Why are the proposed BADSIG (on apt-get update) fixes secure?
I'm running apt-get update
, and I see errors like
W: GPG error: http://us.archive.ubuntu.com precise Release:
The following signatures were invalid:
BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <[email protected]>
It's not hard to find instructions on how to fix these problems, for instance by asking for the new keys with apt-key adv --recv-keys
or rebuilding the cache; so I'm not asking about how to fix these.
But why is this the right thing to do? Why is "oh, I need new keys? Cool, go get new keys" not just defeating the purpose of having a signed repository in the first place? Are the keys signed by a master key that apt-key
checks? Should we be doing some additional validation to ensure that we're getting legitimate keys?
Relevant basic concepts about the idea behind GPG signature and how it ensures a more secure signed repository:
- What are the GPG signatures?
In my opinion, the proposed fixes aren't secure. A more secure solution would be to blow out everything in /var/lib/apt/lists/
as suggested in this answer. I suggest this because, apt automatically checks for the integrity of the package and is a much hassle-free solution compared to hunting down each of the keys.
That doesn't mean you shouldn't manually add the keys, but only if you know how to check if the keys are valid. Some ways of checking the integrity of the package / validity of the key:
-
Cross checking if the GPG key is already listed in
releases.gpg
file. If it already is available, you can be rest assured that the key is secure because only the keys of trusted developers are included in thereleases.gpg
file. - install
debsig-verify
package (manpage for thedebsig-verify
command ). It automatically verifies the source and the validity of the Debian package itself. Though, you might run into weird problems from time to time sincedebsig-verify
checks for signatures embedded inside of Debian packages, something that is not widely practised since the advent of secure-apt.
So, the accepted solution at What is the easiest way to resolve apt-get BADSIG GPG errors? is not exactly recommended nor secure for the average Joe, as he would probably have neither the time, patience or awareness to check if the solution is secure enough for him. Instead, the second answer on that question should be recommended for its simplicity and a more guaranteed security.
Relevant:
- What precautions should I take with .debs I find on the internet?
- Are PPA's safe to add to my system and what are some "red flags" to watch out for?