Ubuntu
apt package

Bug #11259
Comment #2

Comment 2 for bug 11259

Revision history for this message

Henrý Þór Baldursson (henry-baldursson) wrote on 2004-12-21:

(In reply to comment #1)
> Thanks for this bugreport.
>
> If you can reproduce the problem easily, can you please run:
> "apt-get update -o Debug::pkgAcquire::Auth=true"
> and attach the output here?
>
> I'm not able to reproduce the problem here and I verified that the md5sum of
> your key is correct.
>
Sure, here it is, albeit the command is run at a time when I'm fairly certain
that at the time my lists was synched with the repository, ie I had already
done an apt-get update that didn't checksum:
henry@ubuntu ~ $ sudo apt-get update -o Debug::pkgAcquire::Auth=true
Password:
Get:1 http://archive.ubuntu.com hoary Release.gpg [189B]
Get:2 http://archive.ubuntu.com hoary-security Release.gpg [189B]
99% [Working]Metaindex acquired, queueing gpg verification
(/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg,/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary_Release)
Hit http://archive.ubuntu.com hoary Release
Ign http://archive.ubuntu.com hoary Release
98% [Waiting for headers]Metaindex acquired, queueing gpg verification
(/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg,/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary-security_Release)
Hit http://archive.ubuntu.com hoary-security Release
Ign http://archive.ubuntu.com hoary-security Release
Hit http://archive.ubuntu.com hoary/main Packages
Hit http://archive.ubuntu.com hoary/restricted Packages
Hit http://archive.ubuntu.com hoary/universe Packages
Hit http://archive.ubuntu.com hoary-security/main Packages
Fetched 2B in 0s (3B/s)
Reading Package Lists... Done
W: GPG error: http://archive.ubuntu.com hoary Release: The following signatures
were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key
<email address hidden>
W: GPG error: http://archive.ubuntu.com hoary-security Release: The following
signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic
Signing Key <email address hidden>
W: You may want to run apt-get update to correct these problems
henry@ubuntu ~ $

I also tried manually verifying the signatures with gpg, although I'm not
familiar with gpg's output:

root@ubuntu /var/lib/apt/lists # gpg --verbose --verbose --no-default-keyring
--keyring /etc/apt/trusted.gpg --verify
./partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg
./archive.ubuntu.com_ubuntu_dists_hoary_Release
gpg: WARNING: unsafe ownership on configuration file "/home/henry/.gnupg/gpg.conf"
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
:signature packet: algo 17, keyid 40976EAF437D05B5
        version 3, created 1103301252, md5len 5, sigclass 00
        digest algo 2, begin of digest 11 c4
        data: [160 bits]
        data: [159 bits]
gpg: Signature made Fri Dec 17 16:34:12 2004 GMT using DSA key ID 437D05B5
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key
<email address hidden>"
gpg: binary signature, digest algorithm SHA1
root@ubuntu /var/lib/apt/lists # gpg --verbose --verbose --no-default-keyring
--keyring /etc/apt/trusted.gpg --verify
./partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg
./archive.ubuntu.com_ubuntu_dists_hoary-security_Release
gpg: WARNING: unsafe ownership on configuration file "/home/henry/.gnupg/gpg.conf"
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
:signature packet: algo 17, keyid 40976EAF437D05B5
        version 3, created 1103301253, md5len 5, sigclass 00
        digest algo 2, begin of digest 6f 3b
        data: [159 bits]
        data: [160 bits]
gpg: Signature made Fri Dec 17 16:34:13 2004 GMT using DSA key ID 437D05B5
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key
<email address hidden>"
gpg: binary signature, digest algorithm SHA1
root@ubuntu /var/lib/apt/lists # gpg --verbose --verbose --no-default-keyring
--keyring /etc/apt/trusted.gpg --verify
./partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg
./archive.ubuntu.com_ubuntu_dists_hoary-security_Release
gpg: WARNING: unsafe ownership on configuration file "/home/henry/.gnupg/gpg.conf"
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
:signature packet: algo 17, keyid 40976EAF437D05B5
        version 3, created 1103301253, md5len 5, sigclass 00
        digest algo 2, begin of digest 6f 3b
        data: [159 bits]
        data: [160 bits]
gpg: Signature made Fri Dec 17 16:34:13 2004 GMT using DSA key ID 437D05B5
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key
<email address hidden>"
gpg: binary signature, digest algorithm SHA1
root@ubuntu /var/lib/apt/lists #

Thanks for looking into this;
Henry.

