Re: apt-get invalid signature again

To: "Andrew M.A. Cater" <amacater@galactic.demon.co.uk>
Cc: debian-user@lists.debian.org, Ross Boylan <RossBoylan@stanfordalumni.org>
Subject: Re: apt-get invalid signature again
From: Ross Boylan <RossBoylan@stanfordalumni.org>
Date: Sat, 28 Jan 2006 18:04:48 -0800
Message-id: <[🔎] 20060129020448.GB3242@wheat.betterworld.us>
Mail-followup-to: "Andrew M.A. Cater" <amacater@galactic.demon.co.uk>, debian-user@lists.debian.org, Ross Boylan <RossBoylan@stanfordalumni.org>
In-reply-to: <[🔎] 20060128234304.GA4226@galactic.demon.co.uk>
References: <[🔎] 20060128181533.GA3242@wheat.betterworld.us> <[🔎] 20060128234304.GA4226@galactic.demon.co.uk>

On Sat, Jan 28, 2006 at 11:43:04PM +0000, Andrew M.A. Cater wrote:
> On Sat, Jan 28, 2006 at 10:15:33AM -0800, Ross Boylan wrote:
> > Starting last night I see
> > W: GPG error: http://localhost sarge/updates Release: The following signatures were invalid: BADSIG F1D53D8C4F368D5D Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>
> > 
> > Anyone know what's up?  I don't see messages about this latest
> > occurrence.
> > 
> > I'm a little frustrated how frequently this seems to happen; all these
> > false positives (I'm assuming that's what the latest is) undercut the
> > value of the security system.
> > 
> 	apt-get install debian-archive-keyring
> 
> 	apt-key update
> 
> and you should be OK. You may also want to look at the Debian Secure-APT
> HOWTO on the Debian wiki at wiki.debian.org
> 
> As somebody said, this is because you haven't got the 2006 key
> installed. This should only happen once a year or so: the fact
> that secure apt was only really introduced in September/October
> means that we've seemingly hit teething problems twice in six months :)

I already have 2005 and 2006 keys installed.  I installed
debian-archive-keyring, but neither the error nor the output of
apt-key list changes.  The relevant entries from the latter are
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024R/1DB114E0 2004-01-15 [expired: 2005-01-27]
uid                  Debian Archive Automatic Signing Key (2004) <ftpmaster@debian.org>

pub   1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
uid                  Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>

pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
uid                  Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>


I had a feeling the secure repository might have separate keys, but I
can't see any sign this is the case on the security wiki or
http://security.debian.org.

I'm not sure if the identifying string in the error messages should
match one of the ones above.  The warning refers to F1D53D8C4F368D5D,
which isn't even the same number of digits as shown above.  Further,
it concerns the 2005 key, which I have and which is valid for a few
more days.

I'm running apt 0.6.43.1 on a mixed testing/unstable system.
I remember I ran into a key that was bad on one of the machines that
responds to debian.org requests; maybe this is similar?  Or perhaps
some glitch introduced by apt-cacher?

Ross

Reply to:

References:
- apt-get invalid signature again
  - From: Ross Boylan <RossBoylan@stanfordalumni.org>
- Re: apt-get invalid signature again
  - From: amacater@galactic.demon.co.uk (Andrew M.A. Cater)

Prev by Date: Re: Sharing a directory
Next by Date: Re: apt-get invalid signature again
Previous by thread: Re: apt-get invalid signature again
Next by thread: Re: apt-get invalid signature again
Index(es):
- Date
- Thread