After digging a little, there are a few possible causes. Depending on where you are located and/or where this server is running, the possibilities range from misconfiguration of the Debian mirror that your server is connecting to; a misconfigured (local) proxy mangling your traffic; a malicious attack (DNS poisoning); your ISP snooping on you (and mangling your traffic) or perhaps even a repressive regime interfering with the network traffic!

TBH, I'd expect that it's simply a flaky, misconfigured mirror, but the fact that it's not just the normal Debian repo, but also the security repo does raise my suspicions... Regardless of my suspicions, let's run with Hanlon's razor for now.

Actually, I just did a IP lookup of the 2 IPs that I can see in your screenshot (151.101.250.132 & 199.232.120.132) and they both belong to Fastly - which is who provides Debian CDN. They are also in the US (which doesn't really count as a "repressive regime by my books! - although perhaps you are using a VPN?!). It doesn't totally rule out a malicious actor, but it seems clear that it's not targeted, nor is it anything from your local network. And most likely it's just a buggy config or some corruption on the server side (or perhaps on yours?).

For what it's worth, I just tried hardcoding those IP addresses into my hosts file and tried updating. It worked fine for me. So I suspect that it was broken, but it's since been fixed.

Regardless, I suggest clearing your apt cache, rebooting your server and trying again. I.e.:

apt clean
reboot

Then retry the 'apt update'. If it still fails, double check the IP addresses from your previous screenshot against the new run. If they're the same (they shouldn't be) then we could try hardcoding IP addresses (to known good ones) in your /etc/hosts file.

Please let me know how you go. If it's still an issue, please post back.

I can 100% confirm that the InRelease files from 151.101.250.132 are definitely signed. If the copies you're getting aren't, then they're being tampered with! Simple as that...

To be clean, that doesn't necessarily mean someone/something malicious, but the files you are getting are not the ones from the Debian server.

One thing that might work around that is using https instead of http. I.e. change the deb.debian.org URLs in /etc/apt/sources.list.d/sources.list & /etc/apt/sources.list.d/security.sources.list. Be careful not to do that fro the TurnKey repos (archive.turnkeylinux.org) as they don't have proper https certs so they will fail. The lack of https availability for the TurnKey repo shouldn't be an issue though, as they don't appear to be raising any issues.

Here's a command to do the URL update for you:

sed -i "\|debian.org| s|http:|https:|" /etc/apt/sources.list.d/*.list

If it still doesn't work, then you will need to do some sleuthing and/or complaining. If you are behind a proxy (somewhat common in corporate settings) then you'll need to tweak the config (or get in touch with someone who can). If you aren't behind a proxy, then I suggest getting in touch with your ISP and get them to stop doing whatever it is they're doing. A third option (which may or may not work if you're behind a local proxy) is to use a VPN (i.e. configure your TurnKey server to use incoming internet via a VPN). If your server is available publicly, then Setting that up so it works properly may be tricky. I've never done it before myself, so unfortunately I can't offer any advice...

If you manage to work it out, please let us know.