(In reply to comment #1)
> Thanks for this bugreport. 
> 
> If you can reproduce the problem easily, can you please run:
> "apt-get update -o Debug::pkgAcquire::Auth=true"
> and attach the output here? 
> 
> I'm not able to reproduce the problem here and I verified that the md5sum of
> your key is correct.
> 
Sure, here it is, albeit the command is run at a time when I'm fairly certain
that at the time my lists was synched with the repository, ie I had already
done an apt-get update that didn't checksum:
henry@ubuntu ~ $ sudo apt-get update -o Debug::pkgAcquire::Auth=true
Password:
Get:1 http://archive.ubuntu.com hoary Release.gpg [189B]
Get:2 http://archive.ubuntu.com hoary-security Release.gpg [189B]
99% [Working]Metaindex acquired, queueing gpg verification
(/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg,/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary_Release)
Hit http://archive.ubuntu.com hoary Release
Ign http://archive.ubuntu.com hoary Release
98% [Waiting for headers]Metaindex acquired, queueing gpg verification
(/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg,/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_hoary-security_Release)
Hit http://archive.ubuntu.com hoary-security Release
Ign http://archive.ubuntu.com hoary-security Release
Hit http://archive.ubuntu.com hoary/main Packages
Hit http://archive.ubuntu.com hoary/restricted Packages
Hit http://archive.ubuntu.com hoary/universe Packages
Hit http://archive.ubuntu.com hoary-security/main Packages
Fetched 2B in 0s (3B/s)
Reading Package Lists... Done
W: GPG error: http://archive.ubuntu.com hoary Release: The following signatures
were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key
<ftpmaster@ubuntu.com>
W: GPG error: http://archive.ubuntu.com hoary-security Release: The following
signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic
Signing Key <ftpmaster@ubuntu.com>
W: You may want to run apt-get update to correct these problems
henry@ubuntu ~ $

I also tried manually verifying the signatures with gpg, although I'm not
familiar with gpg's output:

root@ubuntu /var/lib/apt/lists # gpg --verbose --verbose --no-default-keyring
--keyring /etc/apt/trusted.gpg --verify
./partial/archive.ubuntu.com_ubuntu_dists_hoary_Release.gpg
./archive.ubuntu.com_ubuntu_dists_hoary_Release
gpg: WARNING: unsafe ownership on configuration file "/home/henry/.gnupg/gpg.conf"
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
:signature packet: algo 17, keyid 40976EAF437D05B5
        version 3, created 1103301252, md5len 5, sigclass 00
        digest algo 2, begin of digest 11 c4
        data: [160 bits]
        data: [159 bits]
gpg: Signature made Fri Dec 17 16:34:12 2004 GMT using DSA key ID 437D05B5
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key
<ftpmaster@ubuntu.com>"
gpg: binary signature, digest algorithm SHA1
root@ubuntu /var/lib/apt/lists # gpg --verbose --verbose --no-default-keyring
--keyring /etc/apt/trusted.gpg --verify
./partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg
./archive.ubuntu.com_ubuntu_dists_hoary-security_Release
gpg: WARNING: unsafe ownership on configuration file "/home/henry/.gnupg/gpg.conf"
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
:signature packet: algo 17, keyid 40976EAF437D05B5
        version 3, created 1103301253, md5len 5, sigclass 00
        digest algo 2, begin of digest 6f 3b
        data: [159 bits]
        data: [160 bits]
gpg: Signature made Fri Dec 17 16:34:13 2004 GMT using DSA key ID 437D05B5
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key
<ftpmaster@ubuntu.com>"
gpg: binary signature, digest algorithm SHA1
root@ubuntu /var/lib/apt/lists # gpg --verbose --verbose --no-default-keyring
--keyring /etc/apt/trusted.gpg --verify
./partial/archive.ubuntu.com_ubuntu_dists_hoary-security_Release.gpg
./archive.ubuntu.com_ubuntu_dists_hoary-security_Release
gpg: WARNING: unsafe ownership on configuration file "/home/henry/.gnupg/gpg.conf"
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
:signature packet: algo 17, keyid 40976EAF437D05B5
        version 3, created 1103301253, md5len 5, sigclass 00
        digest algo 2, begin of digest 6f 3b
        data: [159 bits]
        data: [160 bits]
gpg: Signature made Fri Dec 17 16:34:13 2004 GMT using DSA key ID 437D05B5
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key
<ftpmaster@ubuntu.com>"
gpg: binary signature, digest algorithm SHA1
root@ubuntu /var/lib/apt/lists #

Thanks for looking into this;
Henry.

Ubuntuapt package

Comment 2 for bug 11259

Ubuntu
apt package