Invalid package signature on Debian Stretch

Dear list,

I’m trying to install obyspy on a Debian stretch system. This fails with warnings about invalid signatures, which puzzles me, because I imported the key as described in the manual:

  1. I included this repository to my /etc/apt/sources.list:

# Obspy
deb stretch main

  1. I downloaded and imported the key:
$ wget --quiet -O -   sudo apt-key add -
  1. I tried to update the repository, which fails:

$ sudo apt-get update
W: GPG error: stretch InRelease: The following signatures were invalid: AB88DF222C40D448E99F0F07054D40E834811F05
W: The repository ' stretch InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.

Now I wonder, whether I missed something, or whether there is maybe a problem with the signature of the package for debian stretch?


Dear all,

I did the same some months ago in my raspberrypi 2B running raspbian stretch, and I have the same warnings, but obspy is running fine!


S'està citant Wasja Bloch <>:

Hi Wasja,

thanks for letting me know. After some digging I found that the
signatures were all OK, but Debian nowadays enforces stronger hashing
algorithms for the signatures on the repository metadata.

See for details.

In any case, the warning on newer Debian/Ubuntu should be gone now.