Debian gpg error keyexpired

Since 19 november 2022 apt-get update on Debian 8 Jessie gives the follwowing error/warning when running apt-get update:

W: GPG error: http://archive.debian.org jessie Release: 
The following signatures were invalid: KEYEXPIRED 1587841717

The contents of my /etc/apt/sources.list:

deb http://archive.debian.org/debian/ jessie main contrib non-free
deb http://deb.freexian.com/extended-lts jessie-lts main contrib non-free

The expired keys:
apt-key list

/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
pub   4096R/2B90D010 2014-11-21 [expired: 2022-11-19]
uid   Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
pub   4096R/C857C906 2014-11-21 [expired: 2022-11-19]
uid   Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

I have the debian-archive-keyring package installed.

I tried to update the keys, using:

gpg --keyserver keyring.debian.org --recv-key 2B90D010
gpg --keyserver keyring.debian.org --recv-key C857C906

But these keys do not seem to be known on keyring.debian.org:

gpg: requesting key 2B90D010 from hkp server keyring.debian.org
gpgkeys: key 2B90D010 can't be retrieved
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

gpg: requesting key C857C906 from hkp server keyring.debian.org
gpgkeys: key C857C906 can't be retrieved
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0`

So I suppose my questions are:

All keys on the archive.debian.org site are expired.

1. Am I trying to update the keys against the correct keyserver (keyring.debian.org)?
2. If that is not the issue, then will somebody at Debian fix this (update and publish keys)?
3. If no, then is there a way to get rid of the warnings when apt-get update and apt-get install are run?

I’ve got the problem, that the «apt-get update» produced a KEYEXPIRED 1587841717 error:

# apt-get update
...
W: GPG error: http://archive.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1587841717

Here my sources.list:

# cat /etc/apt/sources.list.d/sources.list
deb http://http.debian.net/debian jessie main
deb http://http.debian.net/debian jessie contrib
deb http://archive.debian.org/debian jessie main
deb http://archive.debian.org/debian jessie contrib

Here the expired keys found by apt-key (it seems that the key 46925553 expired on 2020-04-25):

apt-key list | grep expired -A1
pub   4096R/46925553 2012-04-27 [expired: 2020-04-25]
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
--
pub   4096R/65FFB764 2012-05-08 [expired: 2019-05-07]
uid                  Wheezy Stable Release Key <debian-release@lists.debian.org>
--
pub   4096R/B98321F9 2010-08-07 [expired: 2017-08-05]
uid                  Squeeze Stable Release Key <debian-release@lists.debian.org>
--
pub   4096R/473041FA 2010-08-27 [expired: 2018-03-05]
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
--
pub   4096R/65FFB764 2012-05-08 [expired: 2019-05-07]
uid                  Wheezy Stable Release Key <debian-release@lists.debian.org>
--
pub   4096R/46925553 2012-04-27 [expired: 2020-04-25]
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>

Now i tried to renew the keys:

apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 46925553
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 65FFB764
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys B98321F9
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 473041FA

But the keys are not changed:

# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 46925553
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.Ue8AFETZOi --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian.gpg --keyring /etc/apt/trusted.gpg.d/php.gpg --keyring /etc/apt/trusted.gpg.d/turnkey.gpg --keyring /etc/apt/trusted.gpg.d/ubuntuzilla.firefox.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 46925553
gpg: requesting key 46925553 from hkp server keyserver.ubuntu.com
gpg: key 46925553: "Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

A new «apt-get update» get the same error like above.

Can anybody help to solve the problem?

Running an Ubuntu or Debian operating system on your servers comes with a long lifetime. You won’t switch servers and migrate your applications that often.

You’ll maintain your system now and then and update installed packages to keep your system secure.

Recently, while maintaining the software on our server, we ran into the error „The following signatures were invalid: KEYEXPIRED 1544811256“ while running apt-get update.

This error happens when your system installs services from third-party repositories as we do with MongoDB.

Ubuntu/Debian Series Overview

The Problem

You’ll recognize the following output while running apt-get update on your Ubuntu 16.04 system:

$ sudo apt-get update

Ign:11 https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 InRelease  
Hit:12 https://repos.sonar.digitalocean.com/apt main InRelease  
Hit:13 https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 Release  
Err:17 https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 Release.gpg  
  The following signatures were invalid: KEYEXPIRED 1544811256
Fetched 1930 kB in 3s (601 kB/s)  
Reading package lists... Done

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 Release: The following signatures were invalid: KEYEXPIRED 1544811256

W: Failed to fetch https://repo.mongodb.org/apt/ubuntu/dists/xenial/mongodb-org/3.6/Release.gpg  The following signatures were invalid: KEYEXPIRED 1544811256  
W: Some index files failed to download. They have been ignored, or old ones used instead.  

