apt-get update failing with bad signature.

Created an attachment (id=4679)
breezy updates release file

Created an attachment (id=4680)
breezy updates release signature file (from lists/partial)

This happens quite often to lots of people and even though it might be due to a
server side hiccup, this error is too scary for novice users. At least the error
message should be changed, or apt should automatically re-download the signature
file for a retry (this usually helps). I'm marking this bug as major, since it
affects quite a lot of people.

*** Bug 24236 has been marked as a duplicate of this bug. ***

(In reply to comment #3)
> This happens quite often to lots of people and even though it might be due to a
> server side hiccup, this error is too scary for novice users. At least the error
> message should be changed, or apt should automatically re-download the signature
> file for a retry (this usually helps). I'm marking this bug as major, since it
> affects quite a lot of people.

A BIG Thankyou as YES it does affect a LOT of people. Just take a look through
the Ubuntu forums.

Thanks,
Gord

Thanks for your bugreport.

One of the archive servers in the round-robin DNS was out of sync, this is fixed
now. Please let us know if you it happens again or if this sync dosn't fix it.
Sorry that it took so long for the fix :/

Thanks for attaching the Release/Release.gpg files. There is indeed a problem
with them:
$ gpgv --keyring /etc/apt/trusted.gpg Release.gpg Release
gpgv: Signature made 2005-10-18T00:04:45 CEST using DSA key ID 437D05B5
gpgv: BAD signature from "Ubuntu Archive Automatic Signing Key
<email address hidden>"

Cheers,
 Michael

Thank you for your work Michael but apparently this problem still exists. It
happens to me every third or fourth time of running "apt-get update". And I
always get the exact same error mentioning the exact same repo:

W: GPG error: http://archive.ubuntu.com breezy-updates Release: The following
signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic
Signing Key <email address hidden>
W: You may want to run apt-get update to correct these problems

Thanks again for your help and I hope we can get this issue resolved once and
for all. If there is anything at all I can do to help please let me know.

Thanks,
Gordo

(In reply to comment #7)
> Thank you for your work Michael but apparently this problem still exists. It
> happens to me every third or fourth time of running "apt-get update". And I
> always get the exact same error mentioning the exact same repo:

It looks like the problem hit us again this afternoon. I talked to the server
admins and they said it's fixed again and a more robust mechanism is implemented
to prevent it from happening in the future.

Cheers (and let me know if you still get issues now),
 Michael

Sorry man, still happening here. Same error, same repo....

Gordo

Please re-open this bug. It is happening often.

(In reply to comment #10)
> Please re-open this bug. It is happening often.

Thanks for your bugreport. Apparently archive.ubuntu.com is out of sync in one
of it's mirrors, I informed the admins.

W: GPG error: http://nl.archive.ubuntu.com breezy Release: Unknown error executing gpgv
W: GPG error: http://nl.archive.ubuntu.com breezy-updates Release: The following signatures were invalid:
BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

maybe reopen?

W: GPG error: http://nz.archive.ubuntu.com breezy-updates Release: The following
signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic
Signing Key <email address hidden>
W: You may want to run apt-get update to correct these problems

--> reopening would be my wish as well. What's the signature system for if one
has to work around it? Then it's useless.

cheers

Problem persists here ... just now I ran an apt-get update with the following
output ("Hit" and "Get" output at the beginning skipped):

Reading package lists... Done
W: GPG error: http://nz.archive.ubuntu.com breezy-updates Release: The following
signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic
Signing Key <email address hidden>
W: You may want to run apt-get update to correct these problems

From the comments here I cannot see how the problem has been fixed. Help me,
someone, if you can see it. And please reopen.

cheers

(In reply to comment #14)
> Reading package lists... Done
> W: GPG error: http://nz.archive.ubuntu.com breezy-updates Release: The following
> signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic
> Signing Key <email address hidden>
> W: You may want to run apt-get update to correct these problems
>
> From the comments here I cannot see how the problem has been fixed. Help me,
> someone, if you can see it. And please reopen.

Thanks for the bugreport and sorry for the late reply. I just tested
nz.archive.u.c and
it seems to work here (no signature error).

