GPGbad signature error message from apt-get update - hacker attempt or what?

[heinkel_111]

When I try to do a

Code:

sudo apt-get update

these days, in the end of my reply list from the various repositories, I get the following message

Code:

W: GPG error: http://no.archive.ubuntu.com oneiric Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
W: GPG error: http://archive.canonical.com oneiric Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>

1. Anyone else receive these messages? my system was a fresh install in 11.04 upgraded to 11.10. Is this a sign that someone is trying to hack ubuntu's or my apt?
2. What do they really mean, the signatures were changed since new or something?
3. Can I do something safe to fix this?

[OneLine]

From the Askubuntu: http://askubuntu.com/questions/1877/...sig-gpg-errors

[heinkel_111]

I did not find the answer at aksubuntu satisfying - let me explain:
1. we have a system in place to verify that only authorised software from our repo comes into our computers
2. system stops some software from coming into the computer because it has the wrong signature
3. fix is to tell the system to accept the wrong signature and proceed as if it the right signature.

or I am stupid or that is just the way to make any such system completely worthless?

There must be a way to update the system with the right signatures which does not simply accept the ones that are the wrong ones as the new right ones

[heinkel_111]

launchpad bug actually 2010 vintage going on to 2011 and then just a developer commenting that it isnt a bug if just does not work for some reason it is a bug if it can be reproduced.
https://bugs.launchpad.net/ubuntu/+s...pt/+bug/574886
For my part I think that is not a nice attitude towards users and usability, and it serves to discredit the open source development model. If it causes user problems, the software may require "improved features" if that is what you call fixing.

[GreyGeek]

Personally, I would never install software which didn't have a valid GPG signature.

[heinkel_111]

From what I have read, there are some problems caused by a timeout when running apt-get update.

I have found a workaround on ubuntuforums, posted by Dino 99 in this thread (#2)

Code:

sudo apt-get clean
cd /var/lib/apt
sudo mv lists lists.old
sudo mkdir -p lists/partial
sudo apt-get clean
sudo apt-get update

The workaround removes packages apt has available using apt-get clean, then moves the package lists to a .old file. Next step, creates a directory called lists/partial in /var/lib/apt - can someone please explain this to me? Finally, apt-get clean again (why?) and then apt-get update.

There two steps here that I do not understand, but it appears to be done without compromising the apt security framework.

[bra|10n]

My guess is that you are somehow still using the original Natty 11.04 signatures against the more recent repositories holding Oneric 11.10 packages.
And more than likely you've upgraded to 11.10 from 11.04 by changing your /etc/sources list entries from natty to read oneric.
*If* this is the case, and the previous repository is changed or is closed, the accompanying key obviously becomes invalid.
Or perhaps you have inadvertently deleted the newer repositories by mistake thinking that they were duplicates?
You should post up a list of your repositories so those of us here still on 11.10 can kindly do a cross check against what they have as a currently working set.

[heinkel_111]

In the past I have done a lot of upgrades using the substitution of distro version names in /etc/apt/sources.list and then sudo apt-get dist-upgrade, and as such, your guess may not be a bad one. However, I believe this time I did upgrade with the standard kubuntu upgrade tools (memory is failing - is there a text file somewhere to tell me if I did?)

My idea is that my list of repositories will be different from many other forum users because language is part of the url. That way my repositories have a different url from what english-installing users get. Here's my sources.list

Code:

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://no.archive.ubuntu.com/ubuntu/ oneiric main restricted
deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://no.archive.ubuntu.com/ubuntu/ oneiric-updates main restricted
deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://no.archive.ubuntu.com/ubuntu/ oneiric universe
deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric universe
deb http://no.archive.ubuntu.com/ubuntu/ oneiric-updates universe
deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu 
## team, and may not be under a free licence. Please satisfy yourself as to 
## your rights to use the software. Also, please note that software in 
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://no.archive.ubuntu.com/ubuntu/ oneiric multiverse
deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric multiverse
deb http://no.archive.ubuntu.com/ubuntu/ oneiric-updates multiverse
deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric-updates multiverse

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://no.archive.ubuntu.com/ubuntu/ oneiric-backports main restricted
 universe multiverse
# deb-src http://no.archive.ubuntu.com/ubuntu/ oneiric-backports main restri
cted universe multiverse                                                    
                                                                            
deb http://security.ubuntu.com/ubuntu oneiric-security main restricted      
deb-src http://security.ubuntu.com/ubuntu oneiric-security main restricted  
deb http://security.ubuntu.com/ubuntu oneiric-security universe             
deb-src http://security.ubuntu.com/ubuntu oneiric-security universe         
deb http://security.ubuntu.com/ubuntu oneiric-security multiverse           
deb-src http://security.ubuntu.com/ubuntu oneiric-security multiverse       
                                                                            
## Uncomment the following two lines to add software from Canonical's       
## 'partner' repository.                                                    
## This software is not part of Ubuntu, but is offered by Canonical and the 
## respective vendors as a service to Ubuntu users.
deb http://archive.canonical.com/ubuntu oneiric partner
deb-src http://archive.canonical.com/ubuntu oneiric partner

## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
deb http://extras.ubuntu.com/ubuntu oneiric main
deb-src http://extras.ubuntu.com/ubuntu oneiric main
deb http://packages.medibuntu.org/ oneiric free non-free
deb-src http://packages.medibuntu.org/ oneiric free non-free