[Bug 1649097] Re: any source package signature is not valid
Seth Arnold
1649097 at bugs.launchpad.net
Tue Dec 13 19:49:59 UTC 2016
Vyacheslav, as long as your APT is properly configured, sources
downloaded with apt-get source are trusted via the same mechanism used
for binary packages.
If you attempt to download modified contents you'll get error messages
like this:
$ apt-get source dash
Reading package lists... Done
NOTICE: 'dash' packaging is maintained in the 'Git' version control system at:
http://smarden.org/git/dash.git/
Please use:
git clone http://smarden.org/git/dash.git/
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 299 kB of source archives.
Get:1 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (dsc) [1,882 B]
Get:2 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (tar) [223 kB]
Get:3 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (diff) [73.8 kB]
Err:3 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (diff)
Hash Sum mismatch
Fetched 299 kB in 0s (10.4 MB/s)
E: Failed to fetch http://mirrors.kernel.org/ubuntu/pool/main/d/dash/dash_0.5.8-2.3ubuntu1.diff.gz Hash Sum mismatch
E: Failed to fetch some archives.
If you want to additionally verify the signature in the .dsc file for whichever developer uploaded the package to the build servers, you can do so:
sarnold@hunt:/tmp$ gpg --verify dash_0.5.8-2.3ubuntu1.dsc
gpg: Signature made Thu 28 Jul 2016 05:24:26 AM PDT
gpg: using RSA key BD7EAA60778FA6F5
gpg: Can't check signature: public key not found
sarnold@hunt:/tmp$ gpg --recv-key BD7EAA60778FA6F5
gpg: requesting key BD7EAA60778FA6F5 from hkp server keys.gnupg.net
gpg: key BD7EAA60778FA6F5: public key "Matthias Klose <doko@debian.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 24 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 24 signed: 19 trust: 20-, 0q, 0n, 4m, 0f, 0u
gpg: next trustdb check due at 2016-12-31
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
sarnold@hunt:/tmp$ gpg --verify dash_0.5.8-2.3ubuntu1.dsc
gpg: Signature made Thu 28 Jul 2016 05:24:26 AM PDT
gpg: using RSA key BD7EAA60778FA6F5
gpg: Good signature from "Matthias Klose <doko@debian.org>"
gpg:                 aka "Matthias Klose <doko@ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D565 71B8 8A8B BAF1 40BF 63D6 BD7E AA60 778F A6F5
sarnold@hunt:/tmp$
Thanks
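As an added illustration (not from this bug report and not apt's or dpkg's own code) of the check behind the "Hash Sum mismatch" error above: apt compares each downloaded source file against the checksums carried in the signed index, and dpkg-source then compares the tarball and diff against the Checksums-* fields inside the .dsc. The stanza, file names and file contents below are constructed for the example.

```python
import hashlib

# Constructed stand-ins for the real source files (names follow the dsc above).
ORIG_TAR = b"constructed stand-in for dash_0.5.8.orig.tar.gz\n"
DIFF = b"constructed stand-in for dash_0.5.8-2.3ubuntu1.diff.gz\n"
GOOD_FILES = {"dash_0.5.8.orig.tar.gz": ORIG_TAR,
              "dash_0.5.8-2.3ubuntu1.diff.gz": DIFF}
# Same length as DIFF with one byte changed: only the hash check catches it.
TAMPERED_FILES = dict(GOOD_FILES,
                      **{"dash_0.5.8-2.3ubuntu1.diff.gz": DIFF[:-1] + b"!"})


def build_dsc(files):
    """Build a minimal .dsc-style stanza (constructed, not a real upload)."""
    lines = ["Format: 1.0", "Source: dash", "Version: 0.5.8-2.3ubuntu1",
             "Checksums-Sha256:"]
    lines += [f" {hashlib.sha256(d).hexdigest()} {len(d)} {n}"
              for n, d in files.items()]
    lines.append("Package-List:")  # a following field ends the continuation lines
    return "\n".join(lines) + "\n"


def parse_checksums(stanza, field="Checksums-Sha256"):
    """Return {filename: (sha256 hex, size)} from one multi-line Checksums-* field."""
    expected, in_field = {}, False
    for line in stanza.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line.startswith(" "):  # continuation: digest size name
            digest, size, name = line.split()
            expected[name] = (digest, int(size))
        else:
            in_field = False
    return expected


def verify_files(expected, files):
    """Mirror the apt/dpkg check: every listed file must exist and match size and hash."""
    results = {}
    for name, (digest, size) in expected.items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "Hash Sum mismatch"
        else:
            results[name] = "ok"
    return results
```

Calling `verify_files(parse_checksums(build_dsc(GOOD_FILES)), TAMPERED_FILES)` reports the modified diff as a hash mismatch while the untouched tarball is still "ok"; a missing file is reported separately so the caller can tell truncation from tampering.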
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1649097
Title:
any source package signature is not valid
Status in apt package in Ubuntu:
New
Bug description:
In short:
The GPG key 105BE7F7, with which the 'linux' source package is signed,
was revoked on 08/16/16 (4 months ago!)
How to reproduce:
$ apt-get source linux-image-$(uname -r)
...
Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic'
...
Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 4.4.0-53.74 (tar) [133 MB]
...
gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc
...
### if you add this key:
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7
$ apt-key list
...
pub 4096R/105BE7F7 2011-09-06
uid Brad Figg <brad.figg@canonical.com>
sub 4096R/F336E4D5 2011-09-06
pub 4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16]
uid Brad Figg <brad.figg@canonical.com>
### THE KEY WAS REVOKED 4 MONTHS AGO!
### Additional info:
$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
### My unmodified /etc/apt/sources.list in attachment.
### Note, /etc/apt/sources.list.d/ directory is empty.