Invalid GPG signature http://ddebs.ubuntu.com/dists/trusty/Release.gpg
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ubuntu-archive-publishing |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
For the last week or so, with the trusty ddebs repository in sources.list (deb http://
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://
W: Failed to fetch http://
W: Some index files failed to download. They have been ignored, or old ones used instead.
You can check manually that the signature is bad:
$ wget -q http://
$ gpg --verify Release.gpg Release
gpg: Signature made Sun 20 Jul 2014 06:15:32 AM EDT using DSA key ID 428D7C01
gpg: BAD signature from "Ubuntu Debug Symbol Archive Automatic Signing Key <email address hidden>"
| Anders Kaseorg (andersk) wrote | #1 |
| Changed in ubuntu-archive-publishing: | |
| status: | New → Confirmed |
| information type: | Public → Public Security |
| Martin Pitt (pitti) wrote | #2 |
| Changed in ubuntu-archive-publishing: | |
| status: | Confirmed → Fix Released |
Notably, the GPG timestamp on Release.gpg is consistent with its HTTP timestamp, but the HTTP timestamp on Release is a few hours ahead of that. So I guess Release is getting uploaded without a corresponding Release.gpg, hence the inconsistency.