If you get errors like this, could you please run:
$ sudo apt-get update -o Acquire::http::No-Cache=true

The reports about "invalid signatures" we got so far where a either a
out-of-sync archive
server (that is fixed with a better system now) or a proxy that delivered stale
data.

Please let me know if you get this problem without being behind a proxy (and/or
if the
"No-Cache" option helps). I'm happy to reopen (or open a new bugreport) if it
turns out
to be a new problem.

Cheers,
 Michael

It's broken again as of Feb. 10, 2006. Is there a solution to this that lasts? I was showing Ubuntu off and, specifically, the ease in which packages could be installed and uninstalled. Not good PR, to say the least.

I hope this is the right protocol for changing status.

More details: initially it was cn.blah-blah-blah and security.blah-blah-blah that was failing. This seems to have spontaneously fixed itself. Instead, now, it's security.blah-blah-blah alone....

Having a security-related error show up when connecting to a repository named "security" is... bad.

Still in place as of 11 Feb, incidentally.

13 Feb and problem is still in place. Is there anybody looking at this? Or is there a work-around for me to manually install whatever file it is that can't be downloaded by apt/synaptic?

I don't have an patch but here is some of what I did to further investigate the problem and got a successful update:-

0. apt-get update reported this error -
W: GPG error: http://security.ubuntu.com breezy-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
W: You may want to run apt-get update to correct these problems

1. Downloaded Release and Release.gpg from http://security.ubuntu.com/ubuntu/dists/breezy-security/

2. sudo apt-key del 0x437D05B5

3. sudo apt-key update
gpg: key 437D05B5: public key “Ubuntu Archive Automatic Signing Key <email address hidden>” imported
gpg: key FBB75451: “Ubuntu CD Image Automatic Signing Key <email address hidden>” not changed
gpg: Total number processed: 2
gpg: imported: 1
gpg: unchanged: 1
gpg: no ultimately trusted keys found

4. Checked keys and found that gpg thought they were ultimately trusted
$ sudo gpg --keyring /etc/apt/trusted.gpg --edit-key 0x437D05B5
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

pub 1024D/437D05B5 created: 2004-09-12 expires: never usage: CS
                     trust: ultimate validity: ultimate
sub 2048g/79164387 created: 2004-09-12 expires: never usage: E
[ultimate] (1). Ubuntu Archive Automatic Signing Key <email address hidden>

5. Tried apt-get update with same result;

6. gpg likes the key and the signature:-

gpg --keyring /etc/apt/trusted.gpg --verify ~/Release.gpg ~/Release
gpg: Signature made Sat 04 Feb 2006 05:11:37 EST using DSA key ID 437D05B5
gpg: Good signature from “Ubuntu Archive Automatic Signing Key <email address hidden>”

7. Verified breezy-updates/Release as well - OK

8. Looked a bit closer (strace on the execve args to gpgv called from apt-get) and looked the contents of /var/lib/apt/lists/partial/security.ubuntu.com_ubuntu_dists_breezy-security_Release.gpg and var/lib/apt/lists/security.ubuntu.com_ubun
tu_dists_breezy-security_Release Which differed markedly!

9. Moved them out and ran a successful apt-get update.

Perhaps if apt-get flushed the Release and gpg files every time, would that fix/mask the problem? I got the apt sources last night. Might peer a little closer.

Thanks Michael for reporting the problem and Anthony for your detailed analysis. It looks like there is a problem with the timestamps on the server. If you get this error, can you please comment out all sources but the failing ones and then run:
$ sudo apt-get update -o Debug::Acquire::http=True 2>/tmp/apt-http.log

and attach the result? I suspect for some reason your local copy of the release/release.gpg file is newer than the version on the server and that causes apt to assume that there is no new version for download (this happend in the past).

Thanks,
 Michael

OK, done. I'm not sure how to attach a file, though, so please bear with me.

OK, I've figured out how to do the attachments. I commented out all but the security repo and issued the command <b>sudo apt-get update -o Debug::Acquire::http=True 2>/tmp/apt-http.log</b>. For a second I thought it had worked (it didn't kack in just a fraction of a second), but it turns out not to have.

