Ubuntu: How to solve a GPG Error (BADSIG)


Well, well, haven’t we all faced this irritating issue where apt-get begins to fail? I have faced it one too many times. Frustrating and mind-numbing. One of the common errors is the infamous GPG error: a “BADSIG” scenario. For instance, I faced this today:

$> sudo apt-get update
Ign http://archive.ubuntu.com trusty-security/main Translation-en_IN
Ign http://archive.ubuntu.com trusty-security/multiverse Translation-en_IN
Ign http://archive.ubuntu.com trusty-security/restricted Translation-en_IN
Ign http://archive.ubuntu.com trusty-security/universe Translation-en_IN
Ign http://archive.ubuntu.com trusty-proposed/main Translation-en_IN
Ign http://archive.ubuntu.com trusty-proposed/multiverse Translation-en_IN
Ign http://archive.ubuntu.com trusty-proposed/restricted Translation-en_IN
Ign http://archive.ubuntu.com trusty-proposed/universe Translation-en_IN
Fetched 490 kB in 46s (10.6 kB/s)
Reading package lists... Done
W: GPG error: http://archive.ubuntu.com trusty-backports Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>

So what is this? Why do we see this?

Let us begin with what GPG is. It stands for GNU Privacy Guard and is an alternative to the PGP suite, which provides cryptographic privacy and authentication for data communication. Another useful piece of information is that GPG is a key-based encryption method, i.e., it uses a public key and a private key. Using these public-private key pairs, Ubuntu servers sign the files that are transferred to the client (i.e., our local box), and APT at the client end checks their signatures. This is required to check that a package hasn’t been tampered with between the time it was uploaded to the archive and the time we download it. If there is a mismatch in the signature during this check, the corresponding APT action raises an error.

Why the mismatch? That is a question I have been trying hard to answer, and it has been a really long and hard search with very little significant data. From all the searching, I concluded that a signature mismatch is possible in any of the following scenarios:

  1. Old files
  2. Corrupt files
  3. Partial Downloads
  4. All of the above.

It appears that APT doesn’t handle some of the error conditions well. To quote from one of the pages:

This is due to cache inconsistencies and thus is not necessarily a bug in Ubuntu at all. But I hope the fine devs can find a way to better deal with broken proxies. This is a very visible issue, a large number of internet connections are behind proxies and the users cannot do anything about it.

If anybody has more info, please lemme know. Share your knowledge & let us grow together.

Anyways, the resolution here is to drop all the state information of each & every package resource and rebuild it. To do so, follow these steps, which rebuild the cache:

$> sudo apt-get clean
$> sudo mv /var/lib/apt/lists /var/lib/apt/lists.old
$> sudo mkdir -p /var/lib/apt/lists/partial
$> sudo apt-get clean
$> sudo apt-get update

This should solve the ‘BADSIG’ problem for sure.
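
Before wiping the cache, it can help to see which cached file fails and why. The script below is an added example, not part of the original post: it re-checks APT's cached Release files with gpgv and separates a BADSIG (stale, corrupt or partial file, which the rebuild above addresses) from a key problem (which it does not). The keyring and lists paths are the usual Ubuntu locations and are assumptions, as are the function names and the action labels; the status keywords are GnuPG's own.

```shell
#!/bin/sh
# Added example (not from the article). Paths are the usual Ubuntu locations,
# assumed here; override them through the environment if yours differ.
KEYRING="${KEYRING:-/usr/share/keyrings/ubuntu-archive-keyring.gpg}"
LISTS="${LISTS:-/var/lib/apt/lists}"

# Constructed sample of gpgv --status-fd output (second key ID is a placeholder).
SAMPLE_STATUS='[GNUPG:] BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
[GNUPG:] NO_PUBKEY 0000000000000000'

# Reduce gpgv status lines on stdin to one verdict: "<CODE> <keyid>".
# Policy of this example: BADSIG wins, then GOODSIG, then key problems.
classify_status() {
  awk '$1 == "[GNUPG:]" {
         if ($2 == "BADSIG") bad = $2 " " $3
         else if ($2 == "GOODSIG") good = $2 " " $3
         else if ($2 == "NO_PUBKEY" || $2 == "EXPKEYSIG") key = $2 " " $3
       }
       END {
         if (bad) print bad
         else if (good) print good
         else if (key) print key
         else print "UNKNOWN -"
       }'
}

# Map a verdict code to the step that addresses it.
advise() {
  case "$1" in
    GOODSIG)             echo "ok" ;;
    BADSIG)              echo "rebuild-lists" ;;   # cached file != signed content
    NO_PUBKEY|EXPKEYSIG) echo "check-keyring" ;;   # a cache rebuild will not help
    *)                   echo "inspect-manually" ;;
  esac
}

# Verify each cached Release/InRelease file; print "<action> <verdict> <file>".
scan_lists() {
  for f in "$LISTS"/*_InRelease "$LISTS"/*_Release; do
    [ -e "$f" ] || continue
    sig=""; [ -e "$f.gpg" ] && sig="$f.gpg"   # detached Release.gpg, if present
    out=$(gpgv --keyring "$KEYRING" --status-fd 1 ${sig:+"$sig"} "$f" 2>/dev/null)
    verdict=$(printf '%s\n' "$out" | classify_status)
    printf '%-16s %-26s %s\n' "$(advise "${verdict%% *}")" "$verdict" "${f##*/}"
  done
}

# Run the scan only when asked, e.g.: sh check-lists.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_lists; fi
```

If the same file still reports BADSIG after the lists have been rebuilt, the mirror or a proxy in between is serving inconsistent data, and the answer is a different mirror or network path, not disabling signature checks.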


  • http://ubuntuforums.org/showthread.php?t=1983220
  • https://wiki.debian.org/SecureApt
  • https://bugs.launchpad.net/ubuntu/+source/synaptic/+bug/863306
  • https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/24061
  • http://en.wikipedia.org/wiki/GNU_Privacy_Guard
