We Want to Hear From You! What Do You Want to See on the Community? Tell us here!
Forum Discussion
OpenPGP signature verification failed with Debian Trixie.
Warning: OpenPGP signature verification failed: http://linux.dropbox.com/debian trixie Release: The following signatures were invalid: BADSIG FC918B335044912E Dropbox Automatic Signing Key <linux...
Hi Verwijs and Megan. I got the same error on a Debian Bookworm system when running `apt update`:
W: GPG error: http://linux.dropbox.com/debian bookworm Release: The following signatures were invalid: BADSIG FC918B335044912E Dropbox Automatic Signing Key <linux@dropbox.com>
E: The repository 'http://linux.dropbox.com/debian bookworm Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.Strangely enough, downloading and verifying the signature works fine (the downloaded public key is the same I had in my system keyring):
$ echo "Fetch latest release and signature"
$ wget -nv https://linux.dropboxstatic.com/debian/dists/bookworm/Release{,.gpg}
2025-06-04 09:58:45 URL:https://linux.dropboxstatic.com/debian/dists/bookworm/Release [6606/6606] -> "Release" [1]
2025-06-04 09:58:45 URL:https://linux.dropboxstatic.com/debian/dists/bookworm/Release.gpg [488/488] -> "Release.gpg" [1]
FINISHED --2025-06-04 09:58:45--
Total wall clock time: 1.0s
Downloaded: 2 files, 6.9K in 0s (51.8 MB/s)
$ echo "Fetch Dropbox repository public key"
$ wget -nv https://linux.dropbox.com/fedora/rpm-public-key.asc
2025-06-04 10:56:47 URL:https://linux.dropbox.com/fedora/rpm-public-key.asc [975/975] -> "rpm-public-key.asc" [1]
$ echo "Import the public key into a temporary keyring"
$ gpg --no-default-keyring --keyring dropbox-temp.kbx --trust-model always --import rpm-public-key.asc
gpg: key FC918B335044912E: public key "Dropbox Automatic Signing Key <linux@dropbox.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ echo "Verify the release file signature"
$ gpg --no-default-keyring --keyring dropbox-temp.kbx --verify Release.gpg Release
gpg: Signature made Fri 30 May 2025 04:08:45 PM -03
gpg: using RSA key 1C61A2656FB57B7E4DE0F4C1FC918B335044912E
gpg: Good signature from "Dropbox Automatic Signing Key <linux@dropbox.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1C61 A265 6FB5 7B7E 4DE0 F4C1 FC91 8B33 5044 912EIn my case, it seems the locally cached metadata for the Dropbox repo was stale, so I removed the files listed by this command.
$ find /var/lib/apt/lists -iname "linux.dropbox.com*"
/var/lib/apt/lists/linux.dropbox.com_debian_dists_bookworm_Release.gpg
/var/lib/apt/lists/linux.dropbox.com_debian_dists_bookworm_main_binary-amd64_Packages
/var/lib/apt/lists/linux.dropbox.com_debian_dists_bookworm_ReleaseThis forced apt to re-download the Release, Release.gpg and the Packages file.
Afterward, `apt update` runs properly and without errors.
