[Bug 1649097] Re: any source package signature is not valid
Vyacheslav
1649097 at bugs.launchpad.net
Tue Dec 13 21:03:30 UTC 2016
Arnold, do you mean, that source packages are cross-signed with official
Ubuntu key that are already in `apt-key list` after Ubuntu installation?
I understand that if 'Hash sum' check fails I get this kind of error
message, but what about, for instance, spoofing ubuntu.com domain by my
Internet provider and writing correct hash sum for modified contents
into .dsc file?
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1649097
Title:
any source package signature is not valid
Status in apt package in Ubuntu:
New
Bug description:
In short:
The GPG key 105BE7F7, with that 'linux' source package is signed,
revoked on 08/16/16 (4 months ago!)
How to reproduce:
$ apt-get source linux-image-$(uname -r)
...
Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic'
...
Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 4.4.0-53.74 (tar) [133 MB]
...
gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc
...
### if you add this key:
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7
$ apt-key list
...
pub 4096R/105BE7F7 2011-09-06
uid Brad Figg <brad.figg at canonical.com>
sub 4096R/F336E4D5 2011-09-06
pub 4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16]
uid Brad Figg <brad.figg at canonical.com>
### THE KEY IS REVOKED 4 MONTHS AGO!
### Additional info:
$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
### My unmodified /etc/apt/sources.list in attachment.
### Note, /etc/apt/sources.list.d/ directory is empty.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions
More information about the foundations-bugs
mailing list