How to fix W: GPG error: URL Release: The following signatures were invalid: BADSIG in APT

APTINTERMEDIATEMEDIUM

This error occurs when APT package manager fails to verify the cryptographic signature of a repository's Release file. The signature verification failure indicates that either the repository's GPG key has changed, your local package lists are corrupted, or there's a network issue during verification.

What this error means

The BADSIG (Bad Signature) error means that APT has detected a mismatch between the cryptographic signature of a package repository's Release file and the expected signature from the repository's GPG key. Each repository signs its packages with a private GPG key, and APT verifies these signatures using the corresponding public key stored in your system's keyring. When the signature fails verification, it indicates either a legitimate change in the repository's signing key, corruption in your local package metadata, or a compromise in the delivery of the package data.

How to fix "W: GPG error: URL Release: The following signatures were invalid: BADSIG"

1Clear the APT package lists cache

This is the most common and effective fix. The corrupted cached package lists are often the culprit:

bash

sudo apt-get clean
cd /var/lib/apt
sudo mv lists lists.old
sudo mkdir -p lists/partial
sudo apt-get update

This sequence removes the corrupted package lists and allows apt to re-download fresh, valid ones.

2Verify the repository URL is correct

Check your APT sources to ensure the repository URL hasn't been replaced with a malicious or broken mirror:

bash

sudo nano /etc/apt/sources.list

Also check the sources.list.d directory:

bash

ls /etc/apt/sources.list.d/

If you see an unfamiliar repository causing the error, comment it out by adding a # at the beginning of its line.

3Re-import the GPG key from a keyserver

Extract the key ID from the BADSIG error message (the hexadecimal number), then re-import it:

bash

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <KEY_ID>

Replace <KEY_ID> with the actual ID from your error message. For example:

bash

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138

Then try updating again:

bash

sudo apt-get update

4Remove and re-add problematic PPA repositories

If the error is from a third-party PPA, disable it temporarily, update, then re-enable it:

bash

# Disable the PPA by renaming its config file
sudo mv /etc/apt/sources.list.d/ppa-name.list /etc/apt/sources.list.d/ppa-name.list.off

# Update to forget the source
sudo apt-get update

# Re-enable the PPA
sudo mv /etc/apt/sources.list.d/ppa-name.list.off /etc/apt/sources.list.d/ppa-name.list

# Update again
sudo apt-get update

Or use ppa-purge to completely remove a PPA:

bash

sudo apt-get install ppa-purge
sudo ppa-purge ppa:user/ppa-name

5Check for proxy or network interference

If you're behind a corporate proxy or firewall, ensure it's not intercepting repository downloads:

bash

# Test connectivity to a repository
curl -I http://archive.ubuntu.com/ubuntu/Release

If using a proxy, verify your APT proxy configuration:

bash

sudo nano /etc/apt/apt.conf.d/proxy.conf

Add or verify your proxy settings:

bash

Acquire::http::Proxy "http://proxy-address:port";

If the proxy is the issue, you may need to contact your IT team or bypass it if possible.

How to fix W: GPG error: URL Release: The following signatures were invalid: BADSIG in APT

What this error means

Typical symptoms

Common causes

How to fix "W: GPG error: URL Release: The following signatures were invalid: BADSIG"

Advanced notes

Related errors

Official resources & further reading