On Mon, Feb 13, 2006 at 10:51:02AM -0000, Michael T. Richter wrote:
> Public bug report changed:
> https://launchpad.net/malone/bugs/24234
>
> Comment:
> OK, done. I'm not sure how to attach a file, though, so please bear
> with me.

Thanks a lot. It seems to have been a problem on one of our servers
(for a brief timeframe the information wasn't in sync). This should be
fixed now. Could you please give it a try again?

Thanks,
 Michael

--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo

It works now. Whoever fixed this, thanks.

I wouldn't call several days, however, a "brief timeframe" on a component as critical to Ubuntu's look and feel as Synaptic/APT.

I think whatever is causing this sync problem needs to be addressed at the core and dealt with once and for all. To me this smacks of a protocol problem and, thereby, as an opportunity for a protocol hack. If end-users start getting used to failing signatures to the point that they just ignore such messages, we're primed for some "man in the middle" attacks on the whole Ubuntu distribution scheme, no?

Thanks for confirming the fix.

The "brief timeframe" refered to the timeframe in which you had to run "apt-get update (synaptic reload)" to catch the problem. People not updating in this timeframe where not affected at all.

But I agree of course that problems like this are very bad. We added code in dappers apt to cope better with the situation and organize the servers in a way that prevents it mostely. So thanks for reporting this issue!

Cheers,
 Michael

This problem is still happening in Dapper. I have checked my clock and the time seems to be correct. Will the work around for Breezy also work for Dapper?

Hi! I'm getting this same problem with Edgy right now. If I deciphered this page right, it's about apt in general, and it should be fixed... Any pointers?

Oh, and by the way, it's not intermittent, it's been happening for a couple of weeks now. My outputs is:

W: GPG error: http://archive.ubuntu.com edgy-proposed Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
W: GPG error: http://archive.ubuntu.com edgy-updates Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
W: GPG error: http://archive.ubuntu.com edgy-backports Release: Unknown error executing gpgv
W: You may want to run apt-get update to correct these problems

Having this problem in hardy now. Where can i find the local copies of release and release.gpg so that I can replace them manually?

Confirming the problem in Hardy.

Confirming again in Hardy (Server : archive.ubuntu.com)

Me too having the same problem in hardy...

nslookup sa.archive.ubuntu.com
Server: 192.168.1.254
Address: 192.168.1.254#53

Non-authoritative answer:
Name: sa.archive.ubuntu.com
Address: 91.189.88.31
Name: sa.archive.ubuntu.com
Address: 91.189.88.45
Name: sa.archive.ubuntu.com
Address: 91.189.88.46

as@m7md-desktop:~# apt-get update

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used.GPG error: http://sa.archive.ubuntu.com hardy-updates Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

W: Failed to fetch http://sa.archive.ubuntu.com/ubuntu/...pdates/Release

W: Some index files failed to download, they have been ignored, or old ones used instead

I'm also have this problem.

I'm having the same issue!

I'm having the same issue...please advise

I'm having the same issue too!
And cant update behind a proxy firewall.

I'm having the same issue in Ubuntu 8.04 with the partner repository. Is there a suggested fix? Can I clear all the GPG signatures and re-download them somehow? Or is that not a solution?

I've been having the same problem with Hardy since a clean install five days ago.

I got his error today for the first time:

I ran apt-get in Gutsy and...

W: GPG error: http://security.ubuntu.com gutsy-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

As discussed above the following command fixed this for me:

$ sudo apt-get update -o Acquire::http::No-Cache=true

$ sudo apt-get update -o Acquire::http::No-Cache=true

Fixed the same problem today.

I changed my Download location and faced this problem in Intrepid.
The No-Cache trick fixed it for me ! Thanks !

Downloading ftp://nl.archive.ubuntu.com/ubuntu/dists/jaunty/Release failed for me just now, using no-cache fixed it.
Perhaps it could be default behaviour to redownload failed files once, using no-cache?

