While testing Nexus 3.84.0-03 Community Edition on our test server, we noticed that our hosted apt repository is no longer working as expected. While we can still upload packages as expected, the download from such a repo fails due to a bad signature:
$ dpkg-deb --build corp-apt-test
dpkg-deb: building package 'corp-apt-test' in 'corp-apt-test.deb'.
$ curl -fsSL -u "$NEXUS_USERNAME:$NEXUS_PASSWORD" -H "Content-Type: multipart/form-data" --data-binary "@./corp-apt-test.deb" "$NEXUS_BASE_URL/repository/integration-test-apt-hosted-jammy/"
$ gpg --dearmor <apt-integration-test.asc | tee /etc/apt/keyrings/integration-test-hosted.gpg > /dev/null
$ echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/integration-test-hosted.gpg] $NEXUS_BASE_URL/repository/integration-test-apt-hosted-jammy jammy main" > /etc/apt/sources.list.d/nexus-hosted.list
$ apt-get update -o APT::Update::Error-Mode=any
Hit:1 http://apt.corp.com/daily/ubuntu jammy InRelease
Hit:2 http://apt.corp.com/daily/ubuntu jammy-updates InRelease
Hit:3 http://apt.corp.com/daily/ubuntu jammy-security InRelease
Ign:4 https://nexus-test.corp.com/repository/integration-test-apt-hosted-jammy jammy InRelease
Hit:5 https://nexus-test.corp.com/repository/integration-test-apt-proxy-adoptium-jammy jammy InRelease
Get:6 https://nexus-test.corp.com/repository/integration-test-apt-hosted-jammy jammy Release [622 B]
Get:7 https://nexus-test.corp.com/repository/integration-test-apt-hosted-jammy jammy Release.gpg [217 B]
Ign:7 https://nexus-test.corp.com/repository/integration-test-apt-hosted-jammy jammy Release.gpg
Reading package lists...
W: GPG error: https://nexus-test.corp.com/repository/integration-test-apt-hosted-jammy jammy Release: The following signatures were invalid: BADSIG 2B2657DE310832FF Nexus Integration Test <infra@corp.com>
E: The repository 'https://nexus-test.corp.com/repository/integration-test-apt-hosted-jammy jammy Release' is not signed.
After this, I reverted the instance back to 3.83.2-01 (also restoring the H2 db in the process), and it worked as expected again:
$ dpkg-deb --build corp-apt-test
dpkg-deb: building package 'corp-apt-test' in 'corp-apt-test.deb'.
$ curl -fsSL -u "$NEXUS_USERNAME:$NEXUS_PASSWORD" -H "Content-Type: multipart/form-data" --data-binary "@./corp-apt-test.deb" "$NEXUS_BASE_URL/repository/integration-test-apt-hosted-jammy/"
$ gpg --dearmor <apt-integration-test.asc | tee /etc/apt/keyrings/integration-test-hosted.gpg > /dev/null
$ echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/integration-test-hosted.gpg] $NEXUS_BASE_URL/repository/integration-test-apt-hosted-jammy jammy main" > /etc/apt/sources.list.d/nexus-hosted.list
$ apt-get update -o APT::Update::Error-Mode=any
Hit:1 http://apt.corp.com/daily/ubuntu jammy InRelease
Hit:2 http://apt.corp.com/daily/ubuntu jammy-updates InRelease
Hit:3 http://apt.corp.com/daily/ubuntu jammy-security InRelease
Get:4 https://nexus-test.corp.com/repository/integration-test-apt-hosted-jammy jammy InRelease [950 B]
Hit:5 https://nexus-test.corp.com/repository/integration-test-apt-proxy-adoptium-jammy jammy InRelease
Get:6 https://nexus-test.corp.com/repository/integration-test-apt-hosted-jammy jammy/main all Packages [30.7 kB]
Fetched 31.6 kB in 1s (23.0 kB/s)
Reading package lists...
W: Invalid 'Date' entry in Release file /var/lib/apt/lists/partial/nexus-test.corp.com_repository_integration-test-apt-hosted-jammy_dists_jammy_InRelease
$ DEBIAN_FRONTEND=noninteractive apt-get install -y corp-apt-test
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
htop libnl-3-200 libnl-genl-3-200
Suggested packages:
lm-sensors lsof strace
The following NEW packages will be installed:
htop corp-apt-test libnl-3-200 libnl-genl-3-200
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 200 kB of archives.
After this operation, 589 kB of additional disk space will be used.
Get:1 http://apt.corp.com/daily/ubuntu jammy/main amd64 libnl-3-200 amd64 3.5.0-0.1 [59.1 kB]
Get:2 http://apt.corp.com/daily/ubuntu jammy/main amd64 libnl-genl-3-200 amd64 3.5.0-0.1 [12.4 kB]
Get:3 http://apt.corp.com/daily/ubuntu jammy/main amd64 htop amd64 3.0.5-7build2 [128 kB]
Get:4 https://nexus-test.corp.com/repository/integration-test-apt-hosted-jammy jammy/main all corp-apt-test all 1.0.917 [542 B]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 200 kB in 0s (2,224 kB/s)
Selecting previously unselected package libnl-3-200:amd64.
(Reading database ... 12843 files and directories currently installed.)
Preparing to unpack .../libnl-3-200_3.5.0-0.1_amd64.deb ...
Unpacking libnl-3-200:amd64 (3.5.0-0.1) ...
Selecting previously unselected package libnl-genl-3-200:amd64.
Preparing to unpack .../libnl-genl-3-200_3.5.0-0.1_amd64.deb ...
Unpacking libnl-genl-3-200:amd64 (3.5.0-0.1) ...
Selecting previously unselected package htop.
Preparing to unpack .../htop_3.0.5-7build2_amd64.deb ...
Unpacking htop (3.0.5-7build2) ...
Selecting previously unselected package corp-apt-test.
Preparing to unpack .../corp-apt-test_1.0.917_all.deb ...
Unpacking corp-apt-test (1.0.917) ...
Setting up libnl-3-200:amd64 (3.5.0-0.1) ...
Setting up libnl-genl-3-200:amd64 (3.5.0-0.1) ...
Setting up htop (3.0.5-7build2) ...
Setting up corp-apt-test (1.0.917) ...
Processing triggers for libc-bin (2.35-0ubuntu3.10) ...
$ grep "Hello" /etc/corp-apt-test
Hello!
After upgrading again, the same error happens. I compared the key in the admin interface with our production instance, and even copied it to our test instance again, but to no avail.
I found the following log line in nexus.log of the test instance, our prod instance does not log this line, so hopefully it’s a good starting point:
2025-09-16 06:13:50,091+0200 WARN [qtp2142209372-373] *UNKNOWN org.sonatype.nexus.repository.view.handlers.ExceptionHandler - Invalid content: GET /dists/jammy/InRelease: org.sonatype.nexus.repository.InvalidContentException: Detected content type [text/plain], but expected [application/pgp-encrypted, application/pgp]: /dists/jammy/Release.gpg
The key can still be accessed via http (https://nexus-test.corp.com/repository/integration-test-apt-hosted-jammy/dists/jammy/Release.gpg and https://nexus.corp.com/repository/integration-test-apt-hosted-jammy/dists/jammy/Release.gpg, respectively), but they both report a Content-Type of text/plain.
Additional environment information, if necessary: Both instances are behind an nginx reverse proxy, and use a forward proxy (with an exception for *.corp.com) for accessing the internet.
Any help would be appreciated.