Yet another: apt-get key validation problem

haertig · 11-21-2006, 08:17 PM

Not problems with apt-get recently, until just now.

Today I started out getting three "missing key" errors on apt-get update (all three referencing A70DAF536070D3A1) and one "BADSIG" error (referencing 010908312D230C5F). So I addressed the missing key errors first:

Code:

# gpg --keyserver wwwkeys.eu.pgp.net --recv-keys A70DAF536070D3A1 && \
gpg --armor --export A70DAF536070D3A1 | apt-key add -
gpg: requesting key 6070D3A1 from hkp server wwwkeys.eu.pgp.net
gpg: key 6070D3A1: public key "Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
OK
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024R/1DB114E0 2004-01-15 [expired: 2005-01-27]
uid                  Debian Archive Automatic Signing Key (2004) <ftpmaster@debian.org>

pub   1024D/4F368D5D 2005-01-31 [expired: 2006-01-31]
uid                  Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>

pub   1024D/B5F5BBED 2005-04-24
uid                  Debian AMD64 Archive Key <debian-amd64@lists.debian.org>
sub   2048g/34FC6FE5 2005-04-24

pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
uid                  Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>

pub   1024D/1F41B907 1999-10-03
uid                  Christian Marillat <marillat@debian.org>
uid                  Christian Marillat <marillat@free.fr>
sub   1536g/C28DCC42 1999-10-03
sub   1024D/5D3877A7 2002-08-26

pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
uid                  Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>

So it looks like it successfully added the "Debian(4.0/etch)" key.

Tried the apt-get again, the missing key errors were gone (expected), and I still had the following BADSIG error (totally expected at this point):

Quote:

W: GPG error: http://mirrors.kernel.org unstable Release: The following signatures were invalid: BADSIG 010908312D230C5F Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>

OK, the BADSIG error is still there as expected (although I don't know why it just popped up all of a sudden). You can see that key in the original "apt-key list" listing above. This key has been working for quite a while, so why the BADSIG now?

Next I tried going after that BADSIG problem with a refresh-keys:

Code:

# gpg --keyserver wwwkeys.eu.pgp.net --refresh-keys && \
gpg --armor --export 010908312D230C5F | apt-key add -
gpg: refreshing 5 keys from hkp://wwwkeys.eu.pgp.net
gpg: requesting key 2D230C5F from hkp server wwwkeys.eu.pgp.net
gpg: requesting key 1F41B907 from hkp server wwwkeys.eu.pgp.net
gpg: requesting key F0D6B1E0 from hkp server wwwkeys.eu.pgp.net
gpg: requesting key 0A8AF5B8 from hkp server wwwkeys.eu.pgp.net
gpg: requesting key 6070D3A1 from hkp server wwwkeys.eu.pgp.net
gpg: key 2D230C5F: "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" 6 new signatures
gpgkeys: key F6BB1E9367C95074EB956F2C6DF25AB50A8AF5B8 not found on keyserver
gpg: key 1F41B907: "Christian Marillat <marillat@debian.org>" 28 new signatures
gpg: key F0D6B1E0: "TrueCrypt Foundation <info@truecrypt-foundation.org>" 9 new signatures
gpg: key 6070D3A1: "Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>" not changed
gpg: Total number processed: 4
gpg:              unchanged: 1
gpg:         new signatures: 43
gpg: no ultimately trusted keys found
OK

OK, so it appears to have added six new signatures to the "Debian(2006)" key.

Tried the apt-get again (this time expecting things to work), but encountered the same error. Tried it again (I know, usually a stupid thing to do!) and the error went away. Huh? Tried apt-get again, and the BADSIG error is back.

What gives? Is there something I'm missing???

---

I'm getting these errors intermittantly. Here are three apt-get's in a row, done within seconds of each other, with nothing else in between. The first one succeeded, the middle one failed, and then the third one succeeded!

Code:

