Thanks for the bug report. This isn't as dire as it looks:
APT's security model is based on signed InRelease files that have sha256sums of all archive contents. In this case, the InRelease file will have a sha256sum for one of the Sources files, and that file will have a sha256sum for the linux source package files: Checksums-Sha256: 5c1141401c8f3468b2d5f71906aea181a8f7c9e195c4cc3252a085962bbf4f4d 9611 linux_4.4.0-53.74.dsc 730e75919b5d30a9bc934ccb300eaedfdf44994ca9ee1d07a46901c46c221357 132860730 linux_4.4.0.orig.tar.gz 5ad7a47f2bcb66858f26fb539e39e07724c676a8eca84239c850fa87c2900b0e 12162206 linux_4.4.0-53.74.diff.gz If these sha256sums don't match what was downloaded, apt itself would throw an error. All these files are in /var/lib/apt/lists/ . The .dsc file is signed by whoever uploads the package for building to our buildfarm. Developers' keys change all the time. It's still useful to have the .dsc file to see what the builders saw, regardless if the signature on the file is from an expired key or not. Now, where things get really interesting: You've used a 32 bit keyid to download the key from the keyservers. 32 bit keyids are not safe to use in this manner because it's relatively simple to generate keys with colliding 32 bit keyids. This was done for all keys in the 'strongly connected set' a few years ago, including Brad's key. When someone uploaded all these keys to the SKS keyservers, it was insanely confusing. So, the group that generated all the colliding keys generated revocation certificates for all the keys and uploaded them all, to kill them. So, your command to download the key by 32 bit keyid downloaded _two_ keys -- Brad's real key, "11D6 ADA3 D9E8 3D93 ACBD 837F 0C7B 589B 105B E7F7", is not revoked: $ gpg --check-sigs "11D6 ADA3 D9E8 3D93 ACBD 837F 0C7B 589B 105B E7F7" pub 4096R/0C7B589B105BE7F7 2011-09-06 uid Brad Figg <brad.f...@canonical.com> sig! 052F367018D5C3D8 2012-01-09 John Johansen <j...@jjmx.net> sig! 5759F35001AA4A64 2011-12-10 Steve Langasek <steve.langa...@canonical.com> sig! 3D76C845FA1447CA 2011-09-06 Tim Gardner (4K key) <tim.gard...@canonical.com> sig! 8972F4DFDC6DC026 2011-12-09 Kees Cook <k...@outflux.net> sig! 2F099E8D005E81F4 2011-12-09 Steve Beattie <st...@nxnw.org> sig-3 0C7B589B105BE7F7 2011-09-06 Brad Figg <brad.f...@canonical.com> sig!3 0C7B589B105BE7F7 2011-09-06 Brad Figg <brad.f...@canonical.com> sub 4096R/E79D7BDFF336E4D5 2011-09-06 sig! 0C7B589B105BE7F7 2011-09-06 Brad Figg <brad.f...@canonical.com> 1 bad signature 14 signatures not checked due to missing keys My output may look different from yours because I added this to my ~/.gnupg/gpg.conf file: keyid-format long For more information, see https://evil32.com/ Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1649097 Title: 'linux' source package signature is not valid To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
