Hello, dear friends. Although it is not always recommended, we often need to add external repositories to get recent versions of a package or a whole program. Usually, these repositories have a GPG key that lets APT verify the packages it installs from them. What happens when these GPG keys expire? Well, it is no longer possible to use the repository. So in this post, you will learn how to remove an expired key in APT.
According to Wikipedia:
GPG is an encryption and digital signature tool developed by Werner Koch, which is a replacement for PGP (Pretty Good Privacy) but with the main difference that it is free software licensed under the GPL. GPG uses the IETF standard called OpenPGP.
With this tool, repositories sign their package indexes, and the repository's public key allows the system to determine whether the packages are trustworthy or not, in particular whether they have been modified in a way that could cause problems in the system.
For these reasons, all repositories have a GPG key that must be added to the system manually or using apt-key.
The problem arises when these keys expire because they are created for a limited time. This causes APT to give an error called EXPKEYSIG.
To solve this problem, it is best to remove the key from the system and then download the new GPG key from the repository.
So, let’s go for it.
Remove an expired key in APT
When an expired GPG key has been added to the system and we run
sudo apt update
you will get an error similar to this one.
Err:2 [repository_URL] InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: [repository_URL] InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743
W: Failed to fetch [repository_URL]  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743
W: Some index files failed to download. They have been ignored, or old ones used instead.
The important part of this error is EXPKEYSIG, which confirms that the GPG key has indeed expired.
The best thing to do then is to remove it from the system. There are two ways to do this. If the GPG key was added manually, then it is stored in the /etc/apt/trusted.gpg.d/ path with a .gpg extension and you can simply use the rm command to remove it.
On the other hand, if the GPG key was added with the apt-key command, then the process is different and you should use this same command to remove the GPG key.
To check which GPG keys in the system have expired, you can use this command:
sudo apt-key list 2>/dev/null | grep expired -B 1
Sample output:
pub   rsa3072 2018-01-14 [SC] [expired: 2021-07-21]
      1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743
uid           [ expired] Automatic Signing Key
From this output, we are interested in the last 8 hexadecimal characters of the GPG key fingerprint. These characters form the short key ID we need. In this case, 95BD4743 is the ID we are looking for.
So, to delete the GPG key, you have to run
sudo apt-key del [ID]
For this example, it would be
sudo apt-key del 95BD4743
And voila, all that’s left is for you to download and add the new GPG key from the affected repository.
Then, when you run
sudo apt update
the error will be gone and you will be able to use the repository again.
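The steps above work by eye: read the EXPKEYSIG value out of the apt update error, find the matching expired key in apt-key list, take the last 8 characters of its fingerprint. The script below, an added example that is not part of the original post, does the same cross-check on constructed copies of both outputs (the fingerprint and EXPKEYSIG value are the ones shown above; the second, valid key is made up), so you can confirm that the key you are about to delete is really the one the error names before touching the keyring. It only prints the apt-key del command; it does not run it.

```shell
#!/bin/sh
# Added example (not from the original post): match the EXPKEYSIG long ID from
# `apt update` against the expired keys in `apt-key list` and print the
# `apt-key del` command for the key that actually caused the error.
# Both inputs are constructed samples; nothing here modifies a real keyring.

APT_UPDATE_ERROR='W: GPG error: [repository_URL] InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743'

APT_KEY_LIST='pub   rsa3072 2018-01-14 [SC] [expired: 2021-07-21]
      1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743
uid           [ expired] Automatic Signing Key

pub   rsa4096 2020-05-01 [SC] [expires: 2030-05-01]
      0000 1111 2222 3333 4444 5555 6666 7777 8888 9999
uid           [ unknown] Constructed Valid Key <valid@example.invalid>
'

# Long key ID named in the EXPKEYSIG error: the 16 hex digits after the keyword.
expkeysig_id() {
    printf '%s\n' "$1" | sed -n 's/.*EXPKEYSIG \([0-9A-F]*\).*/\1/p' | head -n 1
}

# Fingerprints (40 hex digits, spaces removed) of every key apt-key marks as expired.
# A "pub" line records whether the key is expired; the indented hex line that
# follows it carries the fingerprint. Valid keys are skipped.
expired_fingerprints() {
    printf '%s\n' "$1" | awk '
        /^pub / { expired = ($0 ~ /\[expired:/); next }
        expired && /^[ \t]+[0-9A-F ]+$/ {
            fp = $0; gsub(/[ \t]/, "", fp)
            if (length(fp) == 40) { print fp; expired = 0 }
        }
    '
}

# The long ID is the last 16 hex digits of the fingerprint, the short ID the last 8.
long_id()  { printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 15) }'; }
short_id() { printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 7) }'; }

# Print `sudo apt-key del <short ID>` for each expired key whose long ID equals
# the EXPKEYSIG value. Returns 1 if no expired key matches, which means the
# error comes from a key this listing does not show as expired.
removal_command() {
    err_id=$(expkeysig_id "$1")
    found=1
    for fp in $(expired_fingerprints "$2"); do
        if [ "$(long_id "$fp")" = "$err_id" ]; then
            printf 'sudo apt-key del %s\n' "$(short_id "$fp")"
            found=0
        fi
    done
    return $found
}

removal_command "$APT_UPDATE_ERROR" "$APT_KEY_LIST"
```

On a real system you would feed it the live outputs, for example removal_command "$(sudo apt update 2>&1 | grep EXPKEYSIG | head -n 1)" "$(sudo apt-key list 2>/dev/null)", and run the printed command only after checking it names the repository you expect. The match is done on the full 16-digit long ID rather than the 8-character short ID, because short IDs are easy to collide and the error message already gives you the longer value.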
Conclusion
In this post, you have learned an elementary trick of repository management such as removing an expired key in APT. This way, you won’t have any problems with it when the time comes. This trick or tutorial works for both desktop and server users.
Hi!
I think there are a couple of errors in the text. [sudo apt-key for] probably should be replaced by [sudo apt-key del]