
Re: aptitude update "BADSIG" Error (getting silly now)



Florian Kulzer wrote:

> On Mon, Mar 24, 2008 at 04:29:47 +0000, Nick Boyce wrote:
>> Just wondering whether anyone here understands the cause of the "BADSIG"
>> error from "aptitude update"
>> [...]
>> The usual suggested causes involve Debian mirrors in an inconsistent
>> state while updating, broken packages, or corruptions in the package
>> lists as a result of broken network connections.
>
> Those are all the innocent explanations I can think of. More paranoid
> explanations would go along the lines of someone trying to slip you
> doctored packages via a man-in-the-middle attack. However, in your case
> I think your proxy is the most likely culprit (see below).

Thanks very much for your very comprehensive answer - I understand it would be most unlikely for there to be a genuine signing problem on security.d.o, and I guess if an "inconsistent mirror" problem caused the same trouble for everybody then it would be addressed.

I'm inclined to agree with you about our proxy having a caching problem, and I like your suggestion of using 'wget' to flush the proxy's cache before the 'aptitude update'. It seems odd however, that such a problem could exist (big company, commercial web proxy), and be solvable by just repeating the download.

I will try the investigations you suggest :

> You can put the IP addresses into your sources.list instead and check if
> the error is tied to one particular server:

> The next time when the problem appears, make a backup copy of
> /var/lib/apt/lists/security.debian.org_dists_etch_updates_Release.gpg
> and check if the file has changed after you rerun "apt-get update"

But I'm away from the office at the moment, and this won't be for a couple of weeks.

> Maybe the caching behavior of your proxy for these files
> can be reconfigured.

The proxy itself is administered by a far-off group within our company and it would be difficult for me to get any investigation done for this particular problem - if there are no apparent caching problems for other usages then Debian would probably be blamed :(

If I can assemble more evidence I'll try to contact them though.

> Does your nightly cronjob hit the server always at
> exactly the same time?

Yes - 03:10 (GMT) as I recall.

>> Anyway, what exactly seems to have been badly signed ?  The error
>> message doesn't really make sense :
>>
>>> GPG error: http://security.debian.org etch/updates Release:
>>> The following signatures were invalid:
>>> BADSIG A70DAF536070D3A1 Debian Archive Automatic
>>> Signing Key (4.0/etch)
>>
> The message means that a bad signature was detected, which was
> (supposedly) made with the key number A70DAF536070D3A1.

FWIW, I still think the message could be clearer about the name of the file whose signature failed to verify - thankfully you were able to tell me.

Thanks again.

Nick Boyce
--
Microsoft suggests that users "do not open or save Word files"
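An added example, not code from this thread, from Debian or from either poster, that scripts the diagnosis Florian suggests above: take a backup of the cached Release/Release.gpg files for one archive host before rerunning "apt-get update", compare them afterwards so a proxy serving a stale or mismatched pair shows up as a changed file, and re-check the detached signature with gpgv. The lists directory (/var/lib/apt/lists), the host prefix (security.debian.org_), the keyring path /etc/apt/trusted.gpg and the use of wget --no-cache as the "flush the proxy" step are all assumptions of this script, not details from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Snapshot and compare the cached
# Release / Release.gpg files apt keeps for one archive host, so that a
# proxy handing back a stale Release next to a fresh Release.gpg (or vice
# versa) is visible as a byte-level change between two "apt-get update" runs.
# Assumed: LISTS is apt's list cache, PREFIX is the escaped host name that
# starts the cached file names, sha256sum is available.

# list_release_files LISTS PREFIX: paths of the cached Release-type files for
# one host, e.g. LISTS/security.debian.org_dists_etch_updates_Release.gpg
# ("*Release" also matches InRelease, hence the sort -u).
list_release_files() {
    for f in "$1"/"$2"*Release "$1"/"$2"*Release.gpg; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done | sort -u
}

# hash_release_files LISTS PREFIX: "sha256 basename" lines, one per file
hash_release_files() {
    list_release_files "$1" "$2" | while IFS= read -r f; do
        printf '%s %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$(basename "$f")"
    done
}

# snapshot_release_files SNAPDIR LISTS PREFIX: back up the files and record
# their hashes (run this *before* the next "apt-get update")
snapshot_release_files() {
    mkdir -p "$1"
    list_release_files "$2" "$3" | while IFS= read -r f; do cp -p "$f" "$1"/; done
    hash_release_files "$2" "$3" > "$1/SHA256SUMS"
}

# compare_release_files SNAPDIR LISTS PREFIX: returns 0 if every file is
# identical to the snapshot, 1 if any changed, appeared or disappeared
compare_release_files() {
    hash_release_files "$2" "$3" > "$1/SHA256SUMS.after"
    if cmp -s "$1/SHA256SUMS" "$1/SHA256SUMS.after"; then
        echo "unchanged: files fetched now are identical to the snapshot"
        return 0
    fi
    echo "CHANGED since snapshot (proxy cache or mirror served different data):"
    diff "$1/SHA256SUMS" "$1/SHA256SUMS.after" || true
    return 1
}

# verify_release_signature DIR: re-check each Release.gpg against its Release
# with gpgv and apt's trusted keyring (path assumed for an etch-era system).
# Returns 0 if all verify, 1 if any fails, 2 if gpgv is not installed.
verify_release_signature() {
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not installed"; return 2; }
    rc=0
    for sig in "$1"/*Release.gpg; do
        [ -f "$sig" ] || continue
        gpgv --keyring /etc/apt/trusted.gpg "$sig" "${sig%.gpg}" || rc=1
    done
    return $rc
}

# refetch_bypassing_cache URL: ask intermediate proxies for a fresh copy
# (wget --no-cache sends Pragma: no-cache / Cache-Control: no-cache) and
# discard the body; the "use wget to flush the proxy" step from the thread.
refetch_bypassing_cache() {
    wget -q --no-cache -O /dev/null "$1"
}

# Usage: sh release-check.sh snapshot SNAPDIR [PREFIX]
#        sh release-check.sh compare  SNAPDIR [PREFIX]
#        sh release-check.sh verify   [DIR]
#        sh release-check.sh refetch  URL
LISTS=${LISTS:-/var/lib/apt/lists}
case "${1:-}" in
    snapshot) snapshot_release_files "$2" "$LISTS" "${3:-security.debian.org_}" ;;
    compare)  compare_release_files "$2" "$LISTS" "${3:-security.debian.org_}" ;;
    verify)   verify_release_signature "${2:-$LISTS}" ;;
    refetch)  refetch_bypassing_cache "$2" ;;
esac
```

Run "snapshot" when the BADSIG error appears, rerun "apt-get update", then run "compare": if the Release.gpg (or Release) hash flips between runs, the proxy is returning different bytes for the same URL, which is exactly the mismatch that makes gpg report BADSIG against an otherwise valid archive key; "verify" on the snapshot directory tells you whether the pair apt saw was internally consistent.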