The GPG key of the MongoDB repository expired on this server. To fix this issue, you need to rotate the key on your system. Here are the steps to renew an expired key.

Step 1: Find the Expired Key

Find the expired key from apt’s key list. You can run apt-key list to print a list of all installed keys. Use the command below if you want to filter for expired keys:

$ sudo apt-key list | grep -A 1 expired

pub   4096R/91FA4AD5 2016-12-14 [expired: 2018-12-14]  
uid                  MongoDB 3.6 Release Signing Key <packaging@mongodb.com>  

This resulting list prints all packages with related key details. The important part is the key 91FA4AD5. Copy that part, because you need it in the second step.

At the time of writing this tutorial, it’s December 18th, 2018 and the key expired four days ago (December 14th, 2018).

Step 2: Renew the Expired Key

Now that you know which key expired, go ahead and renew it. Use the following command and replace the <KEY> placeholder with your key’s value (the one you copied from above):

$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys <KEY>

For the expired MongoDB GPG key, the command and output looks like this:

$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 91FA4AD5

Executing: /tmp/tmp.XC8EiRvH3E/gpg.1.sh --keyserver  
hkp://keyserver.ubuntu.com:80  
--recv-keys
91FA4AD5  
gpg: requesting key 91FA4AD5 from hkp server keyserver.ubuntu.com  
gpg: key 91FA4AD5: "MongoDB 3.6 Release Signing Key <packaging@mongodb.com>" 1 new signature  
gpg: Total number processed: 1  
gpg:         new signatures: 1  

Sweet! Processing the key finished and your system received a new signature. Run the command to find outdated keys again and ensure an empty list.

Step 3: Re-Run Update

Now go ahead and re-run the apt-get update command to update your repositories 👌

$ sudo apt-get update

That’s it. Now you can upgrade your system with the updated packages. Enjoy!

One more thing…

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package

One highly unlikely, but occasionally possible, cause for this error is if having added the same key twice with different expiry dates. You would likely know having done so for this answer to be relevant to you.

This can happen, as it did for me, when hosting your own repository with your own keys. If you, when the key is about to expire, simply extend its lifetime rather than change it, and if you installed the original key using preseeding but the updated key using a deb package, then the old key will be in /etc/apt/trusted.gpg, while the new one ends up as a separate file under /etc/apt/trusted.gpg.d/. The old key will shadow the new one, which will be completely ignored by apt-key. Remove the old key by running gpg --keyring /etc/apt/trusted.gpg --delete-keys <keyid>, and your new key will become detected.

This is a bit of a non-standard corner configuration, but I hope my answer can save some confusion in case anyone else encounters this issue due to the same reason as I did.

None of these worked for me:

$ sudo apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 5072E1F5

or

$ sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5072E1F5

or

$ sudo apt-key adv --keyserver pgp.mit.edu --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5

The sources for those are:
https://bugs.mysql.com/bug.php?id=85029 and https://bugs.mysql.com/bug.php?id=94378

I performed one suspect operation in desperation (saying ‘y’ instead of ‘N’ below) which I think wasn’t required at all:

$ sudo apt-get install mysql-apt-config

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  mysql-apt-config
1 upgraded, 0 newly installed, 0 to remove and 294 not upgraded.
Need to get 35.6 kB of archives.
After this operation, 0 B of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  mysql-apt-config
Install these packages without verification? [y/N] y
Get:1 http://repo.mysql.com/apt/ubuntu/ trusty/mysql-apt-config mysql-apt-config all 0.8.13-1 [35.6 kB]
Fetched 35.6 kB in 0s (229 kB/s)      
Preconfiguring packages ...
dpkg-deb: error: archive '/var/cache/apt/archives/mysql-apt-config_0.8.13-1_all.deb' has premature member 'control.tar.xz' before 'contro
l.tar.gz', giving up
dpkg: error processing archive /var/cache/apt/archives/mysql-apt-config_0.8.13-1_all.deb (--unpack):
 subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/mysql-apt-config_0.8.13-1_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

And followed it with:

$ sudo apt-get update

which did not help.

I still got the same error.

Finally, the following worked:

$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 5072E1F5

I’m speculating (blindly) that maybe pgp.mit.edu has changed their structure or maybe «MySQL Release Engineering» (run apt-key list) has moved their keys to the ubuntu key server or some such thing (I have no idea of how keys are maintained).

This comment on the duplicate thread says the same thing.

Hope this saves someone some time and effort.