[Bug 1163745] [NEW] GPG error: http://security.ubuntu.com quantal-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>

Digulla-hepe 1163745 at bugs.launchpad.net
Wed Apr 3 07:32:46 UTC 2013


*** This bug is a security vulnerability ***

Public security bug reported:

When running "apt-get update", I see these warnings:

Reading package lists... Error!
W: GPG error: http://security.ubuntu.com quantal-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
W: GPG error: http://ch.archive.ubuntu.com quantal-updates Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>

Following the advice on http://askubuntu.com/questions/131601/how-to-overcome-signature-verification-error
I deleted the lists and updated again but the error persists.

I also tried to add the key:

> apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /tmp/tmp.MhtBtqxmAw --trustdb-name /etc/apt//trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5
gpg: requesting key 437D05B5 from hkp server keyserver.ubuntu.com
gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

So the key seems to be installed already and it seems to be correct.

What should I do next?

PS: I flagged this as security vulnerability since it prevents me from
installing security updates.

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1163745

Title:
  GPG error: http://security.ubuntu.com quantal-security Release: The
  following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu
  Archive Automatic Signing Key <ftpmaster at ubuntu.com>

Status in “apt” package in Ubuntu:
  New

Bug description:
  When running "apt-get update", I see these warnings:

  Reading package lists... Error!
  W: GPG error: http://security.ubuntu.com quantal-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
  W: GPG error: http://ch.archive.ubuntu.com quantal-updates Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>

  Following the advice on http://askubuntu.com/questions/131601/how-to-overcome-signature-verification-error
  I deleted the lists and updated again but the error persists.

  I also tried to add the key:

  > apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5
  Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /tmp/tmp.MhtBtqxmAw --trustdb-name /etc/apt//trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5
  gpg: requesting key 437D05B5 from hkp server keyserver.ubuntu.com
  gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>" not changed
  gpg: Total number processed: 1
  gpg:              unchanged: 1

  So the key seems to be installed already and it seems to be correct.

  What should I do next?

  PS: I flagged this as security vulnerability since it prevents me from
  installing security updates.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1163745/+subscriptions




More information about the foundations-bugs mailing list