 ]

> note, this is also seen in Debian releases as well (bookworm, bullseye, buster).

OK, then it's probably not related to what I've just mentioned, since Debian was not affected.

This may then be related to the fact that we have moved away from reprepro, and now are using some custom scripts. Regular apt use cases seem to work fine though.

What exactly are you doing, sunzi?
Exact commands for me to try and reproduce.

Comment by michael sun [ 2024 May 15 ]

Yes, I did notice another issue mentioning this, however the issue persists for me. I have downloaded the latest key from here:

https://repo.zabbix.com/zabbix-official-repo-apr2024.gpg

This is the output of my latest attempt to update my local repo using debmirror:

Mirroring to /data/mirror/zabbix/ubuntu from http://repo.zabbix.com/zabbix/6.0/ubuntu/
Arches: amd64
Dists: jammy,bionic,focal
Sections: main
Pdiff mode: use
Will clean up after mirroring.
Dry run.
Attempting to get lock ...
Getting meta files ...
http://repo.zabbix.com/zabbix/6.0/ubuntu/dists/jammy/Release => [  0%] Getting: dists/jammy/Release...   #** GET http://repo.zabbix.com/zabbix/6.0/ubuntu/dists/jammy/Release ==> 200 OK
200 OK
ok
http://repo.zabbix.com/zabbix/6.0/ubuntu/dists/jammy/InRelease => [  0%] Getting: dists/jammy/InRelease...       #** GET http://repo.zabbix.com/zabbix/6.0/ubuntu/dists/jammy/InRelease ==> 200 OK
200 OK
ok
http://repo.zabbix.com/zabbix/6.0/ubuntu/dists/jammy/Release.gpg => [  0%] Getting: dists/jammy/Release.gpg...   #** GET http://repo.zabbix.com/zabbix/6.0/ubuntu/dists/jammy/Release.gpg ==> 200 OK
200 OK
ok
[GNUPG:] UNEXPECTED 0
gpgv: verify signatures failed: Unexpected error
.temp/.tmp/dists/jammy/Release.gpg signature does not verify.
[GNUPG:] NEWSIG [email protected]
[GNUPG:] KEY_CONSIDERED A1848F5352D022B9471D83D0082AB56BA14FE591 0
[GNUPG:] SIG_ID RMuV3gFRKxfFB7JymNCPn3TDQyo 2024-05-02 1714646877
[GNUPG:] KEY_CONSIDERED A1848F5352D022B9471D83D0082AB56BA14FE591 0
[GNUPG:] GOODSIG 082AB56BA14FE591 Zabbix LLC <[email protected]>
[GNUPG:] VALIDSIG A1848F5352D022B9471D83D0082AB56BA14FE591 2024-05-02 1714646877 0 4 0 1 10 01 A1848F5352D022B9471D83D0082AB56BA14FE591
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
gpgv: Signature made Thu 02 May 2024 06:47:57 AM EDT
gpgv:                using RSA key A1848F5352D022B9471D83D0082AB56BA14FE591
gpgv:                issuer "[email protected]"
gpgv: Good signature from "Zabbix LLC <[email protected]>"

Here are my current keys:

 

pub   rsa4096 2024-04-30 [SC] [expires: 2034-04-28]
      4C3D6F2CC75F5146754FC374D913219AB5333005
uid           [ unknown] Zabbix LLC (Apr 2024) <[email protected]>
sub   rsa4096 2024-04-30 [E] [expires: 2034-04-28]
pub   dsa1024 2012-10-28 [SC]
      FBABD5FB20255ECAB22EE194D13D58E479EA5ED4
uid           [ unknown] Zabbix SIA <[email protected]>
sub   elg1024 2012-10-28 [E]
pub   rsa2048 2016-07-15 [SC]
      A1848F5352D022B9471D83D0082AB56BA14FE591
uid           [ unknown] Zabbix LLC <[email protected]>
sub   rsa2048 2016-07-15 [E]

 

command:

debmirror --config-file=u_zabbix.conf

config file:

 

$mirrordir="/data/mirror/zabbix/ubuntu";
$verbose=1;
$progress=1;
$debug=1;
$host="repo.zabbix.com";
$remoteroot="/zabbix/6.0/ubuntu";
$download_method="http";
@dists="jammy,bionic,focal";
@sections="main";
@arches="amd64";
$omit_suite_symlinks=1;
$skippackages=0;
@rsync_extra="none";
$i18n=0;
$getcontents=1;
$do_source=0;
 
$ignore_release_gpg=0;
$ignore_release=0;
$post_cleanup=1;
$timeout=300;
 
$dry_run=1;
$diff_mode="use";
1;


Please let me know if I can provide any further details and thank you for reviewing.

Comment by Jurijs Klopovskis [ 2024 May 15 ]

The https://repo.zabbix.com/zabbix-official-repo-apr2024.gpg is only for noble at the moment, but we plan to use it for all of 7.0, when that comes out.

I'll have a look at how debmirror behaves, and get back to you.

Comment by michael sun [ 2024 May 15 ]

Thanks again for reviewing; it is much appreciated.

Comment by DZ [ 2024 Jun 12 ]

The issue is not with the repo public key but because Release.gpg files don't contain a signature. Therefore, there is nothing to verify. Either keep InRelease only or fix Release(.gpg).

Comment by Sebastian Endres [ 2024 Aug 07 ]

What u923 wrote is totally right. The Release & Release.gpg files are redundant when InRelease exists. But if you provide Release & Release.gpg files, the Release.gpg file must contain the signature of the Release file. Right now it contains the public key of the signing key.

I just realized that we have not received any updates since May 2024. Are you planning to fix the Release.gpg file soon or do we have to patch our mirror scripts?
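
A mirror-side pre-check for the failure described in the comment above, as an added example (not part of the original thread, and not Zabbix or debmirror code): it reads the tag of the first OpenPGP packet (RFC 4880) in a Release.gpg and reports whether the file holds a detached signature or a public key. The function names and the sample byte strings are constructed for illustration.

```python
import base64
import sys

# OpenPGP packet tags (RFC 4880, section 4.3) that matter for this check.
TAG_NAMES = {2: "signature", 6: "public-key"}


def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, decoding ASCII armor when present."""
    text = data.lstrip()
    if not text.startswith(b"-----BEGIN PGP "):
        return data  # binary already, or not OpenPGP at all
    body, in_headers = [], True
    for line in text.decode("ascii", "replace").splitlines()[1:]:
        line = line.strip()
        if in_headers:
            if line == "" or ": " in line:  # armor headers end at a blank line
                in_headers = line != ""
                continue
            in_headers = False  # tolerate a missing blank line
        if line.startswith(("=", "-----END")):  # CRC24 line or armor tail
            break
        body.append(line)
    return base64.b64decode("".join(body))


def classify_release_gpg(data: bytes) -> str:
    """Classify a Release.gpg by the tag of its first OpenPGP packet."""
    try:
        raw = dearmor(data)
    except ValueError:  # binascii.Error is a ValueError
        return "not-openpgp"
    if not raw or not raw[0] & 0x80:  # bit 7 is set on every packet header
        return "not-openpgp"
    first = raw[0]
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F  # new / old format
    return TAG_NAMES.get(tag, f"other-packet-{tag}")


def _armor(kind: str, packet: bytes) -> bytes:
    b64 = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{b64}\n-----END PGP {kind}-----\n".encode()


# Constructed samples: packet headers only, with dummy bodies (not real Zabbix data).
SAMPLE_SIGNATURE = _armor("SIGNATURE", b"\x89\x00\x04\x04\x00\x01\x0a")
SAMPLE_PUBLIC_KEY = _armor("PUBLIC KEY BLOCK", b"\x99\x00\x04\x04\x00\x00\x00")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_release_gpg(fh.read()))
```

A mirror job can run this on each downloaded Release.gpg and alert, or fall back to InRelease, when the result is anything other than `signature`.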

Comment by Jurijs Klopovskis [ 2024 Aug 07 ]

You are correct, Endres, regarding Release.gpg file. I'll update our repo files.

ETA Tomorrow morning.

Comment by Jurijs Klopovskis [ 2024 Aug 08 ]

Regenerated affected repo metadata. Should work now.

Comment by Sebastian Endres [ 2024 Aug 08 ]

Thanks for the quick reaction. Yes, it works now. However, for the zabbix-tools repo the Release.gpg file is still the public key, not the signature.

Comment by Jurijs Klopovskis [ 2024 Aug 08 ]

> However, for the zabbix-tools repo the Release.gpg file is still the public key, not the signature.

Done.

Comment by Sebastian Endres [ 2024 Aug 08 ]

Yes, everything looks good now. Thank you very much

Comment by michael sun [ 2024 Aug 08 ]

Thank you!!

Comment by Sebastian Endres [ 2024 Aug 19 ]

It looks like the repository for Zabbix 6.0 broke again on August 13th. Same problem: The Release.gpg file contains the public key not the signature: https://repo.zabbix.com/zabbix/6.0/debian/dists/bookworm/Release.gpg

Comment by Jurijs Klopovskis [ 2024 Aug 19 ]

Sorry about that.
Check now.

Comment by Sebastian Endres [ 2024 Aug 19 ]

No problem. It works again, thanks
