Vyacheslav, if the .dsc file is modified in transit or by a malicious server, apt-get download will discard it.
Don't forget, we publish a gigantic list of 'spoofed' ubuntu.com domains and encourage people to use local ones if they are faster than our network connection :) https://launchpad.net/ubuntu/+archivemirrors Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1649097 Title: any source package signature is not valid Status in apt package in Ubuntu: New Bug description: In short: The GPG key 105BE7F7, with that 'linux' source package is signed, revoked on 08/16/16 (4 months ago!) How to reproduce: $ apt-get source linux-image-$(uname -r) ... Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic' ... Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 4.4.0-53.74 (tar) [133 MB] ... gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7 gpgv: Can't check signature: public key not found dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc ... ### if you add this key: $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7 $ apt-key list ... pub 4096R/105BE7F7 2011-09-06 uid Brad Figg <brad.f...@canonical.com> sub 4096R/F336E4D5 2011-09-06 pub 4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16] uid Brad Figg <brad.f...@canonical.com> ### THE KEY IS REVOKED 4 MONTHS AGO! ### Additional info: $ lsb_release -rd Description: Ubuntu 16.04.1 LTS Release: 16.04 ### My unmodified /etc/apt/sources.list in attachment. ### Note, /etc/apt/sources.list.d/ directory is empty. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
