I'm running apt-get update, and I see errors like W: GPG error: http://us.archive.ubuntu.com precise Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <[email protected]> It's not hard to find instructions on how to fix these problems, for instance by asking for the new keys with apt-key adv --recv-keys or rebuilding the cache; so I'm not asking about how to fix these. But why is this the right thing to do? Why is "oh, I need new keys? Cool, go get new keys" not just defeating the purpose of having a signed repository in the first place? Are the keys signed by a master key that apt-key checks? Should we be doing some additional validation to ensure that we're getting legitimate keys?