Forget that, rerunning "sudo apt-get update -o Acquire::http::No-Cache=true" returns an error too.
It seems to happen randomly.

sudo apt-get update:

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used.GPG error: http://nz.archive.ubuntu.com intrepid-updates Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
W: Failed to fetch http://nz.archive.ubuntu.com/ubuntu/dists/intrepid-updates/Release
W: Some index files failed to download, they have been ignored, or old ones used instead.

So, to fix this:

sudo apt-key advanced --keyserver subkeys.pgp.net --recv DCF9F87B6DFBCBAE

Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --keyserver subkeys.pgp.net --recv 40976EAF437D05B5
gpg: requesting key 437D05B5 from hkp server subkeys.pgp.net
gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <email address hidden>" 2 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: new signatures: 2

But

sudo apt-get update

and even

sudo apt-get update -o Acquire::http::No-Cache=true

Still return errors.

This is driving me nuts. What is going on?

Removing the nz from the apt urls seems to do the trick, but updates come from the main ubuntu archive. So, that's changing:

http://nz.archive.ubuntu.com/ubuntu/

to

http://archive.ubuntu.com/ubuntu/

I think it happens when a component is listed twice in sources.list
Try combining all components on one line (main restricted universe multiverse), and list every distribution only once.

I'm staggered this bug has been open nearly FOUR YEARS and is STILL not fixed!!!

Yes, it's hit me too (several times). Here's my solution:

1: Delete the contents of /var/lib/apt/lists/partial.

2: Ensure file /etc/apt/sources.list only points to "http://archive.ubuntu.com/ubuntu/", not, as Jonathan Harker points out above, sources such as "http://nz.archive.ubuntu.com/ubuntu/"

3: Run the command sudo apt-get update -o Acquire::http::No-Cache=true

4: Run the command sudo apt-get update

I honestly don't know if all the above steps are necessary. Doing them individually made no difference, but doing them one after the other (finally) worked for me.

I experienced this problem on a jaunty RC system shortly after the jaunty release. Geoff's workaround fixed it.

Confirmed this problem with Jaunty 9.04 stable. I resumed from suspend and received the same error as the OP. Geoff's workaround fixed it.

Still happening with a fresh install of Jaunty 9.04.

Some servers/repos are failing, like security.ubuntu.com

Within the same server (I use id.archive.ubuntu.com) some repos succeed and a few others fail

I confirm this bug in Jaunty. Geoff's workaround fixed it.

Hi all,
I just installed ubuntu 9.04 and im getting this error!!

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used.GPG error: http://security.ubuntu.com jaunty-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/jaunty-security/Release

W: Some index files failed to download, they have been ignored, or old ones used instead.

Any Help??!!
All is appreciated

Thanks

Encountered this same problem in Jaunty.
Geoff's workaround fixed it.

Thank you, Geoff!

Hi all,

also prb

GPG error: http://archive.ubuntu.com jaunty-updates Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>Failed to fetch cdrom://Ubuntu 9.04 _Jaunty Jackalope_ - Release i386 (20090420.1)/dists/jaunty/main/binary-i386/Packages Please use apt-cdrom to make this CD-ROM recognized by APT. apt-get update cannot be used to add new CD-ROMs
Failed to fetch cdrom://Ubuntu 9.04 _Jaunty Jackalope_ - Release i386 (20090420.1)/dists/jaunty/restricted/binary-i386/Packages Please use apt-cdrom to make this CD-ROM recognized by APT. apt-get update cannot be used to add new CD-ROMs
Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jaunty-security/main/source/Sources.bz2 Hash Sum mismatch
Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jaunty-security/universe/source/Sources.bz2 Hash Sum mismatch
Some index files failed to download, they have been ignored, or old ones used instead.

