(In the example below I play around with my own OBS project, but the problem also occurs with Winterfell or any other project.)
The output of apt update itself is not really specific:
Ign:4 http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ InRelease
(...)
Get:6 http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release [1058 B]
Get:7 http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release.gpg [481 B]
Err:7 http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release.gpg
  The following signatures were invalid: 79D86A05FDE6C9FB4E43A6C5830C2BCF446D5A45
(...)
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release: The following signatures were invalid: 79D86A05FDE6C9FB4E43A6C5830C2BCF446D5A45
W: Failed to fetch http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0/./Release.gpg The following signatures were invalid: 79D86A05FDE6C9FB4E43A6C5830C2BCF446D5A45
W: Some index files failed to download. They have been ignored, or old ones used instead.
However, I'm reasonably certain that this error occurs because APT refuses to accept SHA1 signatures for repositories. See https://wiki.debian.org/Teams/Apt/Sha1Removal and the following output:
$ wget http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0/Release.gpg
--2018-04-02 13:05:16-- http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0/Release.gpg
Resolving obs.kolabsys.com (obs.kolabsys.com)... 95.128.36.7
Connecting to obs.kolabsys.com (obs.kolabsys.com)|95.128.36.7|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 481 [application/pgp-encrypted]
Saving to: ‘Release.gpg’
Release.gpg 100%[===================>] 481 --.-KB/s in 0s
2018-04-02 13:05:16 (24.6 MB/s) - ‘Release.gpg’ saved [481/481]
$ pgpdump Release.gpg
Old: Signature Packet(tag 2)(277 bytes)
    Ver 3 - old
    Hash material(5 bytes):
        Sig type - Signature of a binary document(0x00).
        Creation time - Mon Apr 2 12:09:12 CEST 2018
    Key ID - 0x830C2BCF446D5A45
    Pub alg - RSA Encrypt or Sign(pub 1)
    Hash alg - SHA1(hash 2)
    Hash left 2 bytes - 02 d5
    RSA m^d mod n(2047 bits) - ...
        -> PKCS-1
So I guess the OBS repositories should be signed with SHA256 (or better) instead of SHA1.
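The pgpdump check above can be scripted to audit a repository's Release.gpg; the following Python is an added example, not part of the original report or of OBS or APT. The function names, the WEAK set and the sample packet (built from the pgpdump fields above, with filler for the timestamp and signature bytes) are assumptions made for illustration.

```python
import base64
import struct

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: digests to flag as too weak

def dearmor(text):
    """Decode the base64 body of an ASCII-armored OpenPGP block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]                  # skip armor headers
    body = [l for l in body if l and l[0] not in "=-"]  # drop CRC and END line
    return base64.b64decode("".join(body))

def signature_hash(data):
    """Return (hash name, is_weak) for the first signature packet in data."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        data = dearmor(data.decode("ascii"))
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                             # new-format header
        tag, l0 = first & 0x3F, data[1]
        if 224 <= l0 < 255:
            raise ValueError("partial body lengths not supported")
        hdr = 2 if l0 < 192 else 3 if l0 < 224 else 6
    else:                                        # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        hdr = 1 + (1, 2, 4, 0)[ltype]
    if tag != 2:
        raise ValueError("first packet is not a signature (tag %d)" % tag)
    body = data[hdr:]
    if body[0] == 3:    # v3: ver, 5, sigtype, ctime(4), keyid(8), pubalg, hashalg
        algo = body[16]
    elif body[0] == 4:  # v4: ver, sigtype, pubalg, hashalg
        algo = body[3]
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    name = HASHES.get(algo, "unknown(%d)" % algo)
    return name, name in WEAK

# Constructed sample mirroring the pgpdump fields above; timestamp and
# signature bytes are filler, so it parses but does not verify.
_body = (bytes([3, 5, 0]) + bytes(4) + bytes.fromhex("830C2BCF446D5A45")
         + bytes([1, 2]) + b"\x02\xd5" + struct.pack(">H", 2047)
         + b"\x40" + bytes(255))
SAMPLE_V3_SHA1 = b"\x89" + struct.pack(">H", len(_body)) + _body
print(signature_hash(SAMPLE_V3_SHA1))
```

To check a downloaded file, pass its contents: `signature_hash(open("Release.gpg", "rb").read())`.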