On Dec 6, 2006, at 3:43 AM, Florian Kulzer wrote:
> There seems to be some confusion between two different issues:
>
> 1) There is a new archive signing key for Etch. The Release files are
> currently signed with both the new and the old key. Apt is satisfied
> with the old signature, but it will alert you to the fact that there
> is an additional signature with a key that apt does not know. The
> error message is something like "unknown key" or "unknown signature"
> (I don't remember the exact wording right now). As others have
> already pointed out, installing the debian-archive-keyring will take
> care of this automatically, for now and for all new keys in the
> future.
>
> 2) The "invalid signature" error of gpg is something completely
> different. Apt knows the used keys but the Release files have
> incorrect signatures. In the worst-case scenario this means that
> someone has taken over the MIT site and tries to achieve world
> domination by putting doctored packages on people's computers. (The
> whole point of the archive signing is to protect you against this.
> If I manage to slip a manipulated package into your installation
> process then I can do more or less whatever I want on your machine
> since the installation scripts from this package will run with root
> privileges.)
>
> More likely, however, there is just a synchronization problem with
> the MIT mirror. You can get the "bad signature" error if you update
> while the mirror is in the middle of its synchronization procedure. If
> you get this message all the time then you should send an email to
> the maintainer of the MIT mirror to make him/her aware of the
> problem.
Thanks Florian! This s.
Rick
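The two cases Florian separates above ("unknown key" next to a good signature, versus a signature that does not match the Release file) show up as different keywords in the machine-readable status output of `gpgv --status-fd 1`, which is the interface apt's gpgv method reads. The following is an added illustration, not code from the thread or from apt: it parses that status output and reproduces the distinction. The two status transcripts are constructed for the example, and the key IDs and user IDs in them are placeholders.

```python
"""Classify Release-file verification from `gpgv --status-fd 1` output.

Added example (not apt's code). Distinguishes:
  - GOODSIG plus NO_PUBKEY: accepted, but warn about a key apt does not know
    (the "new archive key, keyring not yet installed" case);
  - BADSIG: the key is known but the signature does not match the file
    (mid-sync mirror, or tampering); refuse the Release file.
"""
import re
from typing import NamedTuple

# One "[GNUPG:] KEYWORD arg arg ..." line per event.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


class Verdict(NamedTuple):
    ok: bool             # would the Release file be accepted?
    kind: str            # "verified", "unknown_key", "bad_signature", "unverified"
    good_keys: tuple     # key IDs whose signature checked out
    unknown_keys: tuple  # key IDs for which no public key is in the keyring
    bad_keys: tuple      # key IDs whose signature did NOT match the file


def parse_status(text):
    """Turn status-fd output into a list of (keyword, args) tuples."""
    events = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            events.append((m.group(1), (m.group(2) or "").split()))
    return events


def classify(status_text):
    good, unknown, bad = [], [], []
    for keyword, args in parse_status(status_text):
        if keyword == "GOODSIG":
            good.append(args[0])
        elif keyword == "BADSIG":
            bad.append(args[0])
        elif keyword == "NO_PUBKEY":
            unknown.append(args[0])
    good, unknown, bad = tuple(good), tuple(unknown), tuple(bad)
    if bad:
        # Case 2 in the thread: a known key, but the signature is wrong for
        # this file. Do not install anything from this mirror until it clears.
        return Verdict(False, "bad_signature", good, unknown, bad)
    if good and unknown:
        # Case 1: verified by a known key; the extra signature is from a key
        # the keyring lacks (fix: install debian-archive-keyring).
        return Verdict(True, "unknown_key", good, unknown, bad)
    if good:
        return Verdict(True, "verified", good, unknown, bad)
    return Verdict(False, "unverified", good, unknown, bad)


# Constructed sample status output: Release signed by old and new key, only
# the old key in the keyring. Key IDs / user IDs are placeholders.
STATUS_NEW_KEY_NOT_INSTALLED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Placeholder Archive Key (old) <placeholder@example.invalid>
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 17 2 00 1165386000 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""

# Constructed sample status output: both keys known, but the Release file
# does not match either signature (e.g. mirror caught mid-synchronization).
STATUS_MIRROR_MID_SYNC = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Placeholder Archive Key (old) <placeholder@example.invalid>
[GNUPG:] NEWSIG
[GNUPG:] BADSIG FEDCBA9876543210 Placeholder Archive Key (new) <placeholder@example.invalid>
"""


if __name__ == "__main__":
    for name, sample in (("new key not installed", STATUS_NEW_KEY_NOT_INSTALLED),
                         ("mirror mid-sync", STATUS_MIRROR_MID_SYNC)):
        v = classify(sample)
        print(f"{name}: ok={v.ok} kind={v.kind} good={v.good_keys} "
              f"unknown={v.unknown_keys} bad={v.bad_keys}")
```

To run it against a real mirror rather than the constructed samples, feed `classify()` the output of `gpgv --status-fd 1 --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release` (the keyring path is the one the debian-archive-keyring package installs). A persistent `bad_signature` verdict across several updates is the situation the thread says to report to the mirror maintainer; a one-off during a sync window clears on the next run.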
--
To UNSUBSCRIBE, email to
debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org