Why are the proposed BADSIG (on apt-get update) fixes secure?

I'm running apt-get update, and I see errors like

W: GPG error: http://us.archive.ubuntu.com precise Release: 
The following signatures were invalid: 
BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <[email protected]>

It's not hard to find instructions on how to fix these problems, for instance by asking for the new keys with apt-key adv --recv-keys or rebuilding the cache; so I'm not asking about how to fix these.

But why is this the right thing to do? Why is "oh, I need new keys? Cool, go get new keys" not just defeating the purpose of having a signed repository in the first place? Are the keys signed by a master key that apt-key checks? Should we be doing some additional validation to ensure that we're getting legitimate keys?


Relevant basic concepts about the idea behind GPG signatures and how they ensure a more secure signed repository:

  • What are the GPG signatures?

In my opinion, the proposed fixes aren't secure. A more secure solution would be to blow out everything in /var/lib/apt/lists/ as suggested in this answer. I suggest this because apt automatically checks the integrity of the package, and it is a much more hassle-free solution compared to hunting down each of the keys.

That doesn't mean you shouldn't manually add the keys, but only if you know how to check if the keys are valid. Some ways of checking the integrity of the package / validity of the key:

  • Cross-checking whether the GPG key is already listed in the releases.gpg file. If it is already available, you can rest assured that the key is secure, because only the keys of trusted developers are included in the releases.gpg file.
  • Install the debsig-verify package (manpage for the debsig-verify command). It automatically verifies the source and the validity of the Debian package itself. You might, though, run into weird problems from time to time, since debsig-verify checks for signatures embedded inside Debian packages, something that is not widely practised since the advent of secure-apt.

So, the accepted solution at What is the easiest way to resolve apt-get BADSIG GPG errors? is not exactly recommended nor secure for the average Joe, as he would probably have neither the time, patience nor awareness to check whether the solution is secure enough for him. Instead, the second answer on that question should be recommended for its simplicity and more guaranteed security.


Relevant:

  • What precautions should I take with .debs I find on the internet?
  • Are PPA's safe to add to my system and what are some "red flags" to watch out for?
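The validation the question asks about, as an added example that is not code from the question or the answers: verify a Release/Release.gpg pair with gpgv against the keyrings APT already trusts and read gpgv's machine-readable status lines, which use the same GOODSIG/BADSIG/NO_PUBKEY vocabulary as the apt-get warning. It assumes gpgv is installed and that the caller supplies the Release file, its detached signature, and (optionally) a keyring directory; the status lines in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: decide whether the key that signed an APT Release file is one
# the system already trusts, rather than blindly fetching a new key.
# Assumed inputs: a Release and Release.gpg pair (e.g. copied from
# /var/lib/apt/lists/) and the trusted keyring directory /etc/apt/trusted.gpg.d.

# Reduce gpgv --status-fd output to a single verdict line. Sample status lines
# (constructed, mirroring gpgv's format):
#   [GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key
#   [GNUPG:] VALIDSIG <40-hex-fingerprint> <date> <timestamp> ...
#   [GNUPG:] BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key
#   [GNUPG:] NO_PUBKEY 40976EAF437D05B5
# Verdicts: "GOOD <keyid> <fingerprint>", "BAD <keyid>" (key known, data or
# signature tampered/corrupt), "UNKNOWN <keyid>" (key not in trusted keyring).
classify_status() {
    awk '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"   { keyid = $3; good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG"  { fpr = $3 }
        $1 == "[GNUPG:]" && $2 == "BADSIG"    { print "BAD " $3; done = 1; exit }
        $1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print "UNKNOWN " $3; done = 1; exit }
        END { if (good && !done) print "GOOD " keyid " " fpr }
    '
}

# verify_release RELEASE RELEASE_GPG [KEYRING_DIR]
# Runs gpgv with every keyring in KEYRING_DIR, prints the verdict and returns
# 0 only when the signature is good under an already-trusted key.
verify_release() {
    release=$1; release_gpg=$2; keyring_dir=${3:-/etc/apt/trusted.gpg.d}
    set --
    for k in "$keyring_dir"/*.gpg; do
        [ -f "$k" ] && set -- "$@" --keyring "$k"
    done
    verdict=$(gpgv --status-fd 1 "$@" "$release_gpg" "$release" 2>/dev/null | classify_status)
    echo "${verdict:-UNKNOWN ?}"
    case $verdict in GOOD*) return 0 ;; *) return 1 ;; esac
}

# Usage: ./check_release.sh Release Release.gpg [/etc/apt/trusted.gpg.d]
if [ "$#" -ge 2 ]; then
    verify_release "$1" "$2" "$3"
fi
```

A BAD verdict with a known key means the downloaded index, not the key, is the problem, which is why clearing /var/lib/apt/lists/ and re-downloading is the first thing to try; an UNKNOWN verdict is the only case where a new key is actually involved.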