(In reply to comment #1)
> Thanks for this bugreport.
>
> If you can reproduce the problem easily, can you please run:
> "apt-get update -o Debug::pkgAcquire::Auth=true"
> and attach the output here?
>
> I'm not able to reproduce the problem here and I verified that the md5sum of
> your key is correct.
>
Sure, here it is, albeit the command is run at a time when I'm fairly certain
that at the time my lists were synched with the repository, i.e. I had already
done an apt-get update that didn't checksum:
henry@ubuntu ~ $ sudo apt-get update -o Debug::pkgAcquire::Auth=true
Password:
Get:1 http://archive.ubuntu.com hoary Release.gpg [189B]
Get:2 http://archive.ubuntu.com hoary-security Release.gpg [189B]
99% [Working]Metaindex acquired, queueing gpg verification
(/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg,/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary_Release)
Hit http://archive.ubuntu.com hoary Release
Ign http://archive.ubuntu.com hoary Release
98% [Waiting for headers]Metaindex acquired, queueing gpg verification
(/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg,/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary-security_Release)
Hit http://archive.ubuntu.com hoary-security Release
Ign http://archive.ubuntu.com hoary-security Release
Hit http://archive.ubuntu.com hoary/main Packages
Hit http://archive.ubuntu.com hoary/restricted Packages
Hit http://archive.ubuntu.com hoary/universe Packages
Hit http://archive.ubuntu.com hoary-security/main Packages
Fetched 2B in 0s (3B/s)
Reading Package Lists... Done
W: GPG error: http://archive.ubuntu.com hoary Release: The following signatures
were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key
<email address hidden>
W: GPG error: http://archive.ubuntu.com hoary-security Release: The following
signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic
Signing Key <email address hidden>
W: You may want to run apt-get update to correct these problems
henry@ubuntu ~ $
I also tried manually verifying the signatures with gpg, although I'm not
familiar with gpg's output:
root@ubuntu /var/lib/apt/lists # gpg --verbose --verbose --no-default-keyring
--keyring /etc/apt/trusted.gpg --verify
./partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg
./archive.ubuntu.com_ubuntu_dists_hoary_Release
gpg: WARNING: unsafe ownership on configuration file "/home/henry/.gnupg/gpg.conf"
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
:signature packet: algo 17, keyid 40976EAF437D05B5
version 3, created 1103301252, md5len 5, sigclass 00
digest algo 2, begin of digest 11 c4
data: [160 bits]
data: [159 bits]
gpg: Signature made Fri Dec 17 16:34:12 2004 GMT using DSA key ID 437D05B5
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key
<email address hidden>"
gpg: binary signature, digest algorithm SHA1
root@ubuntu /var/lib/apt/lists # gpg --verbose --verbose --no-default-keyring
--keyring /etc/apt/trusted.gpg --verify
./partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg
./archive.ubuntu.com_ubuntu_dists_hoary-security_Release
gpg: WARNING: unsafe ownership on configuration file "/home/henry/.gnupg/gpg.conf"
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
:signature packet: algo 17, keyid 40976EAF437D05B5
version 3, created 1103301253, md5len 5, sigclass 00
digest algo 2, begin of digest 6f 3b
data: [159 bits]
data: [160 bits]
gpg: Signature made Fri Dec 17 16:34:13 2004 GMT using DSA key ID 437D05B5
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key
<email address hidden>"
gpg: binary signature, digest algorithm SHA1
root@ubuntu /var/lib/apt/lists # gpg --verbose --verbose --no-default-keyring
--keyring /etc/apt/trusted.gpg --verify
./partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg
./archive.ubuntu.com_ubuntu_dists_hoary-security_Release
gpg: WARNING: unsafe ownership on configuration file "/home/henry/.gnupg/gpg.conf"
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
:signature packet: algo 17, keyid 40976EAF437D05B5
version 3, created 1103301253, md5len 5, sigclass 00
digest algo 2, begin of digest 6f 3b
data: [159 bits]
data: [160 bits]
gpg: Signature made Fri Dec 17 16:34:13 2004 GMT using DSA key ID 437D05B5
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key
<email address hidden>"
gpg: binary signature, digest algorithm SHA1
root@ubuntu /var/lib/apt/lists #
Thanks for looking into this;
Henry.
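
Added example, not part of the original comment or of apt: a small Python parser that turns `apt-get update -o Debug::pkgAcquire::Auth=true` output like the log above into one record per rejected suite, pairing each warning with the signature file and signed file apt queued for verification. The function name, field names and the sample text are constructed for illustration.

```python
import re

# Constructed sample modelled on the apt-get output quoted in the comment
# above, keeping the terminal's line wrapping.
SAMPLE = """\
99% [Working]Metaindex acquired, queueing gpg verification
(/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg,/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary_Release)
98% [Waiting for headers]Metaindex acquired, queueing gpg verification
(/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg,/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary-security_Release)
W: GPG error: http://archive.ubuntu.com hoary Release: The following signatures
were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key
W: GPG error: http://archive.ubuntu.com hoary-security Release: The following
signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic
Signing Key
W: You may want to run apt-get update to correct these problems
"""

QUEUED = re.compile(r"queueing gpg verification\s*\(([^,()\s]+),([^,()\s]+)\)")
# apt relays the status keyword (BADSIG here) followed by the 16-hex key ID.
GPG_ERR = re.compile(
    r"^W: GPG error: (\S+) (\S+) Release: .*?\b([A-Z_]+) ([0-9A-F]{16})\b")


def parse_apt_auth_log(text):
    """Return one finding per suite whose Release signature apt rejected."""
    pairs = QUEUED.findall(text)
    findings = []
    # A warning may wrap over several lines: cut the log at each "W: " and
    # collapse whitespace so every warning is matched as a single line.
    for record in re.split(r"(?m)^(?=W: )", text):
        m = GPG_ERR.match(" ".join(record.split()))
        if not m:
            continue
        uri, suite, status, keyid = m.groups()
        sig, data = next(
            ((s, d) for s, d in pairs if d.endswith(f"_dists_{suite}_Release")),
            (None, None))
        findings.append({
            "uri": uri, "suite": suite, "status": status, "keyid": keyid,
            "signature_file": sig, "signed_file": data,
            # Descriptive only: the signature is under partial/ while the
            # file it was checked against is not.
            "sig_in_partial_only": bool(sig) and "/partial/" in sig
                                   and "/partial/" not in data,
        })
    return findings

if __name__ == "__main__":
    for finding in parse_apt_auth_log(SAMPLE):
        print(finding)
```
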