i have this proplem
tamer@tamer-desktop:~$ sudo apt-get update -f
Hit http://packages.medibuntu.org jaunty Release.gpg
Ign http://packages.medibuntu.org jaunty/free Translation-en_US
Hit http://archive.ubuntu.com jaunty Release.gpg
Ign http://archive.ubuntu.com jaunty/main Translation-en_US
Ign http://archive.ubuntu.com jaunty/restricted Translation-en_US
Ign http://archive.ubuntu.com jaunty/multiverse Translation-en_US
Ign http://archive.ubuntu.com jaunty/universe Translation-en_US
Get:1 http://archive.ubuntu.com jaunty-updates Release.gpg [189B]
Ign http://archive.ubuntu.com jaunty-updates/main Translation-en_US
Ign http://archive.ubuntu.com jaunty-updates/restricted Translation-en_US
Ign http://archive.ubuntu.com jaunty-updates/multiverse Translation-en_US
Ign http://archive.ubuntu.com jaunty-updates/universe Translation-en_US
Get:2 http://archive.ubuntu.com jaunty-security Release.gpg [189B]
Ign http://archive.ubuntu.com jaunty-security/main Translation-en_US
Ign http://archive.ubuntu.com jaunty-security/restricted Translation-en_US
Ign http://archive.ubuntu.com jaunty-security/multiverse Translation-en_US
Ign http://archive.ubuntu.com jaunty-security/universe Translation-en_US
Hit http://archive.ubuntu.com jaunty Release
Hit http://archive.ubuntu.com jaunty-updates Release
Hit http://archive.ubuntu.com jaunty-security Release
Err http://archive.ubuntu.com jaunty-updates Release

Err http://archive.ubuntu.com jaunty-security Release

Hit http://archive.ubuntu.com jaunty/main Packages
Hit http://archive.ubuntu.com jaunty/restricted Packages
Hit http://archive.ubuntu.com jaunty/multiverse Packages
Hit http://archive.ubuntu.com jaunty/universe Packages
Ign http://packages.medibuntu.org jaunty/non-free Translation-en_US
Hit http://packages.medibuntu.org jaunty Release
Hit http://packages.medibuntu.org jaunty/free Packages
Hit http://packages.medibuntu.org jaunty/non-free Packages
Hit http://packages.medibuntu.org jaunty/free Sources
Hit http://packages.medibuntu.org jaunty/non-free Sources
Fetched 378B in 22s (17B/s)
Reading package lists... Done
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used.GPG error: http://archive.ubuntu.com jaunty-updates Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used.GPG error: http://archive.ubuntu.com jaunty-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jaunty-updates/Release

W: Failed to fetch http://archive.ubuntu.com/ubun...

After installing sources for the new firefox, I was happily getting daily updates for 3.6.

Yesterday, however, I noticed that I hadn't had an update for a while, so I started update manager, and then tried again in terminal.

I'm getting some intermittent results here. I ran a script to check my keys out:

#! /bin/sh

# Simple script to check for all PPAs refernced in your apt sources and
# to grab any signing keys you are missing from keyserver.ubuntu.com.
# Additionally copes with users on launchpad with multiple PPAs
# (e.g., ~asac)
#
# Author: Dominic Evans https://launchpad.net/~oldman
# License: LGPL v2

for APT in `find /etc/apt/ -name *.list`; do
    grep -o "^deb http://ppa.launchpad.net/[a-z0-9\-]\+/[a-z0-9\-]\+" $APT | while read ENTRY ; do
        # work out the referenced user and their ppa
        USER=`echo $ENTRY | cut -d/ -f4`
        PPA=`echo $ENTRY | cut -d/ -f5`
        # some legacy PPAs say 'ubuntu' when they really mean 'ppa', fix that up
        if [ "ubuntu" = "$PPA" ]
        then
            PPA=ppa
        fi
        # scrape the ppa page to get the keyid
        KEYID=`wget -q --no-check-certificate https://launchpad.net/~$USER/+archive/$PPA -O- | grep -o "1024R/[A-Z0-9]\+" | cut -d/ -f2`
        sudo apt-key adv --list-keys $KEYID >/dev/null 2>&1
        if [ $? != 0 ]
        then
            echo Grabbing key $KEYID for archive $PPA by ~$USER
            sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com $KEYID
        else
            echo Already have key $KEYID for archive $PPA by ~$USER
        fi
    done
done

echo DONE

This returned me the text "Already have key 1654E635 for archive ppa by ~firerabbit
Already have key AA1C92B0 for archive ppa by ~gwibber-team
Already have key 77558DD0 for archive ppa by ~do-core
Already have key DA6DEEAA for archive ppa by ~globalmenu-team
Already have key 5AAB5553 for archive ppa by ~gnote
Already have key 72D340A3 for archive ppa by ~gwibber-daily
Already have key 2D9A3C5B for archive ppa by ~webkit-team
Already have key 0624A220 for archive ppa by ~tualatrix
Already have key 247510BE for archive ppa by ~ubuntu-mozilla-daily
Already have key A1F196A8 for archive ppa by ~pidgin-developers
DONE"

