
Re: signature invalid: BADSIG 010908312D230C5F Debian Archive Automatic Signing Key (2006)



On Thu, Dec 07, 2006 at 08:10:45 +0900, Miles Bader wrote:
> Florian Kulzer writes:
> >    More likely, however, there is just a synchronization problem with
> >    the MIT mirror. You can get the "bad signature" error if you update
> >    while the mirror is in the middle of its synchronization procedure. If
> >    you get this message all the time then you should send an email to
> >    the maintainer of the MIT mirror to make him/her aware of the
> >    problem. 
> 
> I seem to see these messages quite regularly, no matter which mirror I
> use.  Typically switching to a different mirror fixes things.
> 
> Unfortunately the presence of several different but sort-of-similar
> errors, like the keyring stuff, is kind of confusing, I'm never quite
> sure _where_ the problem is really coming from.  [But it's been
> happening regularly for at least like 6 months or so.]

The relevant files are downloaded to this location:

$ ls /var/lib/apt/lists/*_Release*
/var/lib/apt/lists/ftp.nl.debian.org_debian_dists_testing_Release
/var/lib/apt/lists/ftp.nl.debian.org_debian_dists_testing_Release.gpg

[ snip: more of the same for the other entries in my sources.list ]

There should be one signature file "*_Release.gpg" for every "*_Release"
file. The Release file has hashes which can be used to check the content
of the packages and the .gpg file has the signature(s) which can be used
to verify the content of the Release file. (You can have a look at these
files with "less", they are plain ASCII texts.)

If the mirror does not have a .gpg file for a Release file you will get
a "missing signature" error message.

If you catch the mirror at the wrong moment it might just have
synchronized to the new Release file but still have the old .gpg file
(or the other way round). In that case the signature can obviously not
match the Release file and you will get the "invalid signature" error.
However, this should be very rare if the mirror is working correctly.
One explanation for your problem might be that you are going through a
proxy which is not kept up-to-date properly. You could post which
mirrors you use, then others can tell you if they have the same issues.

Finally, if you get an "invalid signature" error you can check the
problematic Release file yourself. For the above example this would look
like this:

$ cd /var/lib/apt/lists/
$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --verify ftp.nl.debian.org_debian_dists_testing_Release{.gpg,}
gpg: Signature made Wed 06 Dec 2006 09:08:42 CET using DSA key ID 2D230C5F
gpg: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@xxxxxx.xxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0847 50FC 01A6 D388 A643  D869 0109 0831 2D23 0C5F
gpg: Signature made Wed 06 Dec 2006 09:08:42 CET using DSA key ID 6070D3A1
gpg: Good signature from "Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@xxxxxx.xxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A999 51DA F9BB 569B DB50  AD90 A70D AF53 6070 D3A1

(I obfuscated the email addresses in the gpg output. The curly braces at
 the end of the gpg line are just a trick to avoid typing the
 "*_Release" part twice.)

-- 
Regards,
          Florian
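An added example (not part of Florian's mail) showing the two halves of the check described above: parsing the hash sections of a Release file to verify an index file, and reproducing the "missing" versus "invalid" signature outcomes by running gpg on the detached Release.gpg. The Release text and index content are constructed; the function names and the "missing"/"invalid"/"good" labels are this example's own.

```python
import hashlib
import os
import subprocess

# Constructed sample index file and the hash sections of a Release file that
# vouches for it (not values from any real mirror).
PACKAGES_INDEX = b"Package: example\nVersion: 1.0\nArchitecture: i386\n"
RELEASE_TEXT = (
    "Origin: Debian\nSuite: testing\n"
    "MD5Sum:\n"
    f" {hashlib.md5(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX)} main/binary-i386/Packages\n"
    "SHA1:\n"
    f" {hashlib.sha1(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX)} main/binary-i386/Packages\n"
)
SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release_hashes(text):
    """Map {algo: {path: (hexdigest, size)}} from a Release file's hash sections."""
    result, current = {}, None
    for line in text.splitlines():
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = SECTIONS[line[:-1]]          # start of a hash section
            result.setdefault(current, {})
        elif line.startswith(" ") and current:
            digest, size, path = line.split()      # " <hash> <size> <path>"
            result[current][path] = (digest, int(size))
        else:
            current = None                         # any other header ends the section
    return result

def check_index(release_hashes, path, data):
    """True only if the index is listed and matches every hash Release gives for it."""
    listed = False
    for algo, entries in release_hashes.items():
        if path in entries:
            listed = True
            digest, size = entries[path]
            if len(data) != size or hashlib.new(algo, data).hexdigest() != digest:
                return False
    return listed

def verify_release(release_path, keyring="/usr/share/keyrings/debian-archive-keyring.gpg"):
    """Mirror the mail's two failure modes: 'missing' if Release.gpg is absent,
    'invalid' if gpg rejects the detached signature, otherwise 'good'. Needs gpg."""
    sig = release_path + ".gpg"
    if not os.path.exists(sig):
        return "missing"
    cmd = ["gpg", "--no-default-keyring", "--keyring", keyring, "--verify", sig, release_path]
    return "good" if subprocess.run(cmd, capture_output=True).returncode == 0 else "invalid"
```

Point verify_release at one of the /var/lib/apt/lists/*_Release files to get the same verdict apt reports, and check_index at the corresponding Packages file to confirm the mirror's index matches what the signed Release file lists.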