LinuxQuestions.org


lawrence_lee_lee 12-19-2007 10:03 PM

I see this message when starting the Package Updater... What should I do?
 
Quote:

W: GPG error: http://hk.archive.ubuntu.com gutsy-updates Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
Is something horrible happening? What should I do?

blackhole54 12-19-2007 10:41 PM

Quote:

Originally Posted by lawrence_lee_lee (Post 2996518)
Is something horrible happening?

Maybe. Or rather, something horrible may have just been prevented.

The signature checking is in place to prevent something horrible from happening. Here is a technical explanation of "secure apt," which is a mechanism to make sure the files you download haven't been maliciously altered.

I'll try to summarize, glossing over most of the technical stuff. Quoting from the above link:

Quote:

A Debian archive contains a Release file, which is updated each time any of the packages in the archive change. Among other things, the Release file contains some MD5 sums of other files in the archive.
By comparing the MD5sums of downloaded files with those contained in the Release file, the authenticity of the downloaded files can be verified. (Not quite true, but that is a technical security discussion that I won't attempt here.) But that assumes that the Release file itself has not been tampered with. For that reason, the Release file is digitally signed with a gpg signature. (GPG is similar to Pretty Good Privacy (PGP)).

Your error message says something didn't match up here. It could be that something malicious has been attempted (but thwarted). More likely, it is an innocent mistake. But you should proceed as if it is malicious. (Err on the side of caution.)

If this is the first time you have seen this message, I would suggest that you just wait a day or two and see if it goes away by itself. Otherwise, I suggest you do a search over at UbuntuForums.org and see if there is already a discussion going on this. If this is a standard repository, you are probably not the only one getting this message.
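The checksum step described in the post above, as an added example that is not part of the original thread: it parses the checksum fields of a Release file and checks a downloaded index file against them. The sample Release and Packages contents are constructed, the function names are hypothetical, and the code assumes the Release file's GPG signature has already been verified separately.

```python
import hashlib

# Constructed sample data: a tiny Packages index and a Release file listing it.
PACKAGES = b"Package: example-pkg\nVersion: 1.0\n"
RELEASE = (
    "Suite: gutsy-updates\n"
    "MD5Sum:\n"
    f" {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-i386/Packages\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-i386/Packages\n"
)

# Release checksum field name -> hashlib algorithm name
ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """Return {field: {path: (hexdigest, size)}} for the checksum fields."""
    table, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):      # continuation line of a multi-line field
            if current is not None:
                digest, size, path = line.split()
                table[current][path] = (digest.lower(), int(size))
        else:                            # a new "Field: value" line
            name = line.split(":", 1)[0]
            current = name if name in ALGOS else None
            if current:
                table.setdefault(current, {})
    return table

def verify_index(release_text, path, data):
    """True only if data matches every checksum the Release file lists for path."""
    parsed = parse_release(release_text)
    entries = [(field, t[path]) for field, t in parsed.items() if path in t]
    if not entries:
        return False                     # file not listed in Release: fail closed
    for field, (digest, size) in entries:
        if len(data) != size:
            return False
        if hashlib.new(ALGOS[field], data).hexdigest() != digest:
            return False
    return True

if __name__ == "__main__":
    path = "main/binary-i386/Packages"
    print(verify_index(RELEASE, path, PACKAGES))           # unmodified index
    print(verify_index(RELEASE, path, PACKAGES + b"x"))    # altered index
```

A BADSIG error like the one in this thread is raised one step earlier, when the signature on the Release file itself does not verify, so none of the checksums in it can be trusted.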

lawrence_lee_lee 12-20-2007 12:37 AM

Thank you! Your explanation is clear and detailed. Thanks a lot! This eases my worry!

dasy2k1 12-21-2007 06:19 PM

if you are installing something from a repo try setting a different mirror,

it may be that that file on the mirror is corrupt

most likely situation is a corrupt file on the mirror or a corrupted download

kav 12-21-2007 07:52 PM

sometimes you just need to re-import the key

http://ubuntuforums.org/showthread.php?t=380294

