Thread: GPG BADSIG ED444FF07D8D0BF6 error on apt-get update

  1. #1
    Join Date
    2014-Feb
    Posts
    4

    GPG BADSIG ED444FF07D8D0BF6 error on apt-get update

    Hi, while updating I get this error:

    Code:
    W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.kali.org kali/updates Release: The following signatures were invalid: BADSIG ED444FF07D8D0BF6 Kali Linux Repository <[email protected]>
    
    W: Failed to fetch http://security.kali.org/kali-security/dists/kali/updates/Release  
    
    W: Some index files failed to download. They have been ignored, or old ones used instead.
    I tried to import the gpg key as described here and also followed the instructions regarding gpg key import published here. Also an
    Code:
    aptitude reinstall kali-archive-keyring
    was not successful, still getting this error on update.

    What is going on here? Is this a MIM-attack on the network side that tries to inject poisoned Kali packages on my machine?

    Thanks for your attention,
    Kalimero

  2. #2
    Join Date
    2013-Mar
    Posts
    354
    Try this: aptitude clean and then aptitude autoclean.

    Retry: aptitude install kali-archive-keyring

  3. #3
    Join Date
    2014-Feb
    Posts
    4
    Yes, I did this before, no chance, this error still occurs on every update.

    Am I the only one with this error? I cannot imagine this error happens only to me.

    Could anybody please explain how this error is generated, exactly? What exactly is apt trying to verify? Which file exactly is verified against which key?

    I am just trying to understand what exactly goes wrong here and do not have enough knowledge about apt-get internals, so some more insight into what exactly the package manager does will help in understanding whether the data received on my side really is different from the data offered on the Kali servers.

    Thank you very much for your attention!

    BTW I just saw that there is no secure access to http://archive.kali.org/archive-key.asc possible - from my understanding this breaks the whole chain of security that is offered by the combination of cryptographically secured protocols and gpg. The archive-key.asc should be accessible via https - it makes no sense that it is not.

  4. #4
    Join Date
    2013-Mar
    Posts
    3
    I started getting this same error yesterday, in varying flavors.

    When doing an apt-get update
    Code:
    Reading package lists... Done
    W: GPG error: http://http.kali.org kali Release: The following signatures were invalid: BADSIG ED444FF07D8D0BF6 Kali Linux Repository <[email protected]>
    Sometimes
    Code:
    W: Failed to fetch gzip:/var/lib/apt/lists/partial/http.kali.org_kali_dists_kali_main_binary-amd64_Packages  Hash Sum mismatch
    
    W: Failed to fetch gzip:/var/lib/apt/lists/partial/http.kali.org_kali_dists_kali_non-free_binary-i386_Packages  Hash Sum mismatch
    
    E: Some index files failed to download. They have been ignored, or old ones used instead.
    Sometimes
    Code:
    W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://http.kali.org kali Release: The following signatures were invalid: BADSIG ED444FF07D8D0BF6 Kali Linux Repository <[email protected]>
    
    W: Failed to fetch http://http.kali.org/kali/dists/kali/Release  
    
    W: Some index files failed to download. They have been ignored, or old ones used instead.
    Thought maybe the repos were updating or undergoing some sort of maintenance, but the issue persists today. Have done all the apt-get clean, autoclean, remove, autoremove stuff.

    I'm not a crypto guy, and maybe I'm overcautious and skeptical, but getting crypto errors 1 day after GnuTLS vuln was big news, and packages like libgnutls-openssl27 in the update queue, well it doesn't give me a warm and fuzzy.

  5. #5
    Join Date
    2013-Mar
    Posts
    3
    Did nothing different today, haven't even rebooted, but do not get the GPG errors anymore.
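
Added example, not part of any post in this thread: apt first verifies the signature over the Release file (detached in Release.gpg, or inline in InRelease) against the keys in its trusted keyring, which is the step that reports BADSIG; it then checks every downloaded index file against the size and checksum listed in that Release file, which is the step that reports "Hash Sum mismatch". The Python sketch below reproduces only the second step on constructed data; the function names and the other result strings are this example's own, not apt's.

```python
import hashlib

def parse_release(text, field="SHA256"):
    """Map path -> (hex digest, size) for one checksum field of a Release file."""
    entries, in_field = {}, False
    for line in text.splitlines():
        if in_field and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
        else:
            # Any unindented line ends the block; only "<field>:" starts ours.
            in_field = line.strip() == field + ":"
    return entries

def check_index(entries, path, data):
    """Compare one downloaded index file against what Release promises."""
    if path not in entries:
        return "not listed in Release"
    digest, size = entries[path]
    if len(data) != size:
        return "size mismatch"
    if hashlib.sha256(data).hexdigest() != digest:
        return "Hash Sum mismatch"
    return "ok"

# Constructed sample data (not real Kali repository content).
PATH = "main/binary-amd64/Packages"
NEW_PACKAGES = b"Package: example\nVersion: 1.1\n"
# Constructed scenario: a stale copy, e.g. from a cache or a mirror mid-sync.
OLD_PACKAGES = b"Package: example\nVersion: 1.0\n"
RELEASE = (
    "Origin: Example\n"
    "Suite: example\n"
    "MD5Sum:\n"
    " 00000000000000000000000000000000 0 ignored/by/this/parser\n"
    "SHA256:\n"
    f" {hashlib.sha256(NEW_PACKAGES).hexdigest()} {len(NEW_PACKAGES)} {PATH}\n"
)

def demo():
    entries = parse_release(RELEASE)
    return (check_index(entries, PATH, NEW_PACKAGES),
            check_index(entries, PATH, OLD_PACKAGES),
            check_index(entries, PATH, NEW_PACKAGES + b"x"),
            check_index(entries, "contrib/binary-amd64/Packages", b""))

if __name__ == "__main__":
    print(demo())
```

The checksums only mean something once the Release file's own signature has verified, because they are taken from that file.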
