Re: aptitude update "BADSIG" Error (getting silly now)

Florian Kulzer wrote:

> On Mon, Mar 24, 2008 at 04:29:47 +0000, Nick Boyce wrote:
>> Just wondering whether anyone here understands the cause of the "BADSIG"
>> error from "aptitude update"
> The usual suggested causes involve Debian mirrors in an inconsistent
> state while updating, broken packages, or corruptions in the package
> lists as a result of broken network connections.
>
> Those are all the innocent explanations I can think of. More paranoid
> explanations would go along the lines of someone trying to slip you
> doctored packages via a man-in-the-middle attack. However, in your case
> I think your proxy is the most likely culprit (see below).

Thanks very much for your very comprehensive answer - I understand it would be most unlikely for there to be a genuine signing problem on security.d.o, and I guess if an "inconsistent mirror" problem caused the same trouble for everybody then it would be addressed.

I'm inclined to agree with you about our proxy having a caching problem, and I like your suggestion of using 'wget' to flush the proxy's cache before the 'aptitude update'. It seems odd, however, that such a problem could exist (big company, commercial web proxy) and be solvable by just repeating the download.

I will try the investigations you suggest:

> You can put the IP addresses into your sources.list instead and check if
> the error is tied to one particular server:
>
> The next time when the problem appears, make a backup copy of
> and check if the file has changed after you rerun "apt-get update"

But I'm away from the office at the moment, and this won't be for a couple of weeks.

> Maybe the caching behavior of your proxy for these files
> can be reconfigured.

The proxy itself is administered by a far-off group within our company and it would be difficult for me to get any investigation done for this particular problem - if there are no apparent caching problems for other usages then Debian would probably be blamed :(

If I can assemble more evidence I'll try to contact them though.

> Does your nightly cronjob hit the server always at
> exactly the same time?

Yes - 03:10 (GMT) as I recall.

>> Anyway, what exactly seems to have been badly signed ?  The error
>> message doesn't really make sense :
>>> GPG error: http://security.debian.org etch/updates Release:
>>> The following signatures were invalid:
>>> BADSIG A70DAF536070D3A1 Debian Archive Automatic
>>> Signing Key (4.0/etch)
> The message means that a bad signature was detected, which was
> (supposedly) made with the key number A70DAF536070D3A1.

FWIW, I still think the message could be clearer about the name of the file whose signature failed to verify - thankfully you were able to tell me.

Thanks again.

Nick Boyce

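The investigation the thread outlines (back up the Release file, refetch, see whether it changed; flush the proxy with wget; then judge whether the BADSIG is a caching artefact or something to worry about) can be scripted. The following is an added example and is not code from the thread or from Debian: it fetches a suite's Release and Release.gpg twice, once as apt would (cacheable, via whatever proxy the environment configures) and once with wget's --no-cache header so the proxy must go upstream, reports which of the two files the proxy served a different copy of, and then verifies the detached signature with gpgv. The suite URL, output directory and keyring path are assumptions for illustration; the checksum helpers work on any directory, so they can equally be pointed at /var/lib/apt/lists before and after an "apt-get update".

```shell
#!/usr/bin/env bash
# Added example (not from the thread): separate "proxy served a stale
# Release/Release.gpg pair" from "signature genuinely does not verify".
set -u

# Write one "hash  name" line per regular file in DIR (sha256sum format).
snapshot_dir() {
    local dir=$1 f
    ( cd "$dir" || exit 1
      for f in *; do
          if [ -f "$f" ]; then sha256sum -- "$f"; fi
      done )
}

# Print the names of files whose hash in AFTER differs from (or is missing
# in) BEFORE. Both arguments are files produced by snapshot_dir.
changed_files() {
    awk 'NR==FNR { old[$2] = $1; next }
         old[$2] != $1 { print $2 }' "$1" "$2"
}

# Fetch Release and Release.gpg for one suite into OUTDIR/cached (plain GET,
# so a caching proxy may answer from its cache) and OUTDIR/fresh (wget
# --no-cache sends Pragma/Cache-Control: no-cache, asking the proxy to
# revalidate upstream). Report any file the two copies disagree on, then
# verify the fresh pair with gpgv. KEYRING defaults to an assumed path;
# point it at the keyring your apt trusts.
fetch_and_verify() {
    local base=$1 outdir=$2
    local keyring=${3:-/usr/share/keyrings/debian-archive-keyring.gpg}
    local differing
    mkdir -p "$outdir/cached" "$outdir/fresh"
    wget -q            -O "$outdir/cached/Release"     "$base/Release"
    wget -q            -O "$outdir/cached/Release.gpg" "$base/Release.gpg"
    wget -q --no-cache -O "$outdir/fresh/Release"      "$base/Release"
    wget -q --no-cache -O "$outdir/fresh/Release.gpg"  "$base/Release.gpg"
    snapshot_dir "$outdir/cached" > "$outdir/cached.sum"
    snapshot_dir "$outdir/fresh"  > "$outdir/fresh.sum"
    differing=$(changed_files "$outdir/cached.sum" "$outdir/fresh.sum")
    if [ -n "$differing" ]; then
        echo "proxy cache differs from upstream for: $differing"
        echo "(a Release/Release.gpg pair from two mirror states gives BADSIG)"
    else
        echo "proxy cache matches upstream; a BADSIG below is not a caching artefact"
    fi
    # gpgv takes the detached signature first, then the signed data.
    gpgv --keyring "$keyring" "$outdir/fresh/Release.gpg" "$outdir/fresh/Release"
}

# Network use is opt-in so the helpers can be sourced and tested offline.
# Suite URL and output directory are assumptions for illustration.
if [ "${BADSIG_CHECK_RUN:-0}" = 1 ]; then
    fetch_and_verify "http://security.debian.org/dists/etch/updates" /tmp/badsig-check
fi
```

Run it with BADSIG_CHECK_RUN=1 from the same network position as the nightly cronjob. If the cached and fresh copies differ and the fresh pair verifies, the proxy is the culprit, which is what the wget-before-update workaround relies on; if both copies agree and gpgv still reports a bad signature, repeating the download will not help and the mirror (or the path to it) deserves a closer look, for instance by pinning the IP address in sources.list as suggested above.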