Package: apt
Version: 2.1.18
Severity: important

Hi,

I maintain the extrepo package[1], a tool to manage external (i.e., third-party, non-Debian) repositories. As part of that, the extrepo-data repository on salsa[2] manages metadata for repositories. In a GitLab CI job, I validate that the repositories do not contain anything that is not valid before accepting them into the metadata repository. One of the checks is to validate the InRelease file.

Currently, there are two merge requests open[3] for repositories on which my script fails while trying to verify the InRelease file. It turns out that these repositories return data for the InRelease file -- i.e., a file that has checksums and is signed by some tool -- but the signature is invalid. The repository also has a Release/Release.gpg pair, where the signature *is* valid.

Apt should probably produce a warning (if not an error) on such repositories; it currently does not seem to do that.

[1] https://packages.debian.org/extrepo
[2] https://salsa.debian.org/extrepo-team/extrepo-data
[3] https://salsa.debian.org/extrepo-team/extrepo-data/-/merge_requests/65 and .../66
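The check described in the report, as an added example that is neither extrepo's nor apt's code: verify a repository's clearsigned InRelease and its detached Release/Release.gpg pair separately with gpgv, and flag the inconsistent state where only the latter verifies. It assumes the three files have already been fetched into a local directory and that the publisher's key is in a binary keyring file (assumed layout; gpgv from the gnupg package).

```shell
#!/bin/sh
# Added example, not apt's or extrepo's code. Checks both signature forms a
# Debian-style repository publishes and reports the state from the bug report:
# InRelease present but not verifying, while Release/Release.gpg verifies.
# Assumes gpgv (gnupg) is installed and the files were fetched into DIR.

# Usage: verify_release_signatures DIR KEYRING
# Return codes:
#   0  InRelease verifies (or is absent and Release.gpg verifies)
#   1  InRelease is present but invalid, while Release.gpg is valid
#   2  no signature verifies
verify_release_signatures() {
    dir=$1
    keyring=$2
    inrelease_ok=no
    release_ok=no

    # InRelease is a clearsigned Release: gpgv checks the inline signature.
    if [ -f "$dir/InRelease" ] &&
       gpgv --keyring "$keyring" "$dir/InRelease" >/dev/null 2>&1; then
        inrelease_ok=yes
    fi

    # Release.gpg is a detached signature over the plain Release file.
    if [ -f "$dir/Release" ] && [ -f "$dir/Release.gpg" ] &&
       gpgv --keyring "$keyring" "$dir/Release.gpg" "$dir/Release" \
            >/dev/null 2>&1; then
        release_ok=yes
    fi

    if [ "$inrelease_ok" = yes ]; then
        echo "ok: InRelease signature verifies"
        return 0
    fi
    if [ -f "$dir/InRelease" ] && [ "$release_ok" = yes ]; then
        echo "warning: InRelease exists but its signature is invalid;" \
             "only Release/Release.gpg verifies" >&2
        return 1
    fi
    if [ "$release_ok" = yes ]; then
        echo "ok: no InRelease, Release/Release.gpg signature verifies"
        return 0
    fi
    echo "error: no valid signature found in $dir" >&2
    return 2
}
```

Run it against a directory fetched from the repository's dists/<suite>/ path with the repository's public key exported into a binary keyring; a return code of 1 is the case the report asks apt to warn about.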
I maintain the extrepo package[1], a tool to manage external (i.e., third-party, non-Debian) repositories. As part of that, the extrepo-data repository on salsa[2] manages metadata for repositories. In a GitLab CI job, I validate that the repositories do not contain anything that is not valid before accepting them to the metadata repository. One of the checks is to validate the InRelease file. Currently, there are two merge requests open[3] for repositories on which my script fails while trying to verify the InRelease file. It turns out that these repositories return data for the InRelease file -- i.e., a file that has checksums and is signed by some tool -- but the signature is invalid. The repository also has a Release/Release.gpg pair, where the signature *is* valid. Apt should probably produce a warning (if not an error) on such repositories; it currently does not seem to do that. [1] https://packages.debian.org/extrepo [2] https://salsa.debian.org/extrepo-team/extrepo-data [3] https://salsa.debian.org/extrepo-team/extrepo-data/-/merge_requests/65 and .../66