I have PXE boot 99% working on my Raspberry Pi 5 SBCs - everything except apt-get update works. My environment is TFTP server on TrueNAS Scale with 2 NFS shares, one for tftpboot and one for the root filesystems. DHCP setting 66 hands out the TFTP IP address without issue.
New extra info: I've found this isn't an issue purely on Raspberry Pi OS. If I use DietPi, also based on Debian, the same thing happens:
Err:15 https://dietpi.com/apt bookworm InRelease
At least one invalid signature was encountered.
The process to get the root filesystem files is:
- Booting the pi5 from new SD card
- Go through the initial install
- rsync /boot/firmware and / to the shares above (there are no ISO files involved in this like some PXE solutions use). rsync was run with
--permsand I have verified the permissions on the destination are the same as the source.
However, when the pi5 boots from PXE, apt-get update won't run and throws the following errors:
me@raspberrypi:~ $
me@raspberrypi:~ $ sudo apt-get update
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:3 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Err:1 http://deb.debian.org/debian bookworm InRelease
At least one invalid signature was encountered.
Err:2 http://deb.debian.org/debian-security bookworm-security InRelease
At least one invalid signature was encountered.
Err:3 http://deb.debian.org/debian bookworm-updates InRelease
At least one invalid signature was encountered.
Get:4 http://archive.raspberrypi.com/debian bookworm InRelease [39.3 kB]
Err:4 http://archive.raspberrypi.com/debian bookworm InRelease
At least one invalid signature was encountered.
Reading package lists... Done
W: GPG error: http://deb.debian.org/debian bookworm InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.raspberrypi.com/debian bookworm InRelease: At least one invalid signature was encountered.
E: The repository 'http://archive.raspberrypi.com/debian bookworm InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
me@raspberrypi:~ $
Allow insecure and unauthenticated repos gets further but still fails with errors such as:
W: GPG error: http://deb.debian.org/debian bookworm InRelease: At least one invalid signature was encountered.
W: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
The apt example below installs nginx but note the line saying:
WARNING: The following packages cannot be authenticated!
nginx-common nginx
Here's the full output:
me@raspberrypi:~ $ sudo apt-get install nginx
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
nginx-common
Suggested packages:
fcgiwrap nginx-doc ssl-cert
The following NEW packages will be installed:
nginx nginx-common
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 606 kB of archives.
After this operation, 1,708 kB of additional disk space will be used.
Do you want to continue? [Y/n]
WARNING: The following packages cannot be authenticated!
nginx-common nginx
Install these packages without verification? [y/N] y
Get:1 http://deb.debian.org/debian bookworm/main arm64 nginx-common all 1.22.1-9 [112 kB]
Get:2 http://deb.debian.org/debian bookworm/main arm64 nginx arm64 1.22.1-9 [494 kB]
Fetched 606 kB in 1s (541 kB/s)
Preconfiguring packages ...
Selecting previously unselected package nginx-common.
(Reading database ... 78339 files and directories currently installed.)
Preparing to unpack .../nginx-common_1.22.1-9_all.deb ...
Unpacking nginx-common (1.22.1-9) ...
Selecting previously unselected package nginx.
Preparing to unpack .../nginx_1.22.1-9_arm64.deb ...
Unpacking nginx (1.22.1-9) ...
Setting up nginx-common (1.22.1-9) ...
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /lib/systemd/system/nginx.service.
Setting up nginx (1.22.1-9) ...
Upgrading binary: nginx.
Processing triggers for man-db (2.11.2-2) ...
me@raspberrypi:~ $
The suggests to me that it's not a filesystem permissions issue, otherwise new packages couldn't be installed. After a reboot nginx is still there and running fine so filesystem persistence is also working OK.
Note I can add new repos e.g. Docker repo following the official installation instructions.
This isn't a Docker issue as lots of other search results suggest; the Docker repo isn't and wasn't ever installed on this system other than for the test above. There's plenty of disk space available so it isn't that, either.
What can be causing this? Temporarily using an empty apt sources.list and sources.list.d allows apt to run without throwing errors, as expected. After adding a new repo and running sudo apt-get update everything is fine so it's definitely related to the existing repos from the SD card install. Restoring the copied files mentioned above brings the error straight back.
I've searched quite a bit and found a couple of identical errors but their solutions don't work here e.g.
