132

I frequently come across this issue, and always have to google for an answer. Does anyone have a permanent fix for BADSIG errors from apt-get?

W: GPG error: http://download.virtualbox.org lucid Release: The following signatures were invalid: BADSIG 54422A4B98AB5139 Oracle Corporation (VirtualBox archive signing key)

hhlp
  • 42,002
cmcginty
  • 5,888
  • 1
    Are you using apt-cacher-ng? – lfaraone Aug 10 '10 at 21:17
  • follow the example in the link - replace the example code in the linked answer with the BADSIG codes in your question. – fossfreedom Oct 07 '11 at 17:13
  • fossfreedom, I couldn't get that solution to work on my system. Kept getting "--keyserver" was not understood. The solution offered by Dr.Ubuntu below worked for me. – Dirk Oct 27 '11 at 16:57
  • Have a look also here http://askubuntu.com/questions/67594/unable-to-repair-packages-in-ubuntu-software-center/67603#67603 I think the commands you are using are correct, you're just not using the correct key. – Bruno Pereira Dec 09 '11 at 14:29
  • Yes, @portablejim, apt-key list lists 1024D/3E5C1192 key. – Ivan Dec 09 '11 at 14:37
  • 4
    It is important that you understand what GPG signatures on APT are used for: the GPG signature validates that the repository contains packages provided by a trusted source. It ensures both integrity and authenticity. Every time you add a new repository from some provider you will need to add its GPG key. – João Pinto Aug 10 '10 at 22:03
  • That is important information, but it doesn't answer the question at all. The asker may very well understand that already. – Kazark Dec 29 '11 at 20:11
  • also your hash-sum mismatch error will be resolved by this: http://askubuntu.com/questions/93114/error-with-ubuntu-update-manager-and-sotware-center – fossfreedom Jun 19 '12 at 20:49

6 Answers

135

Here's the (easiest) solution:

Type the following commands in the Terminal:

$ sudo -i
# apt-get clean
# cd /var/lib/apt
# mv lists lists.old
# mkdir -p lists/partial
# apt-get clean
# apt-get update

Credits: ubuntugeek.com

Edit:

If the error occurs again (maybe after a few days/months), open Nautilus as root > navigate to /var/lib/apt > delete the "lists.old" folder > then open the "lists" folder and delete the "partial" folder. Now, execute the aforementioned commands again.

jokerdino
  • 41,320
  • 10
    This solves the more common error for me--updating through an Internet connection with a proxy (WiFi "cafe" that requires web logon) which corrupts some of my lists if I get logged off or forget to log on during an update. – hobs Jan 01 '12 at 23:03
  • 3
    What would the actual error be if qbi's answer doesn't help but this does? – ArtOfCode Feb 01 '12 at 07:02
  • It also happens to me because of: WiFi "cafe" that requires web logon – Postadelmaga Aug 08 '12 at 11:08
  • 5
    I wish the OP would check this as the answer! – Dave Jul 24 '13 at 16:03
  • @ArtOfCode: the error is exactly the same. This answer helped me, but on the web you only find the method that qbi points out and that you can find everywhere on the web. – 0xC0000022L Oct 15 '13 at 07:09
  • Note that this is also a documented solution on the VirtualBox Linux download pages, under "What to do when experiencing The following signatures were invalid: BADSIG ... " – grm Jan 20 '14 at 05:39
  • Met exactly the same error and successfully solved it with this solution, thanks – stanleyhunk Apr 25 '15 at 04:39
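
An added example (not part of the answer or its comments): a check that flags Release, Release.gpg and InRelease files under an apt lists directory whose first line is not what that file type should start with, as happens when a login page or a truncated download is saved in their place. The function names are hypothetical, the sample file names and contents are constructed, and treating a non-matching first line as corruption is a heuristic assumed here.

```shell
#!/bin/sh
# Heuristic (assumption): a valid index starts with its PGP armor header or, for a
# plain Release file, with a "Field: value" line. HTML or an empty file does not.

# index_looks_valid PATH -> exit 0 if the first non-blank line fits the file type
index_looks_valid() {
    path=$1
    first=$(sed -n '/[^[:space:]]/{p;q;}' "$path")
    case "$path" in
        *InRelease)   [ "$first" = '-----BEGIN PGP SIGNED MESSAGE-----' ] ;;
        *Release.gpg) [ "$first" = '-----BEGIN PGP SIGNATURE-----' ] ;;
        *Release)     printf '%s\n' "$first" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*: ' ;;
        *)            return 0 ;;
    esac
}

# find_bad_lists DIR -> print each suspicious index file, relative to DIR
find_bad_lists() {
    dir=$1
    for f in "$dir"/*Release "$dir"/*Release.gpg \
             "$dir"/partial/*Release "$dir"/partial/*Release.gpg; do
        [ -f "$f" ] || continue
        index_looks_valid "$f" || printf '%s\n' "${f#"$dir"/}"
    done
}

# make_sample_lists -> create a constructed lists directory and print its path
make_sample_lists() {
    d=$(mktemp -d)
    mkdir -p "$d/partial"
    printf 'Origin: Ubuntu\nSuite: lucid\n' \
        > "$d/archive.ubuntu.com_ubuntu_dists_lucid_Release"
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' \
        > "$d/archive.ubuntu.com_ubuntu_dists_lucid_Release.gpg"
    printf '<html><title>WiFi login</title></html>\n' \
        > "$d/download.virtualbox.org_virtualbox_debian_dists_lucid_Release"
    : > "$d/partial/download.virtualbox.org_virtualbox_debian_dists_lucid_Release.gpg"
    printf '%s\n' "$d"
}

sample=$(make_sample_lists)
find_bad_lists "$sample"    # on a real system: find_bad_lists /var/lib/apt/lists
rm -rf "$sample"
```

Files it reports are the ones worth deleting and re-fetching; a clean result does not prove the signatures verify, only that nothing obviously foreign was saved in place of an index.
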
68

The important part of your error message is the following in bold:

W: GPG error: http://download.virtualbox.org lucid Release: The following signatures were invalid: BADSIG 54422A4B98AB5139 Oracle Corporation (VirtualBox archive signing key)

Copy the stuff in bold and then open a terminal and type:

sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 54422A4B98AB5139

i.e. paste using SHIFT + INS the number you have copied - 54422A4B98AB5139

You'll have to enter your password, the key will be downloaded and integrated.

Jorge Castro
  • 71,754
qbi
  • 19,125
  • 3
    my error was related to a bad repo, not just the key missing ... however your answer is likely valid for 99% of the cases – cmcginty Aug 19 '10 at 01:56
  • 4
    +1 because that's quite a useful thing to know how to do. However, it did not fix my problem. – Kazark Dec 29 '11 at 20:13
  • 21
    Has this actually worked for anyone? – Jjed Mar 15 '12 at 04:43
  • 6
    BADSIG is different than NO_PUBKEY. For BADSIG the answer below solved it. I'm not sure how I ended up in this situation, but I had BADSIG on 5 different PPAs even after importing the keys. – mfisch May 21 '12 at 04:02
  • 18
    I believe this could be very dangerous in a situation where somebody is trying to do something nasty (man in the middle attack for example). Don't just add keys from error messages. Only add keys you trust. – gertvdijk Jan 28 '13 at 16:41
  • How long should the keyserver take in responding to the request for the key? Let's say I'm on a public wifi. – Adrian Keister Jun 19 '13 at 21:19
  • 1
    The solution Srinivas Gollapudi provided should be considered a better solution. If the above approach provides similar results, it doesn't necessarily mean it's better or safer. As gertvdijk mentioned the adding of keys could itself be a security risk. – Sn3akyP3t3 Dec 05 '13 at 01:38
  • It works for me – Ahmed Hamdy Jun 25 '14 at 22:35
  • 1
    @Casey If it didn't solve your problem, you shouldn't accept the answer. You might want to accept a different answer instead. – kasperd Oct 04 '14 at 08:25
31

Try deleting the key

sudo apt-key del 16126D3A3E5C1192

then updating the repository

sudo apt-get update

You should get a NO_PUBKEY error instead of a BADSIG error and

sudo apt-key finger

should not find the key (called "Ubuntu Extras Archive Automatic Signing Key")

Now add the key

sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 16126D3A3E5C1192

The result of apt-key finger should have

pub   1024D/3E5C1192 2010-09-20
      Key fingerprint = C474 15DF F48C 0964 5B78  6094 1612 6D3A 3E5C 1192
uid                  Ubuntu Extras Archive Automatic Signing Key <ftpmaster@ubuntu.com>

If that does not work, try

sudo apt-get clean            # Remove cached packages
cd /var/lib/apt
sudo mv lists lists.old       # Backup mirror info
sudo mkdir -p lists/partial   # Recreate directory structure
sudo apt-get clean
sudo apt-get update           # Fetch mirror info

Source: this ubuntu forums thread

Portablejim
  • 2,748
  • I had multiple BADSIG errors which included even the standard Ubuntu archives. When I deleted VirtualBox key suddenly all those errors turned into NO_PUBKEY. Then when I added the VirtualBox key the errors disappeared for all the other repos. So it turned out that one bad key produced errors for many other unrelated repos. – Mateusz Stachowski Apr 25 '15 at 17:26
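
An added example, not part of the answers above, for the concern raised in the comments about adding keys straight from an error message: before importing a downloaded key, confirm that it carries the fingerprint you obtained from the repository owner over a channel you trust, and that the key ID in the apt message is the tail of that fingerprint. The function names are hypothetical, the sample listing is constructed from the key ID and fingerprint quoted in the answer above, and `key.asc` is a placeholder file name.

```shell
#!/bin/sh
# norm_hex TEXT -> TEXT without whitespace, upper-cased
norm_hex() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# primary_fprs: read a `gpg --with-colons` key listing on stdin and print the
# fingerprint (field 10 of the "fpr" record) of each primary key, skipping subkeys
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# key_is_expected KEYID EXPECTED_FPR   (colon listing on stdin)
# Succeeds only if the listing holds exactly one primary key, its fingerprint
# equals EXPECTED_FPR, and KEYID is a long (16+ hex digit) tail of that fingerprint.
key_is_expected() {
    keyid=$(norm_hex "$1")
    expected=$(norm_hex "$2")
    found=$(primary_fprs)
    [ "${#keyid}" -ge 16 ] || return 1      # short IDs are too easy to collide
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    [ "$found" = "$expected" ] || return 1
    case "$expected" in
        *"$keyid") return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed, abbreviated listing built from the key ID and fingerprint quoted above.
sample_listing() {
    printf '%s\n' \
        'pub:-:1024:17:16126D3A3E5C1192:' \
        'fpr:::::::::C47415DFF48C09645B78609416126D3A3E5C1192:' \
        'uid:-::::::::Ubuntu Extras Archive Automatic Signing Key <ftpmaster@ubuntu.com>:'
}

# Real use (key.asc is a placeholder):
#   gpg --show-keys --with-colons key.asc | key_is_expected KEYID 'FINGERPRINT'
if sample_listing | key_is_expected 16126D3A3E5C1192 \
        'C474 15DF F48C 0964 5B78  6094 1612 6D3A 3E5C 1192'; then
    echo "fingerprint and key ID match"
fi
```
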
12

Another easier way to resolve BADSIG GPG errors is via a software called Y PPA manager

sudo add-apt-repository ppa:webupd8team/y-ppa-manager
sudo apt-get update
sudo apt-get install y-ppa-manager

Click on Advanced

And then select Fix all GPG Badsig errors

Ashu
  • 9,482
3

If you still have this error after adding the key try:

  1. Go to your apt-cacher-ng cache directory, and delete the virtualbox entry:

    cd /var/cache/apt-cacher-ng
    sudo rm -rf download.virtualbox.org
    
cmcginty
  • 5,888
2

Found another server that we could use:

gpg --keyserver hkp://subkeys.pgp.net --recv-keys [YOURKEYINQUESTION]
gpg --armor --export [YOURKEYINQUESTION] | sudo apt-key add -
Jack
  • 21