80

While updating my packages on a debian based system by a 

sudo apt-get update

I've got that error message :

Reading package lists... Done
W: GPG error: ftp://ftp.fr.debian.org stable/non-US Release: 
The following signatures were invalid: KEYEXPIRED 1138684904

What should I do to fix this ?

Zoredache
  • 131,987
paulgreg
  • 4,164

8 Answers8

125

To find any expired repository keys and their IDs, use apt-key as follows:

LANG=C apt-key list | grep expired

You will get a result similar to the following:

pub   4096R/BE1DB1F1 2011-03-29 [expired: 2014-03-28]

The key ID is the bit after the / i.e. BE1DB1F1 in this case.

To update the key, run

sudo apt-key adv --recv-keys --keyserver YOUR_GPGKEY_HOST_DOMAIN BE1DB1F1

Note:

  • Updating the key will obviously not work if the package maintainer has not (yet) uploaded a new key. In that case there is little you can do other than contacting the maintainer, filing a bug against your distribution etc.
  • YOUR_GPGKEY_HOST_DOMAIN indicates domain name of any available GPG key server, such as
    • keyserver.ubuntu.com
    • keys.openpgp.org
    • pgp.mit.edu
  • (update 2023.2.22) The SKS key server keys.gnupg.net is deprecated and gone.

One liner to update all expired keys: (thanks to @ryanpcmcquen)

for K in $(apt-key list | grep expired | cut -d'/' -f2 | cut -d' ' -f1); do sudo apt-key adv --recv-keys --keyserver keys.gnupg.net $K; done
Ham
  • 103
kynan
  • 1,763
  • 6
    that does not work for me, after the command for updating the key, the key is still expired. – Karl Forner Nov 06 '14 at 12:20
  • @KarlForner was adding the key successful? – kynan Nov 07 '14 at 10:18
  • yes it was successful. – Karl Forner Nov 07 '14 at 14:08
  • @KarlForner Note that if the package maintainer has not uploaded a new key this will of course have no effect and there's nothing you can do in this case (still my instructions are correct). – kynan Nov 07 '14 at 14:11
  • this worked for me but only after I replaced at .de host with one from .us – dldnh Jun 25 '15 at 01:46
  • very compact, generic (and working) answer – mariotomo Oct 18 '15 at 17:53
  • In my case I needed to run the command more than one time, to recover all the missing keys. Thanks! – gerlos Nov 04 '15 at 10:57
  • 4
    One liner: for K in $(apt-key list | grep expired | cut -d'/' -f2 | cut -d' ' -f1); do sudo apt-key adv --recv-keys --keyserver keys.gnupg.net $K; done – ryanpcmcquen Dec 11 '16 at 00:47
  • 2
    Just a hint as to grep part: "expired" is i18ned, so depending on LANG* settings this may not work, for instance for settings pl_PL.UTF-8 one has to change "expired" to "wygasł" to make this one-liner to work. – Cromax Apr 25 '17 at 16:30
  • In some LInux distros, the host keys.gnupg.net might be no longer available because it works only with old version of the operating system, this host which serves GPG keys needs to be updated in this answer. – Ham Feb 20 '23 at 04:11
  • @Ham what's the recommended keyserver these days then? Happy to update my answer. – kynan Feb 21 '23 at 21:14
  • I found that It is just the key server keys.gnupg.net gone and no longer available, and you can switch to any other key server, there is nothing to do with old versions of operating system, I submitted my change to this answer please take a look, thanks – Ham Feb 22 '23 at 07:10
7

You need to get the newer key and add it, at which point apt will detect it and not complain. This shouldn't normally happen, but it sometimes does. What you really need is to know the hex code of the key you need to add; once you have that, it's pretty much downhill from there.

Some examples:

Avery Payne
  • 14,664
3

It might also happen when the date is not correct.

Check the date with

date

If it's misconfigured, do the following to set your timezone and date auto synchronization.

apt-get install ntp ntpdate && service ntp stop
dpkg-reconfigure tzdata
ntpdate-debian
service ntp start
Aley
  • 209
2

I had similar error, but problem was in system time. The year was 1961 :)

I corrected system date/time and after that could update without a pro

Svenv
  • 171
2

On the Debian Wiki about SecureAPT, I've found that I should remove the line containing non-us from /etc/apt/sources.list.

I actually did that and it worked.

paulgreg
  • 4,164
2

One highly unlikely, but occasionally possible, cause for this error is if having added the same key twice with different expiry dates. You would likely know having done so for this answer to be relevant to you.

This can happen, as it did for me, when hosting your own repository with your own keys. If you, when the key is about to expire, simply extend its lifetime rather than change it, and if you installed the original key using preseeding but the updated key using a deb package, then the old key will be in /etc/apt/trusted.gpg, while the new one ends up as a separate file under /etc/apt/trusted.gpg.d/. The old key will shadow the new one, which will be completely ignored by apt-key. Remove the old key by running gpg --keyring /etc/apt/trusted.gpg --delete-keys <keyid>, and your new key will become detected.

This is a bit of a non-standard corner configuration, but I hope my answer can save some confusion in case anyone else encounters this issue due to the same reason as I did.

sampi
  • 158
1

A more simple oneliner:

for key in $(sudo apt-key list | awk -v FS='[ /:]+' '/expire[sd]/ {print $3}'); do sudo apt-key adv --recv-keys --keyserver keys.gnupg.net $key; done

I just feel that if you are doing things like using cut more than once, there is a better tool. (Also, I created this based on a different question.)

Bruno Bronosky
  • 4,539
-1

You don't have to do anything. It is just a warning, you can see that from the W: prefix.

Michael F
  • 117
  • 1
    If he didn't have to do anything the whole Signing system for Repos would be useless. This is a security feature and in production envirionments key integrity is crucial for security. – Broco Mar 15 '18 at 17:41