BADSIG return from GPG on archive.ubuntu.com

Bug #11259 reported by Henrý Þór Baldursson
Affects: apt (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Michael Vogt

Bug Description

Ok this is starting to annoy me.

I don't know why, but right now every time I run "apt-get update" I get this:

    $ sudo apt-get update
    Password:
    Get:1 http://archive.ubuntu.com hoary Release.gpg [189B]
    Get:2 http://archive.ubuntu.com hoary-security Release.gpg [189B]
    Get:3 http://archive.ubuntu.com hoary Release [16.5kB]
    Ign http://archive.ubuntu.com hoary Release
    Get:4 http://archive.ubuntu.com hoary-security Release [14.0kB]
    Ign http://archive.ubuntu.com hoary-security Release
    Get:5 http://archive.ubuntu.com hoary/main Packages [383kB]
    Hit http://archive.ubuntu.com hoary/restricted Packages
    Get:6 http://archive.ubuntu.com hoary/universe Packages [2210kB]
    Hit http://archive.ubuntu.com hoary-security/main Packages
    Fetched 2623kB in 24s (109kB/s)
    Reading Package Lists... Done
    W: GPG error: http://archive.ubuntu.com hoary Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
    W: GPG error: http://archive.ubuntu.com hoary-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
    W: You may want to run apt-get update to correct these problems
    $

First, how obtuse is it for apt-get update to fail and then suggest I run apt-get update to remedy the problem? I know I can still just do "apt-get dist-upgrade" and it will work, assuming I enter 'y' at the "are you sure archive.ubuntu.com hasn't been compromised and is now releasing trojans?" proviso. But the thing is, I am not. So I set about trying to figure out a workaround. And the only way I've found to remedy the problem is by removing the contents of /var/lib/apt/lists and /var/lib/apt/lists/partial. After doing that, apt-get update completes, no problem. And then I can dist-upgrade without answering that question. And I would be happy with this workaround if it worked. Because then someone commits a new package, and I update again, and this happens... again. Now I've gone and purged the lists dir 3 times to work around it, and I'd just like to know what the matter is and if anyone else is having this problem.

FYI my /etc/apt/trusted.gpg computes to:
    5f942e58b054394b27ee24cf49076bdb /etc/apt/trusted.gpg

Michael Vogt (mvo) wrote:

Thanks for this bug report.

If you can reproduce the problem easily, can you please run:
"apt-get update -o Debug::pkgAcquire::Auth=true"
and attach the output here?

I'm not able to reproduce the problem here and I verified that the md5sum of
your key is correct.

Henrý Þór Baldursson (henry-baldursson) wrote:

(In reply to comment #1)
> Thanks for this bug report.
>
> If you can reproduce the problem easily, can you please run:
> "apt-get update -o Debug::pkgAcquire::Auth=true"
> and attach the output here?
>
> I'm not able to reproduce the problem here and I verified that the md5sum of
> your key is correct.
>
Sure, here it is, albeit the command was run at a time when I'm fairly certain my lists were synched with the repository, i.e. I had already done an apt-get update that didn't checksum:
henry@ubuntu ~ $ sudo apt-get update -o Debug::pkgAcquire::Auth=true
Password:
Get:1 http://archive.ubuntu.com hoary Release.gpg [189B]
Get:2 http://archive.ubuntu.com hoary-security Release.gpg [189B]
99% [Working]Metaindex acquired, queueing gpg verification
(/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg,/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary_Release)
Hit http://archive.ubuntu.com hoary Release
Ign http://archive.ubuntu.com hoary Release
98% [Waiting for headers]Metaindex acquired, queueing gpg verification
(/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg,/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary-security_Release)
Hit http://archive.ubuntu.com hoary-security Release
Ign http://archive.ubuntu.com hoary-security Release
Hit http://archive.ubuntu.com hoary/main Packages
Hit http://archive.ubuntu.com hoary/restricted Packages
Hit http://archive.ubuntu.com hoary/universe Packages
Hit http://archive.ubuntu.com hoary-security/main Packages
Fetched 2B in 0s (3B/s)
Reading Package Lists... Done
W: GPG error: http://archive.ubuntu.com hoary Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
W: GPG error: http://archive.ubuntu.com hoary-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
W: You may want to run apt-get update to correct these problems
henry@ubuntu ~ $

I also tried manually verifying the signatures with gpg, although I'm not
familiar with gpg's output:

root@ubuntu /var/lib/apt/lists # gpg --verbose --verbose --no-default-keyring
--keyring /etc/apt/trusted.gpg --verify
./partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg
./archive.ubuntu.com_ubuntu_dists_hoary_Release
gpg: WARNING: unsafe ownership on configuration file "/home/henry/.gnupg/gpg.conf"
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
:signature packet: algo 17, keyid 40976EAF437D05B5
        version 3, created 1103301252, md5len 5, sigclass 00
        digest algo 2, begin of digest 11 c4
        data: [160 bits]
        data: [159 bits]
gpg: Signature made Fri Dec 17 16:34:12 2004 GMT using DSA key ID 437D05B5
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key
<email address hidden>"
gpg: binary signature, digest algorithm SHA1
root@ubuntu /var/lib/apt/lists # gpg --verbose --verbose --no-default-keyring
--keyring /etc/apt/trusted.gpg --verify
./partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg
./archive.ubuntu.com_ubuntu_dists_hoary-...


Philip Joseph (jedipj) wrote:

Hi,

I am also getting the same error with the Synaptic Package Manager.

W: GPG error: http://archive.ubuntu.com hoary Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
W: GPG error: http://security.ubuntu.com hoary-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

regards,
Philip

Michael Vogt (mvo) wrote:

Thanks for the additional information. I'm unable to reproduce the problem here. Can you please attach the output of "apt-get update -o Debug::pkgAcquire=true" to the bug report? Is there anything unusual about your setup? A proxy? A non-Intel architecture?

Can you also send me a copy of the:
archive.ubuntu.com_ubuntu_dists_hoary_Release
archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg
files in /var/lib/apt/lists/?

thanks,
 Michael

Henrý Þór Baldursson (henry-baldursson) wrote:

Created an attachment (id=920)
An APT repository package list

Henrý Þór Baldursson (henry-baldursson) wrote:

Created an attachment (id=921)
An APT repository package list's detached GPG signature

Henrý Þór Baldursson (henry-baldursson) wrote:

(In reply to comment #4)
> Thanks for the additional information. I'm unable to reproduce the problem here.
> Can you please attach the output of "apt-get update -o Debug::pkgAcquire=true"
> to the bug report? Is there anything unusual about your setup? A proxy? A
> non-Intel architecture?
In fact I am using a non-caching HTTP proxy that uses authentication. The software's name is Polipo, and I configured it via Acquire::http::Proxy in /etc/apt/apt.conf. It has worked fine, though, until recently.
Oh, and also, since the repository has been updated, I have new debug output:

-- Excerpt begin

henry@ubuntu ~ $ sudo apt-get update -o Debug::pkgAcquire=true
Fetching http://archive.ubuntu.com/ubuntu/dists/hoary/Release.gpg
 to /var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg
Queue is: http:archive.ubuntu.com
Fetching http://archive.ubuntu.com/ubuntu/dists/hoary-security/Release.gpg
 to
/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg
 Queue is: http:archive.ubuntu.com
Get:1 http://archive.ubuntu.com hoary Release.gpg [189B]
Dequeuing
/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg
Dequeuing
/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg
Fetching http://archive.ubuntu.com/ubuntu/dists/hoary/Release
 to /var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release
 Queue is: http:archive.ubuntu.com
Get:2 http://archive.ubuntu.com hoary-security Release.gpg [189B]
Dequeuing
/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg
Dequeuing
/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg
Fetching http://archive.ubuntu.com/ubuntu/dists/hoary-security/Release
 to
/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release
 Queue is: http:archive.ubuntu.com
Get:3 http://archive.ubuntu.com hoary Release [16.5kB]
2% [3 Release 0/16.5kB 0%]Dequeuing
/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release
Dequeuing /var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release
Fetching
gpgv:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg
 to /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary_Release
 Queue is: gpgv
99% [3 Release gpgv 16462] [Waiting for headers]Dequeuing
/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary_Release
Fetching http://archive.ubuntu.com/ubuntu/dists/hoary/main/binary-i386/Packages.bz2
 to
/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_main_binary-i386_Packages
 Queue is: http:archive.ubuntu.com
Fetching
http://archive.ubuntu.com/ubuntu/dists/hoary/restricted/binary-i386/Packages.bz2
 to
/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_restricted_binary-i386_Packages
 Queue is: http:archive.ubuntu.com
Fetching
http://archive.ubuntu.com/ubuntu/dists/hoary/universe/binary-i386/Packages.bz2
 to
/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_universe_binary-i386_Packages
 Queue is: http:archive.ubuntu.com
Ign http://archive.ubuntu.com hoary Release
Get:4 http://archive.ubuntu.com hoary-security Re...


Michael Vogt (mvo) wrote:

Thanks for this additional information.
When I verify the signature of the attached Release.gpg file (with "gpg --verify --keyring /etc/apt/trusted.gpg Release.gpg Release"), I get the output:

gpg: Signature made Fr 17 Dez 2004 17:34:12 CET using DSA key ID 437D05B5
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key <email address hidden>"

The date (17.12) is way too old. The signature should be only some hours old. I would love to know if your problem goes away if you tell apt not to use the proxy (if possible).

thanks,
 Michael

Henrý Þór Baldursson (henry-baldursson) wrote:

(In reply to comment #8)
> The date (17.12) is way too old. The signature should be only some hours old. I
> would love to know if your problem goes away if you tell apt not to use the proxy
> (if possible).
Yeah, I've tried that with the same results. However, I got to thinking about one thing, which is: why are the detached .gpg signatures located in partial/ anyway? That might be proxy related. Since the proxy software I use is not very advanced, it is conceivable it might just close its socket to the client without completing the HTTP protocol under some circumstances. So then we come to what I think apt's problem is. Apt might see the .gpg file as being partially complete and try to finish downloading it, and since it's usually the same or similar size it'd either get a nil download or a failure. At the very least apt should delete any detached signatures it sees in partial/, since the files aren't timestamped, they are not static, and they're too small to warrant partial downloads.

Matt Zimmerman (mdz) wrote:

The file is left behind in partial/ so that it can be used to easily debug
failures (as you did here).

Philip Joseph (jedipj) wrote:

Hi,

I was able to resolve the error by removing the files from the partial directory and reloading the lists. I am using synaptic (apt) over a caching proxy.

regards,
Philip

Michael Vogt (mvo) wrote:

We could just delete any partially downloaded signature file in partial/ before trying to fetch a new one.

I'm unsure if this is enough to work around broken caches, as apt will move the Release.gpg file in lists/ into lists/partial before it starts the fetching.

If a file is found in partial, apt will send an HTTP range request with the missing range and an If-Range: header with the mtime of the file. Apt also sends a "Cache-Control: max-age=0" by default for index files (such as Release.gpg). This should force the cache to revalidate its entry. So in theory, even for old files in partial/, a cache should return the correct file.

Did your problems go away completely after you removed the Release.gpg file from the partial directory? If so, I think we should apply the workaround to remove any Release.gpg files in partial/ before trying to fetch the new ones.

thanks,
 Michael
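
As an added example (not code from the bug report, from apt, or from the proxies involved), the Python below models the resume behaviour Michael describes and the splicing failure Henrý suspects: a stale partial Release.gpg is resumed with a Range request, a compliant origin honours If-Range and sends the whole new file, while a cache that honours Range but ignores If-Range returns bytes of the newer signature, producing a spliced blob that can verify against neither signature; deleting the stale file and fetching whole avoids this even behind that cache. The signature contents, mtimes and cache behaviours are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed stand-ins for two successive detached signatures of one Release file:
# same length (real Release.gpg files are ~189 bytes) but different contents.
OLD_SIG = b"-----BEGIN PGP SIGNATURE-----\n" + b"OLD-" * 40 + b"\n-----END PGP SIGNATURE-----\n"
NEW_SIG = b"-----BEGIN PGP SIGNATURE-----\n" + b"NEW-" * 40 + b"\n-----END PGP SIGNATURE-----\n"
OLD_MTIME, NEW_MTIME = 1103301252, 1103900000  # constructed Last-Modified validators

@dataclass
class Response:
    status: int  # 200 = full body, 206 = Partial Content
    body: bytes

Server = Callable[[int, int], Response]  # (range_start, If-Range mtime) -> Response

def compliant_origin(range_start: int, if_range: int) -> Response:
    """RFC 2616 If-Range: serve the range only while the validator still matches."""
    if if_range == NEW_MTIME:
        return Response(206, NEW_SIG[range_start:])
    return Response(200, NEW_SIG)  # file changed: send it whole

def range_only_cache(range_start: int, if_range: int) -> Response:
    """Cache that honours Range but ignores If-Range (the failure mode suspected here)."""
    return Response(206, NEW_SIG[range_start:])

def apt_resume(partial: bytes, partial_mtime: int, server: Server) -> bytes:
    """Pre-fix behaviour: whatever sits in partial/ is resumed with Range + If-Range."""
    resp = server(len(partial), partial_mtime)
    return partial + resp.body if resp.status == 206 else resp.body

def apt_fetch_fresh(server: Server) -> bytes:
    """Fixed behaviour: the stale Release.gpg in partial/ is deleted, then fetched whole."""
    return server(0, 0).body

def signature_intact(blob: bytes) -> bool:
    """Stand-in for gpgv: only an unspliced signature file can verify."""
    return blob in (OLD_SIG, NEW_SIG)

if __name__ == "__main__":
    stale_partial = OLD_SIG[:100]  # old signature cut short by a proxy that dropped the socket
    for label, blob in (("compliant origin", apt_resume(stale_partial, OLD_MTIME, compliant_origin)),
                        ("range-only cache", apt_resume(stale_partial, OLD_MTIME, range_only_cache)),
                        ("range-only cache after fix", apt_fetch_fresh(range_only_cache))):
        print(f"{label:28s} {'GOODSIG' if signature_intact(blob) else 'BADSIG'}")
```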

Michael Vogt (mvo) wrote:

to #11 From Philip Joseph:

1. does removing the files in partial solve your problem permanently?
2. what proxy do you use?

thanks,
 Michael

Philip Joseph (jedipj) wrote:

Today I had the same problem again, as the internet connection was slow. After I got the warning, I removed the *.gpg from partial and reloaded the lists. This fixed the issue.

1) It looks like removing the files from partial and reloading the lists fixes the issue.
2) I think we have an ISA (Internet Security and Acceleration Server, Windows) proxy server. (Not very sure, as I work for a large company and it is maintained by a separate group.)

Henrý Þór Baldursson (henry-baldursson) wrote:

(In reply to comment #12)
> Did your problems go away completely after you removed the Release.gpg file from
> the partial directory? If so, I think we should apply the workaround to remove
> any Release.gpg files in partial/ before trying to fetch the new ones.
No, the problem re-emerges every once in a while. Cleaning partial/ helps as a
quick fix there, though.

Michael Vogt (mvo) wrote:

(In reply to comment #15)
> (In reply to comment #12)
> > Did your problems go away completely after you removed the Release.gpg file from
> > the partial directory? If so, I think we should apply the workaround to remove
> > any Release.gpg files in partial/ before trying to fetch the new ones.
> No, the problem re-emerges every once in a while. Cleaning partial/ helps as a
> quick fix there, though.

I uploaded a version of apt that tries to work around your problem. Please check:
http://people.ubuntulinux.org/~mvo/apt/apt-proxy-fix/

and tell me if it permanently fixes your problem.

thanks,
 Michael

Philip Joseph (jedipj) wrote:

I installed the updated packages and tried it. It seems to be working. The first time, it gave the badsig warning and had files in the partial dir. Retrying did not give the badsig warning and there were no files in partial.

Thanks,
Philip

Matt Zimmerman (mdz) wrote:

Merged into apt 0.6.29 and uploaded to hoary

Henrý Þór Baldursson (henry-baldursson) wrote:

(In reply to comment #16)
> I uploaded a version of apt that tries to work around your problem. Please check:
> http://people.ubuntulinux.org/~mvo/apt/apt-proxy-fix/
>
> and tell me if it permanently fixes your problem.
It seems to work. Don't know if it will be permanent, though :)

But for now, I'll close the bug.

I see apt and apt-utils 0.6.29 have been released. Is this patch a part of that
release?

Thanks for the work :)

Matt Zimmerman (mdz) wrote:

(In reply to comment #19)
> I see apt and apt-utils 0.6.29 have been released. Is this patch a part of that
> release?

Yes, as can be seen from the changelog (/usr/share/doc/apt/changelog.gz)