# apt-get update
Ign file: debs/ Release.gpg
Ign file: debs/ Release
Ign file: debs/ Packages
Get:1 http://security.debian.org stable/updates Release.gpg [189B]
Get:2 http://ftp.debian.org unstable Release.gpg [378B]
Get:3 http://mirrors.kernel.org unstable Release.gpg [378B]
Get:4 http://ftp.us.debian.org unstable Release.gpg [378B]
Hit http://security.debian.org stable/updates Release
Hit http://ftp.debian.org unstable Release
Hit http://mirrors.kernel.org unstable Release
Hit http://ftp.us.debian.org unstable Release
Ign http://security.debian.org stable/updates/main Packages
Hit http://ftp.debian.org unstable/main Packages
Hit http://mirrors.kernel.org unstable/main Packages
Hit http://ftp.us.debian.org unstable/main Packages
Hit http://security.debian.org stable/updates/main Packages
Hit http://ftp.debian.org unstable/main Sources
Hit http://mirrors.kernel.org unstable/main Sources
Hit http://ftp.us.debian.org unstable/main Sources
Fetched 381B in 1s (342B/s)
Reading package lists... Done
# apt-get update
Ign file: debs/ Release.gpg
Ign file: debs/ Release
Ign file: debs/ Packages
Get:1 http://mirrors.kernel.org unstable Release.gpg [378B]
Get:2 http://ftp.debian.org unstable Release.gpg [378B]
Get:3 http://ftp.us.debian.org unstable Release.gpg [378B]
Get:4 http://security.debian.org stable/updates Release.gpg [189B]
Hit http://mirrors.kernel.org unstable Release
Ign http://mirrors.kernel.org unstable Release
Hit http://ftp.debian.org unstable Release
Hit http://ftp.us.debian.org unstable Release
Hit http://security.debian.org stable/updates Release
Hit http://mirrors.kernel.org unstable/main Packages
Hit http://ftp.debian.org unstable/main Packages
Hit http://ftp.us.debian.org unstable/main Packages
Ign http://security.debian.org stable/updates/main Packages
Hit http://mirrors.kernel.org unstable/main Sources
Hit http://ftp.debian.org unstable/main Sources
Hit http://ftp.us.debian.org unstable/main Sources
Hit http://security.debian.org stable/updates/main Packages
Fetched 381B in 0s (498B/s)
Reading package lists... Done
W: GPG error: http://mirrors.kernel.org unstable Release: The following signatures were invalid: BADSIG 010908312D230C5F Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>
W: You may want to run apt-get update to correct these problems
# apt-get update
Ign file: debs/ Release.gpg
Ign file: debs/ Release
Ign file: debs/ Packages
Get:1 http://mirrors.kernel.org unstable Release.gpg [378B]
Hit http://mirrors.kernel.org unstable Release
Get:2 http://ftp.us.debian.org unstable Release.gpg [378B]
Get:3 http://ftp.debian.org unstable Release.gpg [378B]
Get:4 http://security.debian.org stable/updates Release.gpg [189B]
Hit http://mirrors.kernel.org unstable/main Packages
Hit http://mirrors.kernel.org unstable/main Sources
Hit http://ftp.us.debian.org unstable Release
Hit http://ftp.debian.org unstable Release
Hit http://security.debian.org stable/updates Release
Hit http://ftp.us.debian.org unstable/main Packages
Hit http://ftp.debian.org unstable/main Packages
Ign http://security.debian.org stable/updates/main Packages
Hit http://ftp.us.debian.org unstable/main Sources
Hit http://ftp.debian.org unstable/main Sources
Hit http://security.debian.org stable/updates/main Packages
Fetched 381B in 1s (275B/s)
Reading package lists... Done

rickh · 11-21-2006, 08:46 PM

Normally ...

gpg --keyserver wwwkeys.eu.pgp.net --recv-keys XXXXXXXXXXXXXXXX && apt-key add /root/.gnupg/pubring.gpg && apt-get update

... will fix it. Substitute the missing key for XXXXXXXXXXXXXXXX

haertig · 11-21-2006, 10:18 PM

Quote:

Originally Posted by rickh

Normally ... will fix it.

That usually works for missing keys. However, my current problem is not a missing key. I have the key, but it is giving me a BADSIG error intermittantly. That "intermittant" part is the real bugger!

farslayer · 11-21-2006, 10:58 PM

Wonder if they are doing round-robin DNS load balancing on the server... is it every _other_ time you run update you get the bad sig ? if so it looks like there may be a problem on ONE of the servers they are using but not the other..

just a theory..

hrm but with local DNS cache I guess you r machine wouldn't be resolving the address every time...

Throw that theory out the window.. hrm..

haertig · 11-22-2006, 09:41 AM

Quote:

Originally Posted by farslayer

Throw that theory out the window.. hrm..

Actually, that's a very good theory. Could definitely be some load balancing issue causing the intermittancy (whether DNS round robin or other). It's not an exact "every other" failure pattern either. I had a one good, two bad, two good pattern last night after posting the last time.

I just tried again now. Five successful attempts in a row. No failures. So maybe whatever it was, it was intermittant on the server end ... and is now fixed. We'll see as time goes on. This has been only a minor problem, not really a "problem" ... more of just something to say "huh?" about.