Error when updating apt packages: “The following signatures were invalid: BADSIG …”

Problem

When executing apt update, the following error message is returned:
The following signatures were invalid: BADSIG <1234567890>

Solution

If you get this BADSIG error when executing apt update, the (quickest) solution is to purge and recreate your package lists in /var/lib/apt/lists/ as follows:

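# Open a root shell
sudo -i
# Clear the local package cache
apt-get clean
# Move the existing package lists aside and create an empty lists directory
cd /var/lib/apt
mv lists lists.old
mkdir -p lists/partial
# Fetch fresh package lists
apt-get clean
apt-get update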

You should be able to update successfully now. The BADSIG error can occur when a repo’s signing key is changed and conflicts with the one you have cached, or your package lists have become corrupted, among other reasons; in short, the key that’s cached in your lists doesn’t match the release info for one reason or another.

If you’re using a caching proxy on your network like apt-cacher-ng/Squid to cache packages, and the BADSIG issue persists after the above process, a workaround is to adjust your proxy server configuration to avoid caching InRelease files (which contain the signature among the other release data) and allow clients to fetch them directly. For apt-cacher-ng, edit /etc/apt-cacher-ng/acng.conf on the ACNG server and add the following line:

#Don't cache InRelease files
DontCacheResolved: .*InRelease

Now restart the ACNG service:

sudo systemctl restart apt-cacher-ng.service

Then try updating the client again.

Note: Many solutions found by a quick web search of the error message will say instead to add the public key in the output to your keyring via apt-key. Do not do this without first verifying the key in question, or you may open yourself up to a man-in-the-middle (MITM) attack. It also likely won’t solve the issue anyway: our error here is a BADSIG, not a NO_PUBKEY. If you’re getting a NO_PUBKEY error, then go ahead and add the key, but again, do verify it before blindly adding anything to your keyring.
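
One way to script the key verification the note asks for, as an added example that is not part of the original article: it compares the full fingerprint of a downloaded key file with one obtained out-of-band and refuses short key IDs and files that bundle more than one key. The function names, SAMPLE_LISTING and its fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a repo key's full fingerprint before trusting it.
# Function names and SAMPLE_LISTING are constructed for illustration.

# Strip spaces/colons and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# verify_key_listing EXPECTED_FPR  < output of `gpg --with-colons`
# Returns 0 only if the listing holds exactly one primary key whose full
# fingerprint equals EXPECTED_FPR. 2 = short ID given, 3 = not exactly one key.
verify_key_listing() {
    expected=$(normalize_fpr "$1")
    listing=$(cat)
    # A key ID (as shown in apt's error message) is too short to trust.
    [ "${#expected}" -ge 40 ] || { echo "need a full fingerprint" >&2; return 2; }
    # A key file may bundle several keys; refuse rather than check only one.
    npub=$(printf '%s\n' "$listing" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    [ "$npub" -eq 1 ] || { echo "$npub primary keys in file" >&2; return 3; }
    # The primary fingerprint is field 10 of the first fpr record after pub.
    actual=$(printf '%s\n' "$listing" |
        awk -F: '$1 == "pub" { p = 1; next } $1 == "fpr" && p { print $10; exit }')
    [ "$actual" = "$expected" ]
}

# Real use: inspect the key file without importing it (requires gpg).
verify_key_file() {
    gpg --show-keys --with-colons "$1" | verify_key_listing "$2"
}

# Constructed sample of colon-format output: one primary key, one subkey.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEFAAAABBBB:1600000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAABBBB:
uid:-::::1600000000::::Example Archive Key <archive@example.invalid>:
sub:-:4096:1:76543210FEDCBA98:1600000000::::::s:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Usage: sh verify-key.sh KEYFILE "EXPECTED FINGERPRINT"
if [ "$#" -eq 2 ]; then
    verify_key_file "$1" "$2" && echo "fingerprint matches" || {
        echo "DO NOT add this key" >&2; exit 1; }
fi
```

The expected fingerprint must come from a channel independent of the download itself, otherwise the comparison proves nothing.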