The "Clearsigned file isn't valid, got 'NOSPLIT'" error occurs when APT cannot validate the GPG signature on repository metadata (InRelease files). This is typically caused by incomplete downloads, network proxies modifying content, corrupted cache files, or authentication issues. Clearing the APT cache, switching mirrors, or checking network configuration usually resolves it.
This error indicates that APT's GPG signature verification failed when processing repository metadata. The "NOSPLIT" message specifically refers to how the clearsigned file is structured—APT expects the signature to be properly separated from the message content, but instead found an invalid or malformed format. The error message also hints at a possible authentication issue, suggesting that a network proxy or firewall might be intercepting and modifying the repository traffic before it reaches your system. This is common in corporate networks or behind HTTP proxies that require authentication.
The simplest first step is to remove all cached repository metadata and redownload it fresh:
sudo rm -rf /var/lib/apt/lists/*
sudo apt updateThis removes all locally cached copies of repository file lists. When you run apt update, APT will redownload the metadata from scratch, which often resolves signature validation issues caused by corrupted cache files.
Verify that your network connection is stable and check if you're behind a proxy that might be modifying traffic:
# Check basic connectivity
ping -c 1 archive.ubuntu.com
# Check current proxy settings (if any)
echo $http_proxy
echo $https_proxyIf you see proxy settings configured, verify they are correct. If behind a corporate proxy that requires authentication, you may need to configure APT to use authenticated proxy settings. Edit or create /etc/apt/apt.conf.d/proxy.conf:
Acquire::http::Proxy "http://username:[email protected]:8080/";
Acquire::https::Proxy "https://username:[email protected]:8080/";Replace username, password, proxy address, and port with your actual values.
The issue might be specific to your current mirror. Try switching to an alternative mirror:
# Backup your current sources
sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup
# Edit sources.list to use a different mirror
sudo nano /etc/apt/sources.listChange your current mirror URL (like archive.ubuntu.com or deb.debian.org) to a different one:
- Ubuntu: Try mirror.example.com or regional mirrors
- Debian: Try httpredir.debian.org or regional mirrors
After changing mirrors, clear cache and update:
sudo rm -rf /var/lib/apt/lists/*
sudo apt updateGPG signature validation depends on accurate time. If your system clock is significantly off, signature verification can fail:
# Check current time
date
# Sync time with NTP servers
sudo ntpdate -s time.nist.gov
# Or use timedatectl on modern systems:
sudo timedatectl set-ntp trueAn incorrect system clock can cause GPG signature verification to fail because signatures have time-validity windows. Ensure your time is synchronized with NTP servers.
Occasionally, the repository GPG keys themselves need updating. Update the keyring package:
# For Ubuntu/Debian
sudo apt install --reinstall ubuntu-keyring
# or
sudo apt install --reinstall debian-archive-keyring
# Update the local GPG keyring
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys YOUR_KEY_IDHowever, note that apt-key is deprecated in newer Debian/Ubuntu versions. For modern systems, verify keys are properly configured in /etc/apt/trusted.gpg.d/ or use the signed-by option in your sources.list entries.
The mirror itself might be temporarily corrupt or undergoing maintenance. Test connectivity and mirror health:
# Test connectivity to the mirror
curl -v https://archive.ubuntu.com/ubuntu/dists/jammy/InRelease 2>&1 | head -20
# Check if you're being redirected through a proxy
curl -I https://archive.ubuntu.com/ubuntu/If the mirror appears to be down or returning errors, wait a few minutes and retry. You can also switch to a different mirror temporarily while the main mirror recovers.
In some environments with problematic proxies, the HTTPS connection itself is being intercepted. For testing purposes, try switching to HTTP to isolate the issue:
# Edit sources.list
sudo nano /etc/apt/sources.list
# Change https:// to http:// for one line to test
# Example:
# deb http://archive.ubuntu.com/ubuntu jammy main
sudo apt updateNote: HTTP is less secure. If this resolves the issue, it confirms your problem is HTTPS-related, likely from a proxy. Switch to HTTP only as a permanent solution if absolutely necessary, or configure your proxy correctly. Then switch back to HTTPS once the proxy is properly configured.
Sometimes the error originates from a third-party PPA rather than official repositories. Identify and disable problematic sources:
# List all repository sources
cat /etc/apt/sources.list
ls -la /etc/apt/sources.list.d/
# Temporarily disable third-party PPAs to test
sudo mv /etc/apt/sources.list.d/ppa-name.list /etc/apt/sources.list.d/ppa-name.list.bak
# Clear cache and update
sudo rm -rf /var/lib/apt/lists/*
sudo apt updateIf update works after disabling a PPA, that PPA is the source of the issue. You can either remove it permanently or fix its configuration.
As a last resort, restore a clean APT configuration and perform a full cleanup:
# Restore sources.list from backup if available
sudo cp /etc/apt/sources.list.backup /etc/apt/sources.list
# Remove all cached data
sudo rm -rf /var/lib/apt/lists/*
sudo apt clean
sudo apt autoclean
# Clear the package cache
sudo rm -f /var/lib/apt/lists/partial/*
# Rebuild the cache from scratch
sudo apt updateThis removes all potentially corrupted files and rebuilds the package database from scratch. This approach resolves nearly all clearsigned validation issues.
NOSPLIT vs SPLIT Message Format: The NOSPLIT message format in clearsigned files refers to how the signature is embedded. APT expects a specific structure where the message body and cryptographic signature are properly delimited with GPG clearsign headers. If a proxy or intermediary removes or alters these headers, APT cannot parse the file correctly, resulting in this error.
Proxy and MITM Attacks: Corporate proxies, ISPs, and firewalls sometimes perform deep packet inspection on HTTPS traffic. If the proxy doesn't properly handle or re-sign the clearsigned content, the signature becomes invalid. Some proxies also perform transparent compression or modification of traffic, which breaks GPG signatures. The error message's hint about "network requiring authentication" suggests checking proxy settings first.
InRelease vs Release Files: Modern APT prefers InRelease files (combined message + signature in one file) over the older Release + Release.gpg pair. Some mirrors may still provide only the older format. If you're having persistent issues with InRelease, you can temporarily configure APT to use the Release/Release.gpg pair instead by modifying your sources.list.
Time Synchronization Critical: GPG signatures have validity windows based on system time. GPG will reject signatures made in the future (relative to your system clock) or outside the key's validity period. Use timedatectl show to check NTP status and ensure your system time is accurate to within a few seconds.
Debugging with apt-get: Use verbose output to get more detailed error information:
sudo apt update -o Debug::Acquire::gpg=1 2>&1 | grep -i errorThis shows which specific file failed verification and may reveal whether it's InRelease, Release.gpg, or another metadata file causing the issue.
dpkg: serious warning: files list file for package 'package-name' contains empty filename
How to fix "files list file contains empty filename" in APT
E: Sub-process /usr/bin/dpkg returned an error code (2)
How to fix "Sub-process /usr/bin/dpkg returned an error code (2)" in APT
dpkg-divert: error: rename involves overwriting 'path' with different file
How to fix dpkg-divert rename conflicts in APT
E: Sub-process /usr/bin/dpkg returned an error code (1) during kernel installation
How to fix "dpkg returned an error code (1)" in APT kernel installation
dpkg: dependency problems prevent configuration of triggers
dpkg: dependency problems prevent configuration of triggers in apt