
Bug#703146: apt: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze)?



On Sat, Mar 16, 2013 at 11:24:38AM +0100, David Kalnischkies wrote:
> Hi Steven,
Hi David and Steven,
 
> could you please try again?
> 
> This is very likely a temporary mirror hiccup while it is syncing.
> 
> With disabling InRelease we get all the Release vs. Release.gpg mismatches
> back, which look/are more critical than the (In)Release vs. Packages & Co.
> mismatches. There are various ideas to make syncs more atomic, but none
> is foolproof - and need "provider" support as APT is only a "consumer" here.

I can reproduce this here:
"""
$ sudo LANG=C debootstrap --verbose --arch=i386 sid sid-chroot
...
$ sudo chroot sid-chroot
root@bod:/# ls -l /var/lib/apt/lists/
total 30028
-rw-r--r-- 1 root root   236078 Mar 17 02:22
ftp.us.debian.org_debian_dists_sid_Release
-rw-r--r-- 1 root root 30506862 Mar 17 02:02
ftp.us.debian.org_debian_dists_sid_main_binary-i386_Packages
drwxr-xr-x 2 root root     4096 Mar 17 09:21 partial

root@bod:/# apt-get update
Get:1 http://ftp.us.debian.org sid Release.gpg [836 B]
Hit http://ftp.us.debian.org sid Release
Ign http://ftp.us.debian.org sid Release
Get:2 http://ftp.us.debian.org sid/main i386 Packages/DiffIndex [7876 B]
Get:3 http://ftp.us.debian.org sid/main Translation-en [4112 kB]
Fetched 4120 kB in 9s (436 kB/s)                                               
Reading package lists... Done
W: GPG error: http://ftp.us.debian.org sid Release: The following
signatures were invalid: BADSIG AED4B06F473041FA Debian Archive
Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
"""

And indeed, there is something funny going on, looking at:
# head /var/lib/apt/lists/ftp.us.debian.org_debian_dists_sid_Release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Origin: Debian
...

shows that it's actually the InRelease file after the apt-get update,
which of course does not verify against the Release.gpg.

It looks like debootstrap is putting it here. I just re-ran
debootstrap and indeed, the file put there in the chroot is called
"_Release" but it's actually the "_InRelease" file. apt-get update will
send an If-Modified-Since header to the remote server and get a
"not-modified", so it leaves the Release file alone, but the downloaded
Release.gpg does not match.

Renaming the downloaded _Release file to _InRelease fixes the
issue. This bug in debootstrap was masked by the previous apt, which was
downloading a new InRelease and not touching the already present Release
file - but now that InRelease support is disabled it's triggered.

Cheers,
 Michael
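Added example (not code from the bug report, debootstrap or apt): a small POSIX sh check that spots the mismatch Michael describes, a file named `*_Release` under the apt lists directory that actually holds the clearsigned InRelease document, and applies the rename workaround from the mail. The lists directory is passed as an argument, and the `mirror_dists_*` file names in the sample are constructed.

```shell
#!/bin/sh
# Detect list files named "<mirror>_dists_<suite>_Release" whose content is
# the clearsigned InRelease document rather than a plain Release file.
# Prints each misnamed path; exits 0 when at least one is found (grep-style),
# 1 otherwise.
find_misnamed_release() {
    lists_dir="$1"
    found=1
    for f in "$lists_dir"/*_Release; do
        [ -f "$f" ] || continue
        # A plain Release file starts with header fields ("Origin:", ...);
        # a clearsigned InRelease starts with the PGP armor header, which is
        # why the detached Release.gpg can never verify against it.
        if [ "$(head -n 1 "$f")" = "-----BEGIN PGP SIGNED MESSAGE-----" ]; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return $found
}

# Workaround from the mail: rename each misnamed "_Release" to "_InRelease"
# so the next apt-get update fetches a real Release file instead of sending
# If-Modified-Since for the wrong document.
fix_misnamed_release() {
    lists_dir="$1"
    find_misnamed_release "$lists_dir" | while IFS= read -r f; do
        mv "$f" "${f%_Release}_InRelease"
    done
}

# Constructed sample lists directory (file names and contents are made up):
# one correct Release file and one InRelease document saved under a _Release name.
make_sample_lists() {
    lists_dir="$1"
    printf '%s\n' 'Origin: Debian' 'Label: Debian' 'Suite: stable' \
        > "$lists_dir/mirror_dists_squeeze_Release"
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA1' '' \
        'Origin: Debian' 'Label: Debian' 'Suite: unstable' \
        > "$lists_dir/mirror_dists_sid_Release"
}
```

On a real system run it as `find_misnamed_release /var/lib/apt/lists` before deciding whether the BADSIG is a mirror sync problem or a local misnamed file.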

