[smartmontools-support] BAD signature from Smartmontools Signing Key when updating database

[Christian Franke]

Artur Meinild wrote:
> I tried to update the database with the command:
> sudo /usr/sbin/update-smart-drivedb
>
> But I got this error:
> gpg: Signature made Sat 24 Oct 2020 06:19:21 PM CEST
> gpg:                using RSA key EA74AB25721042C5
> gpg: BAD signature from "Smartmontools Signing Key (through 2020) 
> <smartmontools-database at listi.jpberlin.de 
> <mailto:smartmontools-database at listi.jpberlin.de>>" [unknown]
> /usr/sbin/update-smart-drivedb: 
> /var/lib/smartmontools/drivedb/drivedb.h.error.raw: *** BAD signature 
> or outdated key ***
>
> Is this a known problem - what do I need to do to solve this? I'm on 
> updated Ubuntu 20.04.1

Yes - this is a known problem. I've seen this a few weeks ago for the 
first time:

If a file is downloaded from SVN repository at sourceforge with curl, a 
previously cached version of the file may be returned. In the above 
case, only one file is affected, therefore the signature verification fails.

The problem is visible in the "ETag" HTTP reply:

  $ u='https://svn.code.sf.net/p/smartmontools/code'

  $ curl -v $u/branches/RELEASE_7_0_DRIVEDB/smartmontools/drivedb.h 2>&1 \
     | grep ETag:
  < ETag: "5111//branches/RELEASE_7_0_DRIVEDB/smartmontools/drivedb.h"

  $ curl -v 
$u/branches/RELEASE_7_0_DRIVEDB/smartmontools/drivedb.h.raw.asc 2>&1 \
     | grep ETag:
  < ETag: 
"5103//branches/RELEASE_7_0_DRIVEDB/smartmontools/drivedb.h.raw.asc"

Using
   curl -H 'Accept-Encoding: identity' ...
fixes the problem. I will add this to the update script
wget >= 1.16.1 adds this HTTP request header by default.


Workaround for now:

Use wget instead of curl:
   sudo usr/sbin/update-smart-drivedb -t wget
or try an alternative download LOCATION (github, sf, trac):
   sudo usr/sbin/update-smart-drivedb -u LOCATION

Thanks,
Christian