APT repository InRelease files corrupted?

michel.decima · December 13, 2023, 10:41am

APT repository InRelease files appear corrupted, gpp signature verification fails :

$ curl -s https://apt.releases.hashicorp.com/gpg | gpg --import
gpg: key AA16FCBCA621E701: public key “HashiCorp Security (HashiCorp Package Signing) security+packaging@hashicorp.com” imported
gpg: Total number processed: 1
gpg: imported: 1

$ curl -s https://apt.releases.hashicorp.com/dists/bookworm/InRelease | gpg --verify
gpg: Signature made Wed Dec 13 02:24:31 2023 UTC
gpg: using RSA key AA16FCBCA621E701
gpg: BAD signature from “HashiCorp Security (HashiCorp Package Signing) security+packaging@hashicorp.com” [unknown]

$ curl -s https://apt.releases.hashicorp.com/dists/jammy/InRelease | gpg --verify
gpg: Signature made Wed Dec 13 01:37:36 2023 UTC
gpg: using RSA key AA16FCBCA621E701
gpg: BAD signature from “HashiCorp Security (HashiCorp Package Signing) security+packaging@hashicorp.com” [unknown]

drencrom · January 18, 2024, 8:54pm

I can confirm this issue at least with respect to the jammy repo. The Release file is correctly signed by the Release.gpg file but the InRelease file that includes the Release file and the signature in the same file shows an invalid signature.
This was already acknowledged in the forum last year by @apparentlymart
Standard apt seems to work fine but mirroring systems like reprepro and debmirror fail.
Can this be checked?