GPGbad signature error message from apt-get update - hacker attempt or what?


    When I try to do a
    Code:
    sudo apt-get update
    these days, in the end of my reply list from the various repositories, I get the following message

    Code:
    W: GPG error: http://no.archive.ubuntu.com oneiric Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
    W: GPG error: http://archive.canonical.com oneiric Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
    1. Anyone else receive these messages? My system was a fresh install in 11.04 upgraded to 11.10. Is this a sign that someone is trying to hack Ubuntu's or my apt?
    2. What do they really mean, the signatures were changed since new or something?
    3. Can I do something safe to fix this?

    #2
    From Askubuntu: http://askubuntu.com/questions/1877/...sig-gpg-errors
    Have you tried?

    - How to Ask a Question on the Internet and Get It Answered
    - How To Ask Questions The Smart Way



      #3
      I did not find the answer at askubuntu satisfying - let me explain:
      1. We have a system in place to verify that only authorised software from our repo comes into our computers.
      2. The system stops some software from coming into the computer because it has the wrong signature.
      3. The fix is to tell the system to accept the wrong signature and proceed as if it is the right signature.

      Either I am stupid, or that is just the way to make any such system completely worthless?

      There must be a way to update the system with the right signatures which does not simply accept the ones that are the wrong ones as the new right ones.



        #4
        Launchpad bug, actually 2010 vintage going on to 2011, and then just a developer commenting that it isn't a bug if it just does not work for some reason; it is a bug if it can be reproduced.
        https://bugs.launchpad.net/ubuntu/+s...pt/+bug/574886
        For my part I think that is not a nice attitude towards users and usability, and it serves to discredit the open source development model. If it causes user problems, the software may require "improved features" if that is what you call fixing.



          #5
          Personally, I would never install software which didn't have a valid GPG signature.
          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
          – John F. Kennedy, February 26, 1962.



            #6
            workaround found

            From what I have read, there are some problems caused by a timeout when running apt-get update.

            I have found a workaround on ubuntuforums, posted by Dino 99 in this thread (#2)

            Code:
            sudo apt-get clean
            cd /var/lib/apt
            sudo mv lists lists.old
            sudo mkdir -p lists/partial
            sudo apt-get clean
            sudo apt-get update
            The workaround removes packages apt has available using apt-get clean, then moves the package lists to a .old file. Next step, creates a directory called lists/partial in /var/lib/apt - can someone please explain this to me? Finally, apt-get clean again (why?) and then apt-get update.

            There are two steps here that I do not understand, but it appears to be done without compromising the apt security framework.
            Last edited by heinkel_111; Apr 09, 2012, 04:57 AM. Reason: adding info on potential cause of problems
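
A read-only check that goes with the workaround in post #6, added here as an example and not written by any poster in the thread: it runs `gpgv` over the cached `Release` / `Release.gpg` pairs and classifies the status lines, so a BADSIG (the key is known, but the cached file and its signature do not match) is told apart from a missing or expired key. The function names, the `--check` switch and the default paths `/var/lib/apt/lists` and `/etc/apt/trusted.gpg` are assumptions about a stock apt layout.

```shell
#!/bin/sh
# Added example, not from the thread. Names and default paths are assumptions.

# Constructed samples of gpgv --status-fd lines (key ID taken from the warning
# quoted in the first post; algorithm numbers and timestamp are made up).
SAMPLE_BADSIG='[GNUPG:] BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>'
SAMPLE_NOKEY='[GNUPG:] ERRSIG 40976EAF437D05B5 17 2 00 1333958220 9
[GNUPG:] NO_PUBKEY 40976EAF437D05B5'

# Read gpgv status lines on stdin and print one verdict word. A single BADSIG
# wins over any GOODSIG, a deliberately conservative choice for this example.
classify_gpg_status() {
  awk '
    $1 != "[GNUPG:]"  { next }
    $2 == "BADSIG"    { bad = 1 }
    $2 == "NO_PUBKEY" { nokey = 1 }
    $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" || $2 == "EXPSIG" { stale = 1 }
    $2 == "GOODSIG"   { good = 1 }
    END {
      if (bad)        print "mismatch"     # signed bytes differ from the cached file
      else if (nokey) print "missing-key"  # signer is not in the keyring
      else if (stale) print "stale-key"    # key or signature expired or revoked
      else if (good)  print "ok"
      else            print "unverified"   # gpgv reported no signature result
    }'
}

# Verify each cached Release file against its detached signature.
# Runs in a subshell, reads files only, changes nothing on disk.
check_cached_releases() (
  lists="${1:-/var/lib/apt/lists}"
  keyring="${2:-/etc/apt/trusted.gpg}"
  for rel in "$lists"/*_Release; do
    [ -f "$rel.gpg" ] || continue        # also skips an unmatched glob
    verdict=$(gpgv --keyring "$keyring" --status-fd 1 "$rel.gpg" "$rel" \
                2>/dev/null | classify_gpg_status)
    printf '%s\t%s\n' "$verdict" "${rel##*/}"
  done
)

if [ "${1:-}" = "--check" ]; then
  check_cached_releases
fi
```

A `mismatch` verdict corresponds to the BADSIG warning quoted in the first post.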



              #7
              My guess is that you are somehow still using the original Natty 11.04 signatures against the more recent repositories holding Oneiric 11.10 packages.
              And more than likely you've upgraded to 11.10 from 11.04 by changing your /etc/sources list entries from natty to read oneiric.
              *If* this is the case, and the previous repository is changed or is closed, the accompanying key obviously becomes invalid.
              Or perhaps you have inadvertently deleted the newer repositories by mistake thinking that they were duplicates?
              You should post up a list of your repositories so those of us here still on 11.10 can kindly do a cross check against what they have as a currently working set.
              Kubuntu 12.04 - Acer Aspire 5750G

              "I don't make a great deal of money, but I'm ok with that 'cause I don't hurt a lot of people in the process either"



                #8
                In the past I have done a lot of upgrades using the substitution of distro version names in /etc/apt/sources.list and then sudo apt-get dist-upgrade, and as such, your guess may not be a bad one. However, I believe this time I did upgrade with the standard kubuntu upgrade tools (memory is failing - is there a text file somewhere to tell me if I did?)

                My idea is that my list of repositories will be different from many other forum users because language is part of the URL. That way my repositories have a different URL from what English-installing users get. Here's my sources.list:

                Code:
                # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
                # newer versions of the distribution.
                deb http://no.archive.ubuntu.com/ubuntu/ oneiric main restricted
                deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric main restricted
                
                ## Major bug fix updates produced after the final release of the
                ## distribution.
                deb http://no.archive.ubuntu.com/ubuntu/ oneiric-updates main restricted
                deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric-updates main restricted
                
                ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
                ## team. Also, please note that software in universe WILL NOT receive any
                ## review or updates from the Ubuntu security team.
                deb http://no.archive.ubuntu.com/ubuntu/ oneiric universe
                deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric universe
                deb http://no.archive.ubuntu.com/ubuntu/ oneiric-updates universe
                deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric-updates universe
                
                ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu 
                ## team, and may not be under a free licence. Please satisfy yourself as to 
                ## your rights to use the software. Also, please note that software in 
                ## multiverse WILL NOT receive any review or updates from the Ubuntu
                ## security team.
                deb http://no.archive.ubuntu.com/ubuntu/ oneiric multiverse
                deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric multiverse
                deb http://no.archive.ubuntu.com/ubuntu/ oneiric-updates multiverse
                deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric-updates multiverse
                
                ## Uncomment the following two lines to add software from the 'backports'
                ## repository.
                ## N.B. software from this repository may not have been tested as
                ## extensively as that contained in the main release, although it includes
                ## newer versions of some applications which may provide useful features.
                ## Also, please note that software in backports WILL NOT receive any review
                ## or updates from the Ubuntu security team.
                # deb http://no.archive.ubuntu.com/ubuntu/ oneiric-backports main restricted universe multiverse
                # deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric-backports main restricted universe multiverse
                                                                                            
                deb http://security.ubuntu.com/ubuntu oneiric-security main restricted      
                deb-src http://security.ubuntu.com/ubuntu oneiric-security main restricted  
                deb http://security.ubuntu.com/ubuntu oneiric-security universe             
                deb-src http://security.ubuntu.com/ubuntu oneiric-security universe         
                deb http://security.ubuntu.com/ubuntu oneiric-security multiverse           
                deb-src http://security.ubuntu.com/ubuntu oneiric-security multiverse       
                                                                                            
                ## Uncomment the following two lines to add software from Canonical's       
                ## 'partner' repository.                                                    
                ## This software is not part of Ubuntu, but is offered by Canonical and the 
                ## respective vendors as a service to Ubuntu users.
                deb http://archive.canonical.com/ubuntu oneiric partner
                deb-src http://archive.canonical.com/ubuntu oneiric partner
                
                ## This software is not part of Ubuntu, but is offered by third-party
                ## developers who want to ship their latest software.
                deb http://extras.ubuntu.com/ubuntu oneiric main
                deb-src http://extras.ubuntu.com/ubuntu oneiric main
                deb http://packages.medibuntu.org/ oneiric free non-free
                deb-src http://packages.medibuntu.org/ oneiric free non-free
