Angelo
I am Angelo. A systems engineer passionate about Linux and all open-source software. Although here I'm just another member of the family.

Remove an expired key in APT

Hello, dear friends. Although it is not always recommended, we often need to add external repositories to get recent versions of a package or a whole program. Usually, these repositories have a GPG key that allows us to secure the installation. What happens when these GPG keys expire? Well, it is no longer possible to use the repository. So in this post, you will learn how to remove an expired key in APT.

According to Wikipedia:

GPG is an encryption and digital signature tool developed by Werner Koch, which is a replacement for PGP (Pretty Good Privacy) but with the main difference that it is free software licensed under the GPL. GPG uses the IETF standard called OpenPGP.

With this tool, a repository signs what it publishes, and the repository's public key allows the system to determine whether that content is trustworthy, especially whether the packages have been modified and could cause problems in the system.

For these reasons, all repositories have a GPG key that must be added to the system manually or using apt-key.

The problem arises when these keys expire because they are created for a limited time. This causes APT to give an error called EXPKEYSIG.

To solve this problem, it is best to remove the key from the system and then download the new GPG key from the repository.

So, let’s go for it.

Remove an expired key in APT

When the system has an expired GPG key and you run

sudo apt update

You will get an error similar to this one.

Err:2 [repository_URL] InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: [repository_URL] InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743
W: Failed to fetch [repository_URL]  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743
W: Some index files failed to download. They have been ignored, or old ones used instead.

The important part of this error is the EXPKEYSIG entry, which confirms that the GPG key has indeed expired.

The best thing to do then is to remove it from the system. There are two ways to do this. If the GPG key was added manually, then it is stored in the /etc/apt/trusted.gpg.d/ path with a .gpg extension and you can simply use the rm command to remove it.

On the other hand, if the GPG key was added with the apt-key command then the process is different and you should use this same command to remove the GPG key.

To check which GPG keys are expired in the system, you can use this command

sudo apt-key list 2>/dev/null | grep expired -B 1

Sample Output

pub rsa3072 2018-01-14 [SC] [expired: 2021-07-21]
  1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743
  uid [ expired] Automatic Signing Key 

From this screen output, we are interested in the last 8 characters of the GPG key fingerprint. These characters form the ID we need.

In this case, 95BD4743 is the ID we are looking for.

So, to delete the GPG key, you have to run

sudo apt-key del [ID]

For this example, it would be

sudo apt-key del 95BD4743

And voila, all that’s left is for you to download and add the new GPG key from the affected repository.

Then, when you run

sudo apt update

The error will be gone and you will be able to use the repository again.
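
Before deleting anything, it is worth confirming that the key APT rejected is the same one the keyring marks as expired. The script below is an added example, not part of the original post: the function names are hypothetical and the sample inputs are constructed from the output shown above. It prints the full fingerprint next to the 16-character ID from the EXPKEYSIG line and the 8-character ID used in this post.

```shell
#!/usr/bin/env bash
# Added example: match the key APT rejected against expired keys in the keyring.
# Function names are hypothetical; sample inputs are constructed from this post.

# Read `apt update` output on stdin; print each unique ID that follows EXPKEYSIG.
expkeysig_ids() {
  grep -oE 'EXPKEYSIG [0-9A-F]{16}' | awk '{print $2}' | sort -u
}

# Read `apt-key list` output on stdin; for every expired pub key print:
#   <full fingerprint> <long ID: last 16 chars> <short ID: last 8 chars>
expired_keys() {
  awk '
    /^pub / { expired = ($0 ~ /\[expired: /); next }
    expired && /^ +[0-9A-F ]+$/ {
      fpr = $0; gsub(/ /, "", fpr)          # drop the spaces between groups
      if (length(fpr) == 40)
        print fpr, substr(fpr, 25), substr(fpr, 33)
      expired = 0
    }'
}

# Succeed only if the long ID reported by APT belongs to an expired key.
# $1 = long ID from EXPKEYSIG, $2 = text of `apt-key list`
is_reported_key_expired() {
  printf '%s\n' "$2" | expired_keys |
    awk -v id="$1" '$2 == id { found = 1 } END { exit !found }'
}

# Constructed sample: the apt update error from this post.
SAMPLE_APT_UPDATE='Err:2 [repository_URL] InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743
W: Failed to fetch [repository_URL]  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743'

# Constructed sample: the apt-key list entry from this post.
SAMPLE_KEY_LIST='pub rsa3072 2018-01-14 [SC] [expired: 2021-07-21]
  1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743
  uid [ expired] Automatic Signing Key'

for id in $(printf '%s\n' "$SAMPLE_APT_UPDATE" | expkeysig_ids); do
  if is_reported_key_expired "$id" "$SAMPLE_KEY_LIST"; then
    echo "expired key confirmed: $id"
  else
    echo "WARNING: $id is not an expired key in this keyring" >&2
  fi
done
```

On a real system, replace the sample variables with the captured output of sudo apt update and sudo apt-key list.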

Conclusion

In this post, you have learned an elementary trick of repository management: removing an expired key in APT. This way, you won’t have any problems with it when the time comes. This trick or tutorial works for both desktop and server users.
