In this article, we will delve into the process of resolving GPG errors related to invalid signatures and expired keys in Ubuntu’s Advanced Packaging Tool (APT). This is a common issue that Ubuntu users may encounter when updating their packages.
- Understanding the Issue
- Solution 1: Refresh the GPG Key
- Solution 2: Use a Specific Keyserver
- Solution 3: Check System Clock and Contact Repository Maintainer
- Solution 4: Remove the Expired Key and PPA
- Solution 5: Set the Correct System Time in the BIOS
- Solution 6: GUI-oriented Approach
- Solution 7: Allow Insecure Repositories (Not Recommended)
Understanding the Issue
Before we dive into the solutions, it’s important to understand what the error means. When you see a message like “GPG error: The following signatures were invalid: KEYEXPIRED,” it indicates that the GPG key for a repository has expired. This can happen due to an incorrect system clock or an actual expiration of the key.
Solution 1: Refresh the GPG Key
The first solution involves refreshing the expired GPG key using the apt-key command. Here’s how you can do it:
- Identify the expired key: Run the following command in your terminal:
sudo apt-key list | grep "expired: "
This command lists all the keys and keeps only the lines marked as expired.
- Refresh the key: Use the following command to refresh the key:
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys [KEY]
Replace [KEY] with the key obtained from the previous command. This command fetches the updated key from the specified keyserver.
Alternatively, you can use this one-liner command to refresh all expired keys:
sudo apt-key list | grep "expired: " | sed -ne 's|pub .*/\([^ ]*\) .*|\1|gp' | xargs -n1 sudo apt-key adv --keyserver keys.gnupg.net --recv-keys
This command automates the process of finding and updating all expired keys.
Solution 2: Use a Specific Keyserver
If the previous solution doesn’t work, it might be due to issues with the keyserver. In such cases, you can try using a different keyserver. For example, replace
Solution 3: Check System Clock and Contact Repository