linux.debian.user debian-user@lists.debian.org.

signature invalid: BADSIG 010908312D230C5F Debian Archive Automatic Signing Key (2006)

02/12/2006, 23h20   #1
Rick Thomas

Does anybody know why I'm getting this message when I do "aptitude
update"

> W: GPG error: http://mirrors.usc.edu etch Release: The following
> signatures were invalid: BADSIG 010908312D230C5F Debian Archive
> Automatic Signing Key (2006) <ftpmaster@debian.org>


A couple of days ago, I was getting the same message, but from
debian.lcs.mit.edu, instead of mirrors.usc.edu. Both sites are in my
sources.list file.

Thanks!

Rick


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

03/12/2006, 01h10   #2
Mathieu Malaterre

Have you tried installing:

http://packages.debian.org/unstable/...rchive-keyring

HTH
-M

On 12/2/06, Rick Thomas <rbthomas55@pobox.com> wrote:
>
> Does anybody know why I'm getting this message when I do "aptitude
> update"
>
> > W: GPG error: http://mirrors.usc.edu etch Release: The following
> > signatures were invalid: BADSIG 010908312D230C5F Debian Archive
> > Automatic Signing Key (2006) <ftpmaster@debian.org>

>
> A couple of days ago, I was getting the same message, but from
> debian.lcs.mit.edu, instead of mirrors.usc.edu. Both sites are in my
> sources.list file.
>
> Thanks!
>
> Rick



--
Mathieu


03/12/2006, 08h50   #3
Rick Thomas


Well... It certainly looks like I've got it installed...

However, the version that's available from the "etch" mirrors (and
installed on my machine) doesn't seem to be the same as that on the
website that Mathieu mentions. Is it just that it hasn't migrated to
"testing" from "unstable" yet? Will all this clear itself up when it
gets migrated?

In the meantime, why have things signed by it been allowed to get
into the "testing" archive?


> rick@macswell:~$ aptitude show debian-archive-keyring
> Package: debian-archive-keyring
> State: installed
> Automatically installed: no
> Version: 2006.01.18
> Priority: important
> Section: misc
> Maintainer: Michael Vogt <mvo@debian.org>
> Uncompressed Size: 53.2k
> Depends: gnupg (>= 1.0.6-4)
> Description: GnuPG archive keys of the Debian archive
> The Debian project digitally signs its Release files. This package
> contains the
> archive keys used for that.
>
> rick@macswell:~$




On Dec 2, 2006, at 8:04 PM, Mathieu Malaterre wrote:

> Have you tried installing:
>
> http://packages.debian.org/unstable/...rchive-keyring
>
> HTH
> -M
>
> On 12/2/06, Rick Thomas <rbthomas55@pobox.com> wrote:
>>
>> Does anybody know why I'm getting this message when I do "aptitude
>> update"
>>
>> > W: GPG error: http://mirrors.usc.edu etch Release: The following
>> > signatures were invalid: BADSIG 010908312D230C5F Debian Archive
>> > Automatic Signing Key (2006) <ftpmaster@debian.org>

>>
>> A couple of days ago, I was getting the same message, but from
>> debian.lcs.mit.edu, instead of mirrors.usc.edu. Both sites are in my
>> sources.list file.



06/12/2006, 01h50   #4
Rick Thomas


On Dec 2, 2006, at 6:12 PM, Rick Thomas wrote:

>
> Does anybody know why I'm getting this message when I do "aptitude
> update"
>
>> W: GPG error: http://mirrors.usc.edu etch Release: The following
>> signatures were invalid: BADSIG 010908312D230C5F Debian Archive
>> Automatic Signing Key (2006) <ftpmaster@debian.org>

>
> A couple of days ago, I was getting the same message, but from
> debian.lcs.mit.edu, instead of mirrors.usc.edu. Both sites are in
> my sources.list file.


mathieu.malaterre@gmail.com wrote:

> Have you tried installing:
>
> http://packages.debian.org/unstable/...rchive-keyring




The error message has moved back to debian.lcs.mit.edu. It's gone
from mirrors.usc.edu for the time being. By removing the mit site
from my sources.list file I was able to do "aptitude update &&
aptitude dist-upgrade" which updated the debian-archive-keyring
package to the November 22, 2006 version. But when I put the mit
site back in, the error was still there.

Anybody got any ideas?

Rick


06/12/2006, 02h20   #5
Roberto C. Sanchez

On Sat, Dec 02, 2006 at 06:12:49PM -0500, Rick Thomas wrote:
>
> Does anybody know why I'm getting this message when I do "aptitude
> update"
>
> >W: GPG error: http://mirrors.usc.edu etch Release: The following
> >signatures were invalid: BADSIG 010908312D230C5F Debian Archive
> >Automatic Signing Key (2006) <ftpmaster@debian.org>

>
> A couple of days ago, I was getting the same message, but from
> debian.lcs.mit.edu, instead of mirrors.usc.edu. Both sites are in my
> sources.list file.
>


Please use Google. There are probably thousands of hits discussing this
very problem.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com

06/12/2006, 08h50   #6
Florian Kulzer

On Tue, Dec 05, 2006 at 20:42:21 -0500, Rick Thomas wrote:
>
> On Dec 2, 2006, at 6:12 PM, Rick Thomas wrote:
>
> >Does anybody know why I'm getting this message when I do "aptitude
> >update"
> >
> >>W: GPG error: http://mirrors.usc.edu etch Release: The following
> >>signatures were invalid: BADSIG 010908312D230C5F Debian Archive
> >>Automatic Signing Key (2006) <ftpmaster@debian.xxx>

> >
> >A couple of days ago, I was getting the same message, but from
> >debian.lcs.mit.edu, instead of mirrors.usc.edu. Both sites are in
> >my sources.list file.

>
> Mathieu Malaterre wrote:
>
> >Have you tried installing:
> >
> >http://packages.debian.org/unstable/...rchive-keyring

>
> The error message has moved back to debian.lcs.mit.edu. It's gone
> from mirrors.usc.edu for the time being. By removing the mit site
> from my sources.list file I was able to do "aptitude update &&
> aptitude dist-upgrade" which updated the debian-archive-keyring
> package to the November 22, 2006 version. But when I put the mit
> site back in, the error was still there.
>
> Anybody got any ideas?


There seems to be some confusion between two different issues:

1) There is a new archive signing key for Etch. The Release files are
currently signed with both the new and the old key. Apt is satisfied
with the old signature, but it will alert you to the fact that there
is an additional signature with a key that apt does not know. The
error message is something like "unknown key" or "unknown signature"
(I don't remember the exact wording right now). As others have
already pointed out, installing the debian-archive-keyring will take
care of this automatically, for now and for all new keys in the
future.

2) The "invalid signature" error of gpg is something completely
different. Apt knows the used keys but the Release files have
incorrect signatures. In the worst-case scenario this means that
someone has taken over the MIT site and tries to achieve world
domination by putting doctored packages on people's computers. (The
whole point of the archive signing is to protect you against this.
If I manage to slip a manipulated package into your installation
process then I can do more or less whatever I want on your machine
since the installation scripts from this package will run with root
privileges.)

More likely, however, there is just a synchronization problem with
the MIT mirror. You can get the "bad signature" error if you update
while the mirror is in the middle of its synchronization procedure. If
you get this message all the time then you should send an email to
the maintainer of the MIT mirror to make him/her aware of the
problem.

--
Regards,
Florian


06/12/2006, 12h50   #7
Rick Thomas


On Dec 6, 2006, at 3:43 AM, Florian Kulzer wrote:

> There seems to be some confusion between two different issues:
>
> 1) There is a new archive signing key for Etch. The Release files are
> currently signed with both the new and the old key. Apt is
> satisfied
> with the old signature, but it will alert you to the fact that
> there
> is an additional signature with a key that apt does not know. The
> error message is something like "unknown key" or "unknown
> signature"
> (I don't remember the exact wording right now). As others have
> already pointed out, installing the debian-archive-keyring will
> take
> care of this automatically, for now and for all new keys in the
> future.
>
> 2) The "invalid signature" error of gpg is something completely
> different. Apt knows the used keys but the Release files have
> incorrect signatures. In the worst-case scenario this means that
> someone has taken over the MIT site and tries to achieve world
> domination by putting doctored packages on people's computers. (The
> whole point of the archive signing is to protect you against this.
> If I manage to slip a manipulated package into your installation
> process then I can do more or less whatever I want on your machine
> since the installation scripts from this package will run with root
> privileges.)
>
> More likely, however, there is just a synchronization problem with
> the MIT mirror. You can get the "bad signature" error if you update
> while the mirror is in the middle of its synchronization procedure. If
> you get this message all the time then you should send an email to
> the maintainer of the MIT mirror to make him/her aware of the
> problem.


Thanks Florian! This s.

Rick



06/12/2006, 23h20   #8
Miles Bader

Florian Kulzer <florian@molphys.leidenuniv.nl> writes:
> More likely, however, there is just a synchronization problem with
> the MIT mirror. You can get the "bad signature" error if you update
> while the mirror is in the middle of its synchronization procedure. If
> you get this message all the time then you should send an email to
> the maintainer of the MIT mirror to make him/her aware of the
> problem.


I seem to see these messages quite regularly, no matter which mirror I
use. Typically switching to a different mirror fixes things.

Unfortunately the presence of several different but sort-of-similar
errors, like the keyring stuff, is kind of confusing, I'm never quite
sure _where_ the problem is really coming from. [But it's been
happening regularly for at least like 6 months or so.]

-Miles

--
The car has become... an article of dress without which we feel uncertain,
unclad, and incomplete. [Marshall McLuhan, Understanding Media, 1964]


07/12/2006, 00h30   #9
Florian Kulzer

On Thu, Dec 07, 2006 at 08:10:45 +0900, Miles Bader wrote:
> Florian Kulzer writes:
> > More likely, however, there is just a synchronization problem with
> > the MIT mirror. You can get the "bad signature" error if you update
> > while the mirror is in the middle of its synchronization procedure. If
> > you get this message all the time then you should send an email to
> > the maintainer of the MIT mirror to make him/her aware of the
> > problem.

>
> I seem to see these messages quite regularly, no matter which mirror I
> use. Typically switching to a different mirror fixes things.
>
> Unfortunately the presence of several different but sort-of-similar
> errors, like the keyring stuff, is kind of confusing, I'm never quite
> sure _where_ the problem is really coming from. [But it's been
> happening regularly for at least like 6 months or so.]


The relevant files are downloaded to this location:

$ ls /var/lib/apt/lists/*_Release*
/var/lib/apt/lists/ftp.nl.debian.org_debian_dists_testing_Release
/var/lib/apt/lists/ftp.nl.debian.org_debian_dists_testing_Release.gpg

[ snip: more of the same for the other entries in my sources.list ]

There should be one signature file "*_Release.gpg" for every "*_Release"
file. The Release file has hashes which can be used to check the content
of the packages and the .gpg file has the signature(s) which can be used
to verify the content of the Release file. (You can have a look at these
files with "less", they are plain ASCII texts.)

If the mirror does not have a .gpg file for a Release file you will get
a "missing signature" error message.

If you catch the mirror at the wrong moment it might just have
synchronized to the new Release file but still have the old .gpg file
(or the other way round). In that case the signature can obviously not
match the Release file and you will get the "invalid signature" error.
However, this should be very rare if the mirror is working correctly.
One explanation for your problem might be that you are going through a
proxy which is not kept up-to-date properly. You could post which
mirrors you use, then others can tell you if they have the same issues.

Finally, if you get an "invalid signature" error you can check the
problematic Release file yourself. For the above example this would look
like this:

$ cd /var/lib/apt/lists/
$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --verify ftp.nl.debian.org_debian_dists_testing_Release{.gpg,}
gpg: Signature made Wed 06 Dec 2006 09:08:42 CET using DSA key ID 2D230C5F
gpg: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@xxxxxx.xxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F
gpg: Signature made Wed 06 Dec 2006 09:08:42 CET using DSA key ID 6070D3A1
gpg: Good signature from "Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@xxxxxx.xxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A999 51DA F9BB 569B DB50 AD90 A70D AF53 6070 D3A1

(I obfuscated the email addresses in the gpg output. The curly braces at
the end of the gpg line are just a trick to avoid typing the
"*_Release" part twice.)

--
Regards,
Florian
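
As an added example (not part of Florian's post and not apt's own code), the manual gpg check above can be run over every downloaded Release file, using gpg's `--status-fd` lines to separate the cases discussed in this thread: a bad signature, a signing key missing from the keyring, and a missing Release.gpg. The function and verdict names are assumptions of this example; the keyring path and key IDs are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: classify apt's downloaded Release files by signature state.
# Keyring path as quoted in the thread; override with KEYRING=... if needed.
KEYRING="${KEYRING:-/usr/share/keyrings/debian-archive-keyring.gpg}"

# classify_status: read `gpg --status-fd 1` output on stdin, print one verdict.
#   BAD      a known key, but the signature does not match the file (BADSIG)
#   GOOD     at least one valid signature and no BADSIG; an extra signature
#            from a key that is not in the keyring is tolerated
#   UNKNOWN  only NO_PUBKEY: the signing key is missing from the keyring
#   OTHER    none of the above (for example expired key, unreadable signature)
# Letting BAD override GOOD is a conservative choice made by this example.
classify_status() {
    awk '
        $1 == "[GNUPG:]" && $2 == "BADSIG"    { bad++ }
        $1 == "[GNUPG:]" && $2 == "GOODSIG"   { good++ }
        $1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { unknown++ }
        END {
            if (bad)          print "BAD"
            else if (good)    print "GOOD"
            else if (unknown) print "UNKNOWN"
            else              print "OTHER"
        }'
}

# check_release: verdict for one Release file and its detached signature.
check_release() {
    rel=$1
    if [ ! -f "$rel.gpg" ]; then
        echo "MISSING"      # Release file present, no Release.gpg beside it
        return 0
    fi
    gpg --no-default-keyring --keyring "$KEYRING" --status-fd 1 \
        --verify "$rel.gpg" "$rel" 2>/dev/null | classify_status
}

# check_lists: print "verdict<TAB>file" for every *_Release file in a directory.
check_lists() {
    for rel in "$1"/*_Release; do
        [ -f "$rel" ] || continue
        printf '%s\t%s\n' "$(check_release "$rel")" "$rel"
    done
}

if [ -n "${1:-}" ]; then
    check_lists "$1"        # e.g. sh check-release.sh /var/lib/apt/lists
else
    # Constructed status lines: the 2006 key verifies, the etch key is unknown.
    printf '%s\n' '[GNUPG:] GOODSIG 010908312D230C5F Debian Archive Automatic Signing Key (2006)' \
                  '[GNUPG:] NO_PUBKEY A70DAF536070D3A1' | classify_status
fi
```

A file that stays BAD across several runs points at the mirror or a stale proxy rather than at a sync in progress, which is the case Florian suggests reporting to the mirror maintainer.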