Next I ran nohup sudo apt-get update>>update.txt

I got the output:
"Ign file: apt-build Release.gpg
Ign file: apt-build/main Translation-en_US
Get:1 file: apt-build Release [89B]
Ign file: apt-build/main Packages
Get:2 http://archive.canonical.com jaunty Release.gpg [189B]
Get:3 http://ppa.launchpad.net jaunty Release.gpg [307B]
Get:4 http://download.virtualbox.org jaunty Release.gpg [197B]
Hit http://archive.mmu.edu.my jaunty Release.gpg
Get:5 http://packages.medibuntu.org jaunty Release.gpg [197B]
Hit http://deb.opera.com lenny Release.gpg
Get:6 http://security.ubuntu.com jaunty-security Release.gpg [189B]
Get:7 http://dl.google.com stable Release.gpg [189B]
Ign http://archive.mmu.edu.my jaunty/main Translation-en_US
Ign http://dl.google.com stable/non-free Translation-en_US
Ign http://dl.google.com stable/main Translation-en_US
Get:8 http://dl.google.com stable Release [1308B]
Ign http://archive.mmu.edu.my jaunty/universe Translation-en_US
Ign http://ppa.launch...

I cured the problem, now my Firefox 3.5 and 3.6 updates are coming.

I deleted all of the authentication keys from the sources list and ran Oldmanuk 's script.

Then everthing worked like a charm. It seems that the script doesn't have super-cow powers, but with a little deleting first, it worked like a charm. (Thanks to Dominic Evans for that one)

This is fixed in Karma I believe. I didn't upgrade yet, I'll wait this time around for the official release.

Ignore last post - all gpg errors returned. Same problem!!!

How to clean up? Delete all sources and start again?

This has appeared for me on Jaunty during "sudo apt-get update":

Hit http://tw.archive.ubuntu.com jaunty-security/multiverse Packages
Get:4 http://tw.archive.ubuntu.com jaunty-updates/main Packages [129kB]
99% [4 Packages bzip2 0] 183kB/s 0s
bzip2: Data integrity error when decompressing.
 Input file = (stdin), output file = (stdout)

It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.

You can use the `bzip2recover' program to attempt to recover
data from undamaged sections of corrupted files.

Err http://tw.archive.ubuntu.com jaunty-updates/main Packages
  Sub-process bzip2 returned an error code (2)
Fetched 684kB in 21s (31.1kB/s)
W: GPG error: http://tw.archive.ubuntu.com jaunty-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
W: Failed to fetch http://tw.archive.ubuntu.com/ubuntu/dists/jaunty-updates/main/binary-amd64/Packages.bz2 Sub-process bzip2 returned an error code (2)

E: Some index files failed to download, they have been ignored, or old ones used instead.

I was having the exact issue as #63. The comment in #49 fixed it. My new /etc/apt/sources.list (with comments left out for brevity):

deb http://archive.ubuntu.com/ubuntu/ jaunty main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ jaunty main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ jaunty-updates main restricted multiverse universe
deb-src http://archive.ubuntu.com/ubuntu/ jaunty-updates main restricted multiverse universe
deb http://archive.ubuntu.com/ubuntu/ jaunty-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ jaunty-security main restricted universe multiverse

This cured all errors for me:

sudo apt-get clean
cd /var/lib/apt
sudo mv lists lists.old
sudo mkdir -p lists/partial
sudo apt-get clean
sudo apt-get update

Karmic. The same issue.

The problem is in intermediate proxy serveversm which caches file, that should not be cached. In my experiments, bug never-triggered on FTP. Bug disappear after removing transparent proxy. Bug disappear after disabling cache on transparent proxy.

