Artifactory fails verifying the signatures of signed repository files in /var/lib/apt/lists throws BAD signature error while testing. It is reproducible in 6.19 as well.The signature of the InRelease file is causing this BAD signature.
Artifactory 6.19 introduced support for the InRelease metadata file for Debian repositories. This seems to be broken. https://github.com/AdoptOpenJDK/openjdk-installer/issues/235
Same behavior tested on 7.6.
apt-get update or apt-get install does not report any errors.
Reproduction Steps
1) wget -qO - RESTRICTED_URL1| sudo apt-key add -
2) sudo add-apt-repository --yes RESTRICTED_URL2| bionic main
3) sudo apt update
4) apt-key adv --verify RESTRICTED_PATH
Output
Executing: /tmp/apt-key-gpghome.RIvVEJjtXN/gpg.1.sh --verify RESTRICTED_PATH
gpg: Signature made Wed Jul 22 00:22:38 2020 UTC
gpg: using RSA key RESTRICTED_RSA
gpg: BAD signature from "saiun (df) <saiu@jfrog.com>" [unknown]