GPG error: http://security.ubuntu.com quantal-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

Bug #1163745 reported by Digulla-hepe
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apt (Ubuntu) | New | Undecided | Unassigned | |

Bug Description

When running "apt-get update", I see these warnings:

Reading package lists... Error!
W: GPG error: http://security.ubuntu.com quantal-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
W: GPG error: http://ch.archive.ubuntu.com quantal-updates Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

Following the advice on http://askubuntu.com/questions/131601/how-to-overcome-signature-verification-error
I deleted the lists and updated again but the error persists.

I also tried to add the key:

> apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /tmp/tmp.MhtBtqxmAw --trustdb-name /etc/apt//trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5
gpg: requesting key 437D05B5 from hkp server keyserver.ubuntu.com
gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <email address hidden>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

So the key seems to be installed already and it seems to be correct.

What should I do next?

PS: I flagged this as a security vulnerability since it prevents me from installing security updates.

information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Public Security → Public
Digulla-hepe (digulla-hepe) wrote :

Are you 100% sure that the signatures on the Ubuntu servers haven't been tampered with?

If the signatures on your server are correct, how can I find out in which step of the chain they were corrupted?

Digulla-hepe (digulla-hepe) wrote :

I found that by disabling the company wide cache settings, the error goes away. But the files in the cache look good :-/ Is there a way to see what specifically the tool doesn't like? Is there a debug mode or something?
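
A manual check for the two questions raised in this thread (what exactly is rejected, and at which step the files change), as an added example that is not part of the bug report or of apt: it classifies `gpgv` status lines and compares a directly fetched Release/Release.gpg pair with the pair served by the cache. The keyring path, the two-directory layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumed: the keyring path below
# (ubuntu-keyring package) and two directories you filled yourself, each
# holding Release and Release.gpg (one fetched directly, one via the cache).
KEYRING="${KEYRING:-/usr/share/keyrings/ubuntu-archive-keyring.gpg}"

# Read `gpgv --status-fd` lines on stdin and print one verdict.
# BADSIG: the key is present but the signature does not match the data, so
# importing the key again changes nothing. NO_PUBKEY: the key is missing.
classify_status() {
    bad=0 good=0 missing=0 expired=0
    while read -r tag kind _rest || [ -n "$tag" ]; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kind" in
            BADSIG)    bad=1 ;;
            GOODSIG)   good=1 ;;
            NO_PUBKEY) missing=1 ;;
            EXPKEYSIG) expired=1 ;;
        esac
    done
    if   [ "$bad" = 1 ];     then echo data-mismatch
    elif [ "$good" = 1 ];    then echo good
    elif [ "$missing" = 1 ]; then echo key-missing
    elif [ "$expired" = 1 ]; then echo key-expired
    else echo unknown; fi
}

# usage: verify_pair <Release> <Release.gpg>
verify_pair() {
    gpgv --status-fd 1 --keyring "$KEYRING" "$2" "$1" 2>/dev/null | classify_status
}

# usage: locate_fault <direct dir> <cache dir>
# Shows which file the cache changed, then the verdict for each pair.
locate_fault() {
    for f in Release Release.gpg; do
        if cmp -s "$1/$f" "$2/$f"; then echo "$f: identical"
        else echo "$f: differs via cache"; fi
    done
    echo "direct: $(verify_pair "$1/Release" "$1/Release.gpg")"
    echo "cache:  $(verify_pair "$2/Release" "$2/Release.gpg")"
}
```

If the cache pair reports `data-mismatch` while the direct pair reports `good`, the file marked as differing is the one the cache changed or served from an older archive state.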