Solution:
1. after the fail, try all known HTTP methods to force non-caching behaviour (Example of PHP header to fool caching proxy). Both for datafile and for signature!
        header('Expires: Mon, 26 Jul 1997 05:00:00 GMT'); // Date in the past
        header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT'); // always modified
        header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1
        header('Pragma: no-cache'); // HTTP/1.0
2. wait for wget fixes this bug: https://savannah.gnu.org/bugs/index.php?28137
3. Use FTP ot HTTPS protocols where available.

I just ran into the same problem.
Switching form the country server to the central server seem to have worked around the error message.

#Example of change in sources.list after Synaptic repository changed to "Main server"
http://za.archive.ubuntu.com/ubuntu/ ->> http://archive.ubuntu.com/ubuntu/

#Error before:
The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic

Not a ideal situation.

#Error output from apt-get update, removed update file loading
$ sudo apt-get update
...
...
Reading package lists... Done
W: GPG error: http://za.archive.ubuntu.com karmic Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
W: GPG error: http://security.ubuntu.com karmic-security Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

I have this problem also, among others. I was originaly using the san marino server here in italy. I switched to the us server and then the main server. All have failed in the same way:" W: GPG error: http://archive.canonical.com karmic Release: Unknown error executing gpgv".

Not sure if this is helpful, but I'm using 9.10 also. Other problems that started at the same time were my wireless stopped working (atheros ar5bxb63), my indicator applets work as they wish when I start/restart the computer giving errors: 'OAFIID:GNOME_WindowPicker, _GoHome, _MixerApplet, etc. depending on which one doesn't work on that boot.

Has this really been the same problem through all these years with no fix? Maybe this year is the year we get it. Let me know if I can be of any help.

Also found that this bug is related and unsolved, maybe it can help: http://ubuntuforums.org/showthread.php?t=1133117

I am a newbie so please be patience with me I keep having the same problem in Ubuntu 9.10 it fails to get the updates but I noticed i keeps going to a tw website.
Look at this ;
 Failed to fetch http://tw.archive.ubuntu.com/ubuntu/dists/karmic/Release.gpg Could not connect to tw.archive.ubuntu.com:80 (140.112.8.139), connection timed out
  W: Failed to fetch http://deb.opera.com/opera/dists/stable/Release

W: Some index files failed to download, they have been ignored, or old ones used instead.
My system is in English I suspect this is a Taiwan connection. What can I do?

I'm running Ubuntu 10.04.3 LTS and I just got the error described today. I received this as output to sudo apt-get update today:
_US
Ign http://download.skype.com stable Release
Ign http://packages.medibuntu.org/ lucid/free Translation-en_US
Hit http://download.skype.com stable/non-free Packages
Ign http://packages.medibuntu.org/ lucid/non-free Translation-en_US
Hit http://packages.medibuntu.org lucid Release
Hit http://packages.medibuntu.org lucid/free Packages
Hit http://packages.medibuntu.org lucid/non-free Packages
Hit http://packages.medibuntu.org lucid/free Sources
Hit http://packages.medibuntu.org lucid/non-free Sources
Hit http://download.virtualbox.org lucid Release.gpg
Ign http://download.virtualbox.org/virtualbox/debian/ lucid/contrib Translation-en_US
Ign http://download.virtualbox.org/virtualbox/debian/ lucid/non-free Translation-en_US
Hit http://download.virtualbox.org lucid Release
Hit http://download.virtualbox.org lucid/contrib Packages
Hit http://download.virtualbox.org lucid/non-free Packages
Fetched 5,267B in 10s (489B/s)
Reading package lists... Done
W: GPG error: http://archive.canonical.com lucid Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
dominique@Dominique-lucid:~$
Advice?

Getting this error in Oneiric.

W: GPG error: http://archive.canonical.com oneiric Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>

1) Tried:
sudo apt-get update -o Acquire::http::No-Cache=true
But just got the same error.

2) Tried switching from us.archive.* to archive.* and re-running the update with no-cache.
Same error.

3) Delete the contents of /var/lib/apt/lists/partial, per palmerg's recommendation above, and re-ran all of the above.
Same error.