Why are the proposed BADSIG (on apt-get update) fixes secure?

Posted by EvanED on Ask Ubuntu See other posts from Ask Ubuntu or by EvanED
Published on 2012-09-03T03:48:47Z Indexed on 2012/09/04 3:49 UTC
Read the original article Hit count: 176

Filed under:

apt

I'm running apt-get update, and I see errors like

W: GPG error: http://us.archive.ubuntu.com precise Release: 
The following signatures were invalid: 
BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <[email protected]>

It's not hard to find instructions on how to fix these problems, for instance by asking for the new keys with apt-key adv --recv-keys or rebuilding the cache; so I'm not asking about how to fix these.

But why is this the right thing to do? Why is "oh, I need new keys? Cool, go get new keys" not just defeating the purpose of having a signed repository in the first place? Are the keys signed by a master key that apt-key checks? Should we be doing some additional validation to ensure that we're getting legitimate keys?

Related posts about apt

How to remove a package entirely?

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Hi I'm quite new to Linux, but before using it I was hearing that Windows programs, after uninstallation, leaves a lot of remains on the hard disc, and Linux removes all. I'm using Ubuntu 10.04. To uninstall packages I'm using sudo apt-get autoremove application_name or sudo aptitude purge application_name… >>> More
apt-get install fails due to dependency issues but apt-get -f install won't fix it

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I've just installed Ubuntu 12.04 and was about to manually install Rawstudio with the packages from SourceForge repo, but I've been stuck with dependency issues and I am short on apt command lines to sort this out. Here's the report I'v got : installArchives() failed: dpkg: dependency problems… >>> More
APT: Hold packages back from updates without APT Pin

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I know about pinning packages with APT; that's not what I want to do. Other questions have been answered with either using pinning or by using pins temporarily. I don't want to do this... What I want to do is keep packages back the same way the kernel has been: # apt-get upgrade Reading package… >>> More
Problem bash completion apt-get 12.10

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I've got an annoying problem with completion and sudo apt-get. To give an example: $ sudo apt-get in[Tab][Tab] in intel_bios_reader includeres intel_disable_clock_gating indicator-multiload intel_dpio_read info intel_dpio_write infobrowser… >>> More
apt-get update error after removing apt-key

as seen on Server Fault - Search for 'Server Fault'
After Running apt-get update on ubuntu 10.04 server, I found this issue, Can any help me to solve this issue. Before this I had remove apt-key. Where can I get this apt-key to add it again. apt-get update Get:1 http://security.ubuntu.com lucid-security Release.gpg [198B] Ign http://security.ubuntu… >>> More

Developer IT

Why are the proposed BADSIG (on apt-get update) fixes secure? - Developer IT

Why are the proposed BADSIG (on apt-get update) fixes secure?

apt

Related posts about apt

How to remove a package entirely?

apt-get install fails due to dependency issues but apt-get -f install won't fix it

APT: Hold packages back from updates without APT Pin

Problem bash completion apt-get 12.10

apt-get update error after removing apt-key

Categories cloud