Invalid GPG signature - what to do about it?

Hi all, I recently ran sudo apt update and from what I can tell there is an invalid signature for a repo related to OBS and my OneDrive app. I don't remember adding this repo manually but maybe it was added by an install script I ran. I found this thread with a similar issue, where users suggested simply removing the repo in question. If I remove the repo, will there be issues with updating this software in the future? And if removing the repo is safe, how can I do it?

ed@Slungi:~$ sudo apt update
[sudo] password for ed:           
Hit:1 http://security.ubuntu.com/ubuntu jammy-security InRelease               
Hit:2 http://archive.ubuntu.com/ubuntu jammy InRelease                         
Get:3 http://cn.archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]     
Hit:4 http://cn.archive.ubuntu.com/ubuntu jammy-backports InRelease            
Hit:5 https://packages.zorinos.com/stable jammy InRelease                      
Hit:6 https://packages.zorinos.com/patches jammy InRelease          
Hit:7 https://ppa.launchpadcontent.net/graphics-drivers/ppa/ubuntu jammy InRelease
Hit:8 https://packages.zorinos.com/apps jammy InRelease             
Hit:9 https://ppa.launchpadcontent.net/lucioc/sayonara/ubuntu jammy InRelease
Hit:10 https://packages.zorinos.com/drivers jammy InRelease         
Get:11 https://download.opensuse.org/repositories/home:/npreining:/debian-ubuntu-onedrive/xUbuntu_22.04 ./ InRelease [1,604 B]
Hit:12 https://ppa.launchpadcontent.net/zorinos/apps/ubuntu jammy InRelease
Err:11 https://download.opensuse.org/repositories/home:/npreining:/debian-ubuntu-onedrive/xUbuntu_22.04 ./ InRelease
  The following signatures were invalid: EXPKEYSIG B8AC39B0876D807E home:npreining OBS Project <home:npreining@build.opensuse.org>
Hit:13 https://ppa.launchpadcontent.net/zorinos/drivers/ubuntu jammy InRelease
Hit:14 https://ppa.launchpadcontent.net/zorinos/patches/ubuntu jammy InRelease
Hit:15 https://ppa.launchpadcontent.net/zorinos/stable/ubuntu jammy InRelease
Fetched 130 kB in 3s (41.9 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
9 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://download.opensuse.org/repositories/home:/npreining:/debian-ubuntu-onedrive/xUbuntu_22.04 ./ InRelease: The following signatures were invalid: EXPKEYSIG B8AC39B0876D807E home:npreining OBS Project <home:npreining@build.opensuse.org>
W: Failed to fetch https://download.opensuse.org/repositories/home:/npreining:/debian-ubuntu-onedrive/xUbuntu_22.04/./InRelease  The following signatures were invalid: EXPKEYSIG B8AC39B0876D807E home:npreining OBS Project <home:npreining@build.opensuse.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.
ed@Slungi:~$ 


If you still have that script, or know where to find it, we can check what it did in your system. You can use something like pastebin to share plain text; just copy and paste. If the script is too large and exceeds pastebin's limit, you can use something like ffsend (choose an instance here) or Wormhole, instead.

Removing the repository effectively makes the system forget where to go look for updates, so yes, that would be a problem. However, when the GPG key is missing or invalid, it won't download anything from that location anyway.
Your options are to either replace the repository, the GPG key, or both. In either case, you need to know where you got it from in the first place, since that's where they usually include information about how to install it again.
If I had to do it myself I would use this, but please double check yourself:

But before you attempt that, you need to remove the current reference to the repository as well as the GPG key. Most likely, you can find the repository in a dedicated file under /etc/apt/sources.list.d. The GPG key will also be in its own dedicated file, either under /etc/apt/keyrings, /etc/apt/trusted.gpg.d or /usr/share/keyrings.

Once you have found those files, delete them. Then, follow the instructions from the link above to re-install the repository.

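A read-only way to do the lookup described in the reply above, as an added example that is not part of the original post: it pulls the expired key ID and repository URL out of the `apt update` warning, then reports which source file references that URL and which keyring file holds the key. The function names are made up for this example, and the last function assumes a GnuPG version that supports `--show-keys`.

```bash
#!/usr/bin/env bash
# Added example: read-only helpers for tracing an EXPKEYSIG warning back to
# the APT source file and keyring file involved. Nothing here edits or deletes.

# stdin: `apt update` output. Prints "KEYID REPO_URL" per EXPKEYSIG warning.
expired_keys_from_apt_output() {
  sed -nE 's/.*GPG error: ([^ ]+) .*EXPKEYSIG ([0-9A-Fa-f]+).*/\2 \1/p' | sort -u
}

# Lists source files that mention REPO_URL ($1). Further arguments replace
# the default search paths.
find_source_files() {
  local url=$1; shift
  [ "$#" -gt 0 ] || set -- /etc/apt/sources.list /etc/apt/sources.list.d
  grep -rlF -- "$url" "$@" 2>/dev/null || true
}

# Prints the keyring path(s) a source file ($1) pins, from either the
# one-line "[signed-by=...]" option or a deb822 "Signed-By:" field.
signed_by_paths() {
  sed -nE -e 's#.*signed-by=([^] ]+).*#\1#p' \
          -e 's#^Signed-By:[[:space:]]*(/.*)$#\1#p' "$1" | tr ',' '\n'
}

# Scans keyring directories for files holding KEYID ($1) as a primary key or
# subkey. Prints "path validity"; validity "e" means expired in gpg's
# colon-delimited listing. Further arguments replace the default directories.
find_keyring_files() {
  local keyid=$1 d f v; shift
  [ "$#" -gt 0 ] || set -- /etc/apt/keyrings /etc/apt/trusted.gpg.d /usr/share/keyrings
  for d in "$@"; do
    for f in "$d"/*; do
      [ -f "$f" ] || continue
      v=$(gpg --show-keys --with-colons "$f" 2>/dev/null |
          awk -F: -v k="$keyid" \
            '($1=="pub" || $1=="sub") && toupper($5)==toupper(k) {print $2; exit}')
      [ -z "$v" ] || echo "$f $v"
    done
  done
}

# Typical use:
#   sudo apt update 2>&1 | expired_keys_from_apt_output
#   find_source_files "<REPO_URL printed above>"
#   find_keyring_files "<KEYID printed above>"
```

If `signed_by_paths` prints a path for the source file, that is the key file the repository actually uses; the directory scan is the fallback when the entry has no signed-by option.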

Hello guys! :wave:

If you remove the repo, you will not receive future updates, which may be a problem if you rely on it for newer versions of OBS or OneDrive. However, if the signature issue is causing difficulties and you don't recall accessing that particular repo, deleting it may be a safer option.
To remove the repo, you can find it listed in your sources by running:

sudo nano /etc/apt/sources.list.d/your-repo-list-file.list

Just comment out or delete the line related to the OBS/OneDrive repo, save, and then run sudo apt update again.

If you do need the repo later, you can always add it back with a fresh key.

I hope this will help you!

Just to clarify, OBS in this context refers to OpenSUSE's Open Build Service, not Open Broadcaster Project.

Thanks a lot, this solved the issue. In this case the GPG key was under /usr/share/keyrings.

