Invalid package signature on Debian Stretch

Dear list,

I’m trying to install obyspy on a Debian stretch system. This fails with warnings about invalid signatures, which puzzles me, because I imported the key as described in the manual:

  1. I included this repository to my /etc/apt/sources.list:

# Obspy
deb stretch main

  1. I downloaded and imported the key:
$ wget --quiet -O -   sudo apt-key add -
  1. I tried to update the repository, which fails:

$ sudo apt-get update
W: GPG error: stretch InRelease: The following signatures were invalid: AB88DF222C40D448E99F0F07054D40E834811F05
W: The repository ' stretch InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.

Now I wonder, whether I missed something, or whether there is maybe a problem with the signature of the package for debian stretch?

Thanks!
Wasja

Dear all,

I did the same some months ago in my raspberrypi 2B running raspbian stretch, and I have the same warnings, but obspy is running fine!

Regards
Mario

S'està citant Wasja Bloch <wasja@gfz-potsdam.de>:

Hi Wasja,

thanks for letting me know. After some digging I found that the
signatures were all OK, but Debian nowadays enforces stronger hashing
algorithms for the signatures on the repository metadata.

See https://github.com/obspy/obspy/issues/2037 for details.

In any case, the warning on newer Debian/Ubuntu should be gone now.

cheers,
T