How to solve an expired key (KEYEXPIRED) with apt

Software updates and package management is easy with systems based on Debian or Ubuntu. Just apt-get update (or apt update) and run an upgrade. But sometimes you may encounter the following situation: a KEYEXPIRED message.

KEYEXPIRED message

# apt-get update && apt-get upgrade  
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB]  
Hit:2 http://nl.archive.ubuntu.com/ubuntu xenial InRelease  
Get:3 http://nl.archive.ubuntu.com/ubuntu xenial-updates InRelease [95.7 kB]  
Hit:4 http://nl.archive.ubuntu.com/ubuntu xenial-backports InRelease  
Hit:5 https://packages.cisofy.com/community/lynis/deb stable InRelease  
Get:6 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [373 kB]  
Ign:7 http://nginx.org/packages/mainline/ubuntu xenial InRelease  
Get:8 http://nginx.org/packages/mainline/ubuntu xenial Release [2,309 B]  
Get:9 http://nginx.org/packages/mainline/ubuntu xenial Release.gpg [287 B]  
Get:10 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages [368 kB]  
Get:11 http://nl.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages [319 kB]  
Get:12 http://nl.archive.ubuntu.com/ubuntu xenial-updates/universe i386 Packages [316 kB]  
Err:9 http://nginx.org/packages/mainline/ubuntu xenial Release.gpg  
The following signatures were invalid: KEYEXPIRED 1471427554  
Fetched 1,566 kB in 0s (2,003 kB/s)  
Reading package lists… Done  
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://nginx.org/packages/mainline/ubuntu xenial Release: The following signatures were invalid: KEYEXPIRED 1471427554  
W: Failed to fetch http://nginx.org/packages/mainline/ubuntu/dists/xenial/Release.gpg The following signatures were invalid: **KEYEXPIRED** 1471427554  
W: Some index files failed to download. They have been ignored, or old ones used instead.  
Reading package lists… Done  
Building dependency tree  
Reading state information… Done  
Calculating upgrade… Done  
The following packages will be upgraded:  
apparmor libapparmor-perl libapparmor1 python3-distupgrade python3-software-properties software-properties-common ubuntu-release-upgrader-core  
7 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.  
Need to get 0 B/672 kB of archives.  
After this operation, 5,120 B of additional disk space will be used.  
Do you want to continue? [Y/n] y

The KEYEXPIRED shows that validation failed on the related repository signature. This is a good thing, to warn us that we should be checking the repository. With an expired key, the solution is simple: we need to download an updated key. Apparently it is for the nginx repository.

Step 1: Run apt-key

Using the apt-key utility we can display all the known keys.

apt-key list

In our case, we see the nginx key is expired a few days ago:

pub 2048R/7BD9BF62 2011-08-19 [expired: 2016-08-17]
uid nginx signing key signing-key@nginx.com

Two items are highlighted in this example. The first one is the short version of the key. The second one is showing that the key is expired (including the date). This key was valid for almost 5 years.

To quickly find the expired keys, search for “expired:”:

apt-key list | grep "expired:"

Step 2: Update the key

We can now use the key gathered in step 1 to update it:

apt-key adv --keyserver keys.gnupg.net --recv-keys [KEY]

The output might look like this:

Screenshot of apt to renew an expired APT key

The key is renewed, after choosing the right one (otherwise no change is made)

On purpose we selected an incorrect key, which was also related to nginx:

/etc/apt/trusted.gpg.d/nginx-development.gpg

pub 1024R/C300EE8C 2010-07-21
uid Launchpad Stable

As you can see in the output above, nothing happens when you select the wrong key.

Step 3: Update

After renewing the expired key you can run apt update again and install any available upgrades.

apt update && apt upgrade

Happy upgrading!

Screenshot of Lynis security tool

Take the next step!

Want to keep your software packages up-to-date and secure or check for vulnerabilities? Perform a system audit with Lynis, including a configuration test for vulnerable packages.

Lynis is a battle-tested technical security audit tool. It is open source, freely available, and used by system administrators all over the world. Other users include IT auditors, security professionals, like pentesters.

Tool Information

Visit project page