Why are the proposed BADSIG (on apt-get update) fixes secure?

Posted by EvanED on Ask Ubuntu
Published on 2012-09-03T03:48:47Z

I'm running apt-get update, and I see errors like

    W: GPG error: http://us.archive.ubuntu.com precise Release:
    The following signatures were invalid:
    BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>

It's not hard to find instructions on how to fix these problems, for instance by asking for the new keys with apt-key adv --recv-keys or rebuilding the cache; so I'm not asking about how to fix these.

But why is this the right thing to do? Why is "oh, I need new keys? Cool, go get new keys" not just defeating the purpose of having a signed repository in the first place? Are the keys signed by a master key that apt-key checks? Should we be doing some additional validation to ensure that we're getting legitimate keys?

© Ask Ubuntu or respective owner
