Bad signature for https://apt.releases.hashicorp.com/dists/focal/InRelease

I’m not sure either but one possible explanation is that the repository includes two different signed artifacts:

  • InRelease is a combination of the message itself and a signature all in one file.
  • Release is a raw release manifest which is signed by the detached signature in Release.gpg.

I wonder if normal apt is using the Release/Release.gpg pair and so is working with the raw Release file and whatever line endings it naturally has, while debmirror is trying to use InRelease and getting into trouble because the message portion of that file has had its line endings changed as part of the signing process.

I’ve not confirmed whether that’s a correct theory but I am still working on figuring out where to send this feedback internally so that we can make sure that all of the signatures conform to the relevant RFC.
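Added example, not part of the original post and not code from apt, debmirror or HashiCorp: a Python sketch of how the signed text inside a clearsigned `InRelease` file is recovered and canonicalized under the RFC 4880 cleartext signature rules, next to the raw bytes that a binary detached signature such as `Release.gpg` would cover. The sample file, its placeholder signature and the function names are constructed for illustration, and the digest compared is of the message bytes only, not the full OpenPGP signature hash.

```python
import hashlib

# Constructed sample shaped like an InRelease file; the signature is a placeholder.
SAMPLE_INRELEASE = (
    b"-----BEGIN PGP SIGNED MESSAGE-----\n"
    b"Hash: SHA512\n"
    b"\n"
    b"Origin: example \n"          # trailing space is dropped before signing
    b"Suite: focal\n"
    b"- -dash-escaped line\n"      # "- " prefix is removed before verifying
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"PLACEHOLDER\n"
    b"-----END PGP SIGNATURE-----\n"
)

def split_clearsigned(data: bytes):
    """Return (armor_headers, message_lines, armored_signature)."""
    lines = data.splitlines()  # accepts LF and CRLF input alike
    if not lines or lines[0] != b"-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a cleartext-signed message")
    try:
        blank = lines.index(b"", 1)  # empty line that ends the armor headers
        sig = lines.index(b"-----BEGIN PGP SIGNATURE-----", blank)
    except ValueError:
        raise ValueError("truncated cleartext-signed message") from None
    # Undo dash-escaping on the message lines.
    body = [l[2:] if l.startswith(b"- ") else l for l in lines[blank + 1:sig]]
    return lines[1:blank], body, b"\n".join(lines[sig:]) + b"\n"

def canonical_text(lines):
    """Bytes a cleartext signature covers: trailing spaces/tabs stripped,
    CRLF between lines, and no line ending after the last line."""
    return b"\r\n".join(l.rstrip(b" \t") for l in lines)

def signed_bytes_differ(release: bytes, inrelease: bytes) -> bool:
    """True if the raw Release bytes and the canonical InRelease text hash differently."""
    _, body, _ = split_clearsigned(inrelease)
    raw = hashlib.sha256(release).digest()
    canon = hashlib.sha256(canonical_text(body)).digest()
    return raw != canon

if __name__ == "__main__":
    raw_release = b"Origin: example \nSuite: focal\n-dash-escaped line\n"
    print(signed_bytes_differ(raw_release, SAMPLE_INRELEASE))
```

A verifier that hashes the `InRelease` message portion as stored, without this canonicalization, or a signer that canonicalizes differently, will compute a different digest from the other side and report a bad signature even though the manifest content is the same.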