Bug#781005: Additional details (heisenbug: BADSIG A040830F7FAC5991)

[Trent W. Buck]

I did a little bit of investigation.
The error is coming from apt-get update.

What confuses me is that the key in the keyring appears to match (7FAC5991).

    (bootstrap)root@zygon:/tmp/pepperflashplugin-nonfree.0CEhCe2ROb# rm -rf 
var/lib/apt/lists; APT_CONFIG=apt.conf apt-get update
    Get:1 http://dl.google.com stable Release.gpg [198 B]
    Get:2 http://dl.google.com stable Release [1,347 B]
    Ign http://dl.google.com stable Release
    Get:3 http://dl.google.com stable/main amd64 Packages [1,193 B]
    Ign http://dl.google.com stable/main Translation-en_AU
    Ign http://dl.google.com stable/main Translation-en
    Fetched 2,738 B in 2s (992 B/s)
    Reading package lists... Done
    W: GPG error: http://dl.google.com stable Release: The following signatures 
were invalid: BADSIG A040830F7FAC5991 Google, Inc. Linux Package Signing Key 
<linux-packages-keymas...@google.com>

    (bootstrap)root@zygon:/tmp/pepperflashplugin-nonfree.0CEhCe2ROb# 
APT_CONFIG=apt.conf apt-key list
    ./etc/apt/pubring.gpg
    ---------------------
    pub   1024D/7FAC5991 2007-03-08
    uid                  Google, Inc. Linux Package Signing Key 
<linux-packages-keymas...@google.com>
    sub   2048g/C07CB649 2007-03-08


I tried repeatedly fetching the Release and Release.gpg files, and I get 
different results sometimes:


    (bootstrap)root@zygon:/tmp/pepperflashplugin-nonfree.0CEhCe2ROb# wget -nv 
http://dl.google.com/linux/chrome/deb/dists/stable/Release{,.gpg}{,,,,,,,,,,,}
    2015-03-23 15:48:35 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release" [1]
    2015-03-23 15:48:35 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release.1" [1]
    2015-03-23 15:48:35 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release.2" [1]
    2015-03-23 15:48:35 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release.3" [1]
    2015-03-23 15:48:36 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release.4" [1]
    2015-03-23 15:48:36 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release.5" [1]
    2015-03-23 15:48:36 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release.6" [1]
    2015-03-23 15:48:36 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release.7" [1]
    2015-03-23 15:48:36 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release.8" [1]
    2015-03-23 15:48:37 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release.9" [1]
    2015-03-23 15:48:37 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release.10" [1]
    2015-03-23 15:48:37 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release [1347/1347] -> 
"Release.11" [1]
    2015-03-23 15:48:37 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg" [1]
    2015-03-23 15:48:37 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg.1" [1]
    2015-03-23 15:48:38 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg.2" [1]
    2015-03-23 15:48:38 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg.3" [1]
    2015-03-23 15:48:38 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg.4" [1]
    2015-03-23 15:48:38 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg.5" [1]
    2015-03-23 15:48:38 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg.6" [1]
    2015-03-23 15:48:39 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg.7" [1]
    2015-03-23 15:48:39 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg.8" [1]
    2015-03-23 15:48:39 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg.9" [1]
    2015-03-23 15:48:39 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg.10" [1]
    2015-03-23 15:48:40 
URL:http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg [198/198] -> 
"Release.gpg.11" [1]
    FINISHED --2015-03-23 15:48:40--
    Total wall clock time: 5.0s
    Downloaded: 24 files, 18K in 0.001s (30.4 MB/s)

    (bootstrap)root@zygon:/tmp/pepperflashplugin-nonfree.0CEhCe2ROb# cksum 
Release* | sort
    1576061068 1347 Release
    1576061068 1347 Release.1
    1576061068 1347 Release.11
    1576061068 1347 Release.2
    1576061068 1347 Release.3
    1576061068 1347 Release.4
    1576061068 1347 Release.5
    1576061068 1347 Release.6
    1576061068 1347 Release.9
    2239460353 198 Release.gpg.10
    2239460353 198 Release.gpg.4
    2239460353 198 Release.gpg.5
    2239460353 198 Release.gpg.6
    2239460353 198 Release.gpg.8
    2529372257 1347 Release.10
    2529372257 1347 Release.7
    2529372257 1347 Release.8
    2617726415 198 Release.gpg
    2617726415 198 Release.gpg.1
    2617726415 198 Release.gpg.11
    2617726415 198 Release.gpg.2
    2617726415 198 Release.gpg.3
    2617726415 198 Release.gpg.7
    2617726415 198 Release.gpg.9

So it looks like dl.google.com has two "versions" of the Release and 
Release.gpg,
and sometimes when I download them I get the Release from one and the 
Release.gpg from the other.
And apt-get update (reasonably) says "whoa whoa whoa, someone is messing with 
me!"

IME this is usually caused by a caching proxy (e.g. squid) keeping the
Release file longer than the Release.gpg file.

I'm not using a proxy, so AFAICT the problem isn't *me*.

It could be my ISP, or it could be whatever akami-style caching google is doing.

Who should I report this bug to?

signature.asc
Description: Digital signature