Signal-desktop: Installation on Linux fails ("Public key signature verification has failed", "... does not have a Release file.")

@dietmar I was just able to do an sudo apt-get update && sudo apt-get upgrade on my Ubuntu 18.04 machine to update to the latest linux version released yesterday. Perhaps it was a momentary blip?

@scottnonnenberg-signal Thanks for your reply. Indeed, on a different machine (running Debian jessie, i.e., oldstable) it works fine.

I assumed that I should see a listing when I browse to https://updates.signal.org/desktop/apt (similar to http://ftp.at.debian.org/debian/ for example) and since that gave a 404, I concluded the repository must be down or something. But the server just doesn't do directory listings, and I can confirm that I can download a Release file from https://updates.signal.org/desktop/apt/dists/xenial/Release

I'll remove the "apt repository down" part from the title of this issue.

However, I still don't know why it doesn't work on the first machine (Debian stretch, i.e., current stable) . apt-get update gives a little more details than apt update:

[...]
Err:11 https://updates.signal.org/desktop/apt xenial/main amd64 Packages
  gnutls_handshake() failed: Public key signature verification has failed.
[...]
Reading package lists... Done
W: The repository 'https://updates.signal.org/desktop/apt xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://updates.signal.org/desktop/apt/dists/xenial/main/binary-amd64/Packages  gnutls_handshake() failed: Public key signature verification has failed.
E: Some index files failed to download. They have been ignored, or old ones used instead.

I can download https://updates.signal.org/desktop/apt/dists/xenial/main/binary-amd64/Packages using wget or a browser, so the file is there, but for some reason the signature verification in apt-get fails.

The first step of the download instructions (adding the apt key) worked fine:

$ curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add -
OK

I also tried the following, but it didn't help:

sudo apt-get clean
sudo mv /var/lib/apt/lists /tmp
sudo mkdir -p /var/lib/apt/lists/partial
sudo apt-get clean
sudo apt-get update

Any pointers would be appreciated.

It does seem like your Debian Stretch machine is caching something somehow. Seems like you have already tried a number of techniques to force things to refresh. Sadly, I've got no other ideas, aside from completely undoing all of our install steps and trying again.

I tried the installation inside a fresh docker container running Debian stretch: It worked fine.

Apparently I have something weird going on on my machine. I'll close the issue now. I'll come back if I ever figure out what's going on.

I figured out the problem and was able to install signal-desktop successfully. It turned out that my system was in a weird state after upgrading from Debian jessie to stretch. So nothing was or is wrong with signal-desktop and I'm sorry for the noise.

In case someone runs into a similar problem, here's what had happened and how I fixed it:

Similar to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834724#15 I had an old package libgnutls-deb0-28 installed, which seemed to cause the above error. However, when I tried to remove it, it would have also removed half of all my packages, many of which seemed totally unrelated (similar to what was reported here: https://superuser.com/questions/1334780/git-clone-and-apt-error-gnutls-handshake-failed).

According to https://packages.debian.org/search?searchon=names&keywords=libgnutls-deb0-28 that package shouldn't even exist in stretch, but it turned out that I had librtmp1 version 2.4~20160119.gitfa8646dae-dmo3~bpo8+2 installed, which depended on libgnutls-deb0-28. That particular version of librtmp1 was left over from deb-multimedia (http://www.deb-multimedia.org/dists/oldstable-backports/main/binary-mips/package/librtmp1.php) which I had used while still on jessie. Because that version of librtmp1 was newer than the one in the official Debian repos for stretch, (version 2.4+20151223.gitfa8646d.1-1 according to https://packages.debian.org/stretch/librtmp1), it wasn't upgraded with apt-get upgrade or apt-get dist-upgrade.

So the solution was to downgrade librtmp1 to the version number from the official Debian repos:

apt-get install librtmp1=2.4+20151223.gitfa8646d.1-1+b1

After that I could remove libgnutls-deb0-28 without too many things removed together with it, like this:

apt-get remove libgnutls-deb0-28

With libgnutls-deb0-28 gone, the installation instructions for signal-desktop went through without problems.

what the hell... thanks a lot for your solution, got the same problem

I had to use a different version number. To anyone else with the same problem, pick your distro codename on this page then a version number:

https://packages.debian.org/buster/librtmp1

bhhiiui