• Type: Bug
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: 6.1.0, 5.11.1, 6.3.3
    • Fix Version/s: None
    • Component/s: Debian
    • Labels:
    • Environment:

      Single Artifactory host.

    • Sprint:
      Pam - Sprint 1, Pam - Sprint 2


      What: From the Debian Repository Format Specification (

      "Servers shall provide the InRelease file, and might provide Release files and their signed counterparts with at least the following keys:

      • Suite and/or Codename
      • Architectures
      • Components
      • Date
      • SHA256

      Still having an unsigned Release file and MD5Sum is currently highly recommended."

      Why: We currently use Debian repositories with a large number of automated clients. We've confirmed with a solutions architect that it's possible for Debian index files to be out of sync for brief periods (a few ms, read 'non-atomic update'). This means that a Debian Release.gpg signature file might be out of sync with the Release index file for brief periods, causing clients to display errors due to inconsistent metadata, such as:

      • 'GPG error: trusty Release: The following signatures were invalid: BADSIG <FINGERPRINT HERE> Foo Team (Foo's Repo Key) <>'
      • 'WARNING: untrusted versions of the following packages will be installed!'

      The Debian way of solving this problem is to include the release index with an inline GPG signature (i.e. the InRelease file) to eliminate the possibility that Release (index) and Release.gpg (index signature) do not match.


      InRelease files are equivalent to Release files with the exception that they contain an inline GPG signature, whereas validating Release files requires downloading a separate Release.gpg file. Having the signature in line avoids race conditions when downloading.
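      The consistency check implied by the description above, written as an added example (this is not Artifactory, apt or Debian code): it parses the clearsigned InRelease envelope, recovers the Release body it signs, parses the Release keys the spec quote requires (Suite/Codename, Architectures, Components, Date, SHA256), verifies an index file against its SHA256 entry, and compares the signed body with a separately served Release file so a mirror health check can flag the out-of-sync window the reporter describes. The Packages index, the Release dates and the signature block are constructed placeholders; OpenPGP signature verification itself is left to gpg/apt and is deliberately not performed here.

```python
"""Parse a Debian InRelease (clearsigned Release) file and check that it
agrees with a separately served Release file.

Added example for the issue above; it does NOT verify the OpenPGP
signature (use gpg or apt for that), it only detects the Release /
InRelease mismatch that a non-atomic repository update produces.
"""
import hashlib

PGP_SIGNED_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG_HEADER = "-----BEGIN PGP SIGNATURE-----"
HASH_KEYS = ("MD5Sum", "SHA1", "SHA256", "SHA512")
REQUIRED_KEYS = ("Architectures", "Components", "Date", "SHA256")

# Constructed sample data (not a real repository): one Packages index and a
# Release file listing its digest in the "<hex> <size> <path>" form.
SAMPLE_PACKAGES = b"Package: foo\nVersion: 1.0\nArchitecture: amd64\n"


def make_release(date):
    """Build a minimal Release file with the keys the spec requires."""
    digest = hashlib.sha256(SAMPLE_PACKAGES).hexdigest()
    return (
        "Suite: trusty\nCodename: trusty\nArchitectures: amd64\n"
        "Components: main\n"
        f"Date: {date}\n"
        "SHA256:\n"
        f" {digest} {len(SAMPLE_PACKAGES)} main/binary-amd64/Packages\n"
    )


NEW_RELEASE = make_release("Mon, 01 Jan 2018 00:00:00 UTC")  # constructed
OLD_RELEASE = make_release("Sun, 31 Dec 2017 00:00:00 UTC")  # constructed


def make_inrelease(release):
    """Wrap a Release body in a clearsigned envelope (RFC 4880 section 7).
    The signature block is a constructed placeholder, not a real signature."""
    lines = release.rstrip("\n").splitlines()
    body = "\n".join("- " + l if l.startswith("-") else l for l in lines)
    return (f"{PGP_SIGNED_HEADER}\nHash: SHA256\n\n{body}\n"
            f"{PGP_SIG_HEADER}\n\nPLACEHOLDER-NOT-A-REAL-SIGNATURE\n"
            "-----END PGP SIGNATURE-----\n")


INRELEASE = make_inrelease(NEW_RELEASE)


def extract_clearsigned_body(inrelease):
    """Return the signed text of a clearsigned message: everything between the
    blank line after the armor headers and the signature armor, with
    dash-escaping undone and without the final line ending."""
    lines = inrelease.splitlines()
    try:
        start = lines.index(PGP_SIGNED_HEADER)
        end = lines.index(PGP_SIG_HEADER, start)
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    i = start + 1
    while i < end and lines[i].strip():  # skip "Hash: ..." headers
        i += 1
    body = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:end]]
    return "\n".join(body)


def parse_release(text):
    """Parse "Key: value" fields; hash sections become (digest, size, path) tuples."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # continuation line of a hash list
            if current is None or not isinstance(fields[current], list):
                raise ValueError(f"unexpected continuation: {line!r}")
            fields[current].append(line.strip())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        current, value = key.strip(), value.strip()
        fields[current] = [] if value == "" else value
    for key in HASH_KEYS:
        if isinstance(fields.get(key), list):
            fields[key] = [tuple(entry.split()) for entry in fields[key]]
    return fields


def missing_keys(fields):
    """Keys the spec quote requires that this Release lacks."""
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if "Suite" not in fields and "Codename" not in fields:
        missing.append("Suite/Codename")
    return missing


def verify_index(fields, path, data):
    """True if `data` matches the SHA256 entry (digest and size) for `path`."""
    for digest, size, entry in fields.get("SHA256", []):
        if entry == path:
            return int(size) == len(data) and hashlib.sha256(data).hexdigest() == digest
    return False


def check_consistency(release_text, inrelease_text):
    """Problems a mirror health check would report; empty list means consistent."""
    problems = []
    signed = extract_clearsigned_body(inrelease_text)
    if signed != release_text.rstrip("\n"):
        problems.append("Release and InRelease bodies differ (non-atomic update?)")
    for name, text in (("Release", release_text), ("InRelease", signed)):
        for key in missing_keys(parse_release(text)):
            problems.append(f"{name}: missing required key {key}")
    return problems


if __name__ == "__main__":
    print("consistent:", check_consistency(NEW_RELEASE, INRELEASE))
    print("stale Release:", check_consistency(OLD_RELEASE, INRELEASE))
```

      Against a live mirror the same functions would be fed the bytes fetched from `dists/<suite>/Release` and `dists/<suite>/InRelease`; a non-empty result from `check_consistency` during an update is exactly the window in which clients fetching Release and Release.gpg separately see BADSIG, while a client using only InRelease sees a self-consistent document.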




            • Assignee:
              dmarkus David Markus
            • Votes: 6
            • Watchers: 12