How to solve an expired key (KEYEXPIRED) with apt

Updating expired keys on Debian and Ubuntu

Software updates and package management are easy on systems based on Debian or Ubuntu. Just run apt-get update (or apt update), followed by an upgrade. But sometimes you may encounter the following situation: a KEYEXPIRED message.

root# apt-get update && apt-get upgrade
Get:1 xenial-security InRelease [94.5 kB]
Hit:2 xenial InRelease
Get:3 xenial-updates InRelease [95.7 kB]
Hit:4 xenial-backports InRelease
Hit:5 stable InRelease
Get:6 xenial-updates/main amd64 Packages [373 kB]
Ign:7 xenial InRelease
Get:8 xenial Release [2,309 B]
Get:9 xenial Release.gpg [287 B]
Get:10 xenial-updates/main i386 Packages [368 kB]
Get:11 xenial-updates/universe amd64 Packages [319 kB]
Get:12 xenial-updates/universe i386 Packages [316 kB]
Err:9 xenial Release.gpg
The following signatures were invalid: KEYEXPIRED 1471427554
Fetched 1,566 kB in 0s (2,003 kB/s)
Reading package lists… Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: xenial Release: The following signatures were invalid: KEYEXPIRED 1471427554
W: Failed to fetch The following signatures were invalid: KEYEXPIRED 1471427554
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
The following packages will be upgraded:
apparmor libapparmor-perl libapparmor1 python3-distupgrade python3-software-properties software-properties-common ubuntu-release-upgrader-core
7 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/672 kB of archives.
After this operation, 5,120 B of additional disk space will be used.
Do you want to continue? [Y/n] y

The KEYEXPIRED message shows that validation of the related repository signature failed. This is a good thing: it warns us that we should check the repository. With an expired key, the solution is simple: we need to download an updated key. Apparently it is for the nginx repository.

Step 1: Run apt-key

Using the apt-key utility we can display all the known keys.

apt-key list

In our case, we see that the nginx key expired a few days ago:

pub 2048R/7BD9BF62 2011-08-19 [expired: 2016-08-17]
uid nginx signing key <>

Two items are highlighted in this example. The first one is the short version of the key. The second one shows that the key is expired (including the date). This key was valid for almost 5 years.

To quickly find the expired keys, search for “expired:”:

apt-key list | grep "expired:"
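
The number after KEYEXPIRED in the apt error is a Unix timestamp, so it can be matched against the expiry dates that apt-key list prints. The script below is an added example, not part of the original post: its function names are hypothetical, and it assumes GNU date and the apt-key list layout shown above.

```shell
#!/bin/sh
# Added example: link KEYEXPIRED epochs in apt output to expired keys.
# Assumes GNU date (as on Debian/Ubuntu) and the apt-key list layout shown above.

# stdin: apt output. Prints "EPOCH YYYY-MM-DD" (UTC) per distinct KEYEXPIRED value.
keyexpired_dates() {
    grep -o 'KEYEXPIRED [0-9][0-9]*' | awk '{print $2}' | sort -u |
    while read -r ts; do
        printf '%s %s\n' "$ts" "$(date -u -d "@$ts" +%Y-%m-%d)"
    done
}

# stdin: `apt-key list` output. Prints "KEYID EXPIRY" for each expired pub key.
expired_keys() {
    sed -n 's|^pub  *[0-9]*[A-Za-z]/\([0-9A-Fa-f]*\) .*\[expired: \([0-9-]*\)\].*|\1 \2|p'
}

# $1: apt output, $2: apt-key list output. Prints the IDs of expired keys whose
# expiry date equals the date of a KEYEXPIRED epoch. gpg prints local dates,
# so a key expiring close to midnight can differ by one day from the UTC date.
keys_to_renew() {
    dates=$(printf '%s\n' "$1" | keyexpired_dates | awk '{print $2}' | sort -u)
    printf '%s\n' "$2" | expired_keys | while read -r id exp; do
        for d in $dates; do
            if [ "$d" = "$exp" ]; then echo "$id"; fi
        done
    done
}

# Sample input, excerpted from the output shown in this article.
SAMPLE_APT_LOG='Err:9 xenial Release.gpg
  The following signatures were invalid: KEYEXPIRED 1471427554
W: Failed to fetch The following signatures were invalid: KEYEXPIRED 1471427554'

SAMPLE_KEY_LIST='pub   2048R/7BD9BF62 2011-08-19 [expired: 2016-08-17]
uid                  nginx signing key
pub   1024R/C300EE8C 2010-07-21
uid                  Launchpad Stable'

# Stand-alone run on the sample input.
keys_to_renew "$SAMPLE_APT_LOG" "$SAMPLE_KEY_LIST"
```

On a live system, feed the functions the saved output of apt-get update and apt-key list instead of the sample variables.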

Step 2: Update the key

We can now use the key gathered in step 1 to update it:

apt-key adv --keyserver --recv-keys [KEY]

The output might look like this:

[Screenshot: apt renewing an expired APT key. The key is renewed, after choosing the right one (otherwise no change is made).]

On purpose we selected an incorrect key, which was also related to nginx:

pub 1024R/C300EE8C 2010-07-21
uid Launchpad Stable

As you can see in the output above, nothing happens when you select the wrong key.

Step 3: Update

After renewing the expired key you can run apt update again and install any available upgrades.

apt update && apt upgrade

Happy upgrading!


This blog post is part of our Linux security series to get Linux and Unix-based systems more secure.



  • Ruslan

    You are a little mistaken. The command that updates the key must look like this:

    apt-key adv --keyserver --recv-keys [KEY]

  • Eddie Dunn

    Thanks for the guide; it solved my problem.

    However, the line “apt-key adv –keyserver –recv-keys [KEY]” is broken, since the double dashes before keyserver and recv-keys are replaced by “–”.

    • Thanks, I’ve changed it to a code block. WordPress and the use of dashes/minus signs gets messed up easily.

  • GeoJulien

    Thanks for your help.
    I’ve been facing trouble where the keyserver is unreachable and I’m not behind a proxy. I’ve found the solution: sudo apt-key adv --keyserver hkp:// --recv 7F0CEB10

  • Carlos Alvarez

    Many thanks for your article. It solved my expired key problem!!!
    Congratulations from Santiago, Chile.

