Florian Kulzer wrote:
> On Mon, Mar 24, 2008 at 04:29:47 +0000, Nick Boyce wrote:
>> Just wondering whether anyone here understands the cause of the "BADSIG"
>> error from "aptitude update"
>> [...]
> The usual suggested causes involve Debian mirrors in an inconsistent
> state while updating, broken packages, or corruptions in the package
> lists as a result of broken network connections.
> Those are all the innocent explanations I can think of. More paranoid
> explanations would go along the lines of someone trying to slip you
> doctored packages via a man-in-the-middle attack. However, in your case
> I think your proxy is the most likely culprit (see below).
Thanks very much for your very comprehensive answer - I understand it
would be most unlikely for there to be a genuine signing problem on
security.d.o, and I guess if an "inconsistent mirror" problem caused the
same trouble for everybody then it would be addressed.
I'm inclined to agree with you about our proxy having a caching problem,
and I like your suggestion of using 'wget' to flush the proxy's cache
before the 'aptitude update'. It seems odd however, that such a problem
could exist (big company, commercial web proxy), and be solvable by just
repeating the download.
I will try the investigations you suggest:
> You can put the IP addresses into your sources.list instead and check if
> the error is tied to one particular server:
> The next time when the problem appears, make a backup copy of
> /var/lib/apt/lists/security.debian.org_dists_etch_updates_Release.gpg
> and check if the file has changed after you rerun "apt-get update"
But I'm away from the office at the moment, and this won't be for a
couple of weeks.
> Maybe the caching behavior of your proxy for these files
> can be reconfigured.
The proxy itself is administered by a far-off group within our company
and it would be difficult for me to get any investigation done for this
particular problem - if there are no apparent caching problems for other
usages then Debian would probably be blamed :(
If I can assemble more evidence I'll try to contact them though.
> Does your nightly cronjob hit the server always at
> exactly the same time?
Yes - 03:10 (GMT) as I recall.
>> Anyway, what exactly seems to have been badly signed ? The error
>> message doesn't really make sense :
>>
>>> GPG error: http://security.debian.org etch/updates Release:
>>> The following signatures were invalid:
>>> BADSIG A70DAF536070D3A1 Debian Archive Automatic
>>> Signing Key (4.0/etch)
>>
> The message means that a bad signature was detected, which was
> (supposedly) made with the key number A70DAF536070D3A1.
FWIW, I still think the message could be clearer about the name of the
file whose signature failed to verify - thankfully you were able to tell me.
Thanks again.
Nick Boyce
--
Microsoft suggests that users "do not open or save Word files"
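The check Florian describes (back up the Release.gpg file, rerun the update, see whether it changed) as a script; this is an added example, not code from either poster. It assumes the list-file prefix for the etch security entry shown above, the Debian archive keyring at /usr/share/keyrings/debian-archive-keyring.gpg, and that gpgv is installed; it re-verifies the detached signature so a stale Release.gpg served next to a fresh Release (or the reverse) by a caching proxy shows up as the mismatch it is.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot the Release and Release.gpg
# files apt keeps for one archive entry, re-run the update, report which of
# the two came back changed, and re-check the detached signature with gpgv.
# Assumed (not from the thread): the list-file prefix and keyring path below.
set -eu

LISTS=/var/lib/apt/lists
PREFIX=security.debian.org_dists_etch_updates
KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg
SNAP=${TMPDIR:-/tmp}/apt-lists-snapshot

# Copy <prefix>_Release and <prefix>_Release.gpg into a snapshot directory.
# $1 = lists dir, $2 = file prefix, $3 = snapshot dir
snapshot_lists() {
    mkdir -p "$3"
    for f in Release Release.gpg; do
        if [ -f "$1/${2}_$f" ]; then cp "$1/${2}_$f" "$3/$f"; fi
    done
}

# Print the names of files that differ from the snapshot, one per line.
# Returns 0 when nothing changed, 1 when at least one file differs.
# $1 = lists dir, $2 = file prefix, $3 = snapshot dir
changed_files() {
    rc=0
    for f in Release Release.gpg; do
        if ! cmp -s "$3/$f" "$1/${2}_$f"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Verify the detached signature against the archive keyring, as apt does.
# $1 = lists dir, $2 = file prefix, $3 = keyring
verify_release() {
    gpgv --keyring "$3" "$1/${2}_Release.gpg" "$1/${2}_Release"
}

main() {
    snapshot_lists "$LISTS" "$PREFIX" "$SNAP"
    apt-get update || true          # keep going even if BADSIG is reported
    if changed_files "$LISTS" "$PREFIX" "$SNAP"; then
        echo "Release and Release.gpg unchanged since snapshot"
    fi
    verify_release "$LISTS" "$PREFIX" "$KEYRING" && echo "signature OK"
}

case "${1:-}" in run) main ;; esac   # run only when invoked with "run"
```

Invoke it as `sh check-badsig.sh run` around the time the cron job fires; a changed Release.gpg with an unchanged Release (or vice versa) plus a gpgv failure points at the proxy serving one stale file.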