Hi, I have the same problems and I think I can describe the problem a bit more closely now. The problem is the conditional request of APT towards the apt-cacher-ng. The conditional request can be simulated by curl, for example. The problem is that APT doesn't need to fetch the InRelease file, because it is not newer than the one it already has stored (/var/lib/apt/lists/...), but in the meantime apt-cacher-ng has started to fetch some chunks of the InRelease file and is storing them in its cache file. But as soon as it realizes the requestor (APT) no longer needs the data, it sends RST on the connection to its backend mirror and leaves incomplete data in the cache file. This can be repeated several times, and apt-cacher-ng fetches and stores more and more of the InRelease file, until it is complete.
My hypothesis: if the InRelease file has changed, apt-cacher-ng doesn't realize the data changed and continues refetching the InRelease file, finally resulting in an inconsistent file and a failed GPG signature. The InRelease file is then built by apt-cacher-ng from chunks of different versions of this file from the backend mirror. A short experiment can demonstrate the potential problem. I have configured:

deb:/srv/cache/apt-cacher-ng/debrep/dists/bookworm# cat /etc/apt-cacher-ng/local.conf
CacheDir: /srv/cache/apt-cacher-ng
Port: 9999
Remap-hwraidrep: /hwraid ; https://hwraid.le-vert.net/debian/
Remap-debsecrep: /security ; https://security.debian.org/debian-security/
Remap-debsecrep: /debian-security ; https://security.debian.org/debian-security/
LocalDirs: debian-icz /srv/debian-icz

deb:/srv/cache/apt-cacher-ng/debrep/dists/bookworm# rm InRelease*
deb:/srv/cache/apt-cacher-ng/debrep/dists/bookworm# apt update
Get:1 http://deb:9999/debian-icz icz-bookworm InRelease [3,938 B]
Hit:2 http://deb:9999/debian bookworm InRelease
Hit:3 http://deb:9999/debian bookworm-updates InRelease
Hit:4 http://deb:9999/debian bookworm-backports InRelease
Hit:5 http://deb:9999/security bookworm-security InRelease
Fetched 3,938 B in 1s (3,860 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

deb:/srv/cache/apt-cacher-ng/debrep/dists/bookworm# ll InRelease*
-rw-r--r-- 1 apt-cacher-ng apt-cacher-ng 10519 Mar 26 18:21 InRelease
-rw-r--r-- 1 apt-cacher-ng apt-cacher-ng 166 Mar 26 18:21 InRelease.head
deb:/srv/cache/apt-cacher-ng/debrep/dists/bookworm# cat InRelease.head
HTTP/1.1 200 OK
Content-Length: 151073
Last-Modified: Sat, 15 Mar 2025 09:18:33 GMT
X-Original-Source: http://ftp.cz.debian.org/debian/dists/bookworm/InRelease

deb:/srv/cache/apt-cacher-ng/debrep/dists/bookworm# rm InRelease*
deb:/srv/cache/apt-cacher-ng/debrep/dists/bookworm# for x in {1..20}; do curl --header 'If-Modified-Since: Sat, 15 Mar 2025 09:18:33 GMT' http://localhost:9999/debian/dists/bookworm/InRelease; stat -c "%10s %n" InRelease; done
2431 InRelease
12896 InRelease
22012 InRelease
35172 InRelease
41592 InRelease
52056 InRelease
65217 InRelease
70290 InRelease
74015 InRelease
80436 InRelease
89553 InRelease
100018 InRelease
113178 InRelease
119598 InRelease
130062 InRelease
131090 InRelease
141554 InRelease
150671 InRelease
151073 InRelease
151073 InRelease

deb:/srv/cache/apt-cacher-ng/debrep/dists/bookworm# gpg --verify --keyring /usr/share/keyrings/debian-archive-keyring.gpg InRelease
gpg: Signature made Sat 15 Mar 2025 10:10:27 AM CET
gpg: using RSA key A7236886F3CCCAAD148A27F80E98404D386FA1D9
gpg: Good signature from "Debian Archive Automatic Signing Key (11/bullseye) <ftpmas...@debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1F89 983E 0081 FDE0 18F3 CC96 73A4 F27B 8DD4 7936
Subkey fingerprint: A723 6886 F3CC CAAD 148A 27F8 0E98 404D 386F A1D9
gpg: Signature made Sat 15 Mar 2025 10:10:28 AM CET
gpg: using RSA key 4CB50190207B4758A3F73A796ED0E7B82643E131
gpg: Good signature from "Debian Archive Automatic Signing Key (12/bookworm) <ftpmas...@debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B8B8 0B5B 623E AB6A D877 5C45 B7C5 D7D6 3509 47F8
Subkey fingerprint: 4CB5 0190 207B 4758 A3F7 3A79 6ED0 E7B8 2643 E131
gpg: Signature made Sat 15 Mar 2025 10:13:02 AM CET
gpg: using EDDSA key 4D64FEC119C2029067D6E791F8D2585B8783D481
gpg: Good signature from "Debian Stable Release Key (12/bookworm) <debian-rele...@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4D64 FEC1 19C2 0290 67D6 E791 F8D2 585B 8783 D481

In this case, the GPG signature is OK, because the InRelease file was static on the upstream mirror. I have a strong suspicion that apt-cacher-ng doesn't detect the upstream file change in this partially stored file. I didn't inspect the code.

--
Zito
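
Added example, not part of the message above and not apt-cacher-ng code: a toy Python model of the hypothesis, in which a cache resumes an interrupted download without comparing the stored Last-Modified value, next to a variant that discards the partial data when that value changes. The two file versions, the chunk size and all class and function names are constructed for illustration, and a SHA-256 comparison stands in for the GPG signature check.

```python
import hashlib

# Constructed stand-ins for two upstream versions of InRelease. They have the
# same length, so comparing size against Content-Length would not notice a mix.
V1 = {"last_modified": "Sat, 15 Mar 2025 09:18:33 GMT", "body": b"A" * 40}
V2 = {"last_modified": "Sat, 22 Mar 2025 09:18:33 GMT", "body": b"B" * 40}


class PartialCache:
    """Toy cache entry: body bytes plus the validator stored beside them."""

    def __init__(self, check_validator):
        self.check_validator = check_validator
        self.body = b""
        self.last_modified = None

    def fetch_chunk(self, upstream, n):
        """Append up to n more bytes, then stop, as if the client went away."""
        if self.last_modified is None:
            self.last_modified = upstream["last_modified"]
        elif self.check_validator and upstream["last_modified"] != self.last_modified:
            # Upstream changed: the partial data belongs to the old version.
            # In HTTP terms this is what an If-Range resume would enforce.
            self.body = b""
            self.last_modified = upstream["last_modified"]
        start = len(self.body)
        self.body += upstream["body"][start:start + n]


def run(check_validator, chunk=16):
    """Two aborted fetches of V1, then the mirror switches to V2."""
    cache = PartialCache(check_validator)
    cache.fetch_chunk(V1, chunk)
    cache.fetch_chunk(V1, chunk)
    while len(cache.body) < len(V2["body"]):
        cache.fetch_chunk(V2, chunk)
    return cache.body


def matches_a_published_version(body):
    """Digest comparison standing in for the signature check (assumption)."""
    known = {hashlib.sha256(v["body"]).digest() for v in (V1, V2)}
    return hashlib.sha256(body).digest() in known


if __name__ == "__main__":
    for flag in (False, True):
        body = run(flag)
        print(flag, body, matches_a_published_version(body))
```

Without the validator check the finished file has the expected length but is a splice of both versions, which is the state in which a signature check would fail.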