
Re: signature invalid: BADSIG 010908312D230C5F Debian Archive Automatic Signing Key (2006)

On Tue, Dec 05, 2006 at 20:42:21 -0500, Rick Thomas wrote:
> On Dec 2, 2006, at 6:12 PM, Rick Thomas wrote:
> >Does anybody know why I'm getting this message when I do "aptitude  
> >update"
> >
> >>W: GPG error: http://mirrors.usc.edu etch Release: The following  
> >>signatures were invalid: BADSIG 010908312D230C5F Debian Archive  
> >>Automatic Signing Key (2006) <ftpmaster@debian.xxx>
> >
> >A couple of days ago, I was getting the same message, but from  
> >debian.lcs.mit.edu, instead of mirrors.usc.edu.  Both sites are in  
> >my sources.list file.
> Mathieu Malaterre wrote:
> >Have you tried installing:
> >
> >http://packages.debian.org/unstable/misc/debian-archive-keyring
> The error message has moved back to debian.lcs.mit.edu.  It's gone  
> from mirrors.usc.edu for the time being.  By removing the mit site  
> from my sources.list file I was able to do "aptitude update &&  
> aptitude dist-upgrade" which updated the debian-archive-keyring  
> package to the November 22, 2006 version.  But when I put the mit  
> site back in, the error was still there.
> Anybody got any ideas?

There seems to be some confusion between two different issues:

1) There is a new archive signing key for Etch. The Release files are
   currently signed with both the new and the old key. Apt is satisfied
   with the old signature, but it will alert you to the fact that there
   is an additional signature with a key that apt does not know. The
   error message is something like "unknown key" or "unknown signature"
   (I don't remember the exact wording right now). As others have
   already pointed out, installing the debian-archive-keyring will take
   care of this automatically, for now and for all new keys in the

2) The "invalid signature" error of gpg is something completely
   different. Apt knows the used keys but the Release files have
   incorrect signatures. In the worst-case scenario this means that
   someone has taken over the MIT site and tries to achieve world
   domination by putting doctored packages on people's computers. (The
   whole point of the archive signing is to protect you against this.
   If I manage to slip a manipulated package into your installation
   process then I can do more or less whatever I want on your machine
   since the installation scripts from this package will run with root

   More likely, however, there is just a synchronization problem with
   the MIT mirror. You can get the "bad signature" error if you update
   while the mirror is in the middle of its synchronization procedure. If
   you get this message all the time then you should send an email to
   the maintainer of the MIT mirror to make him/her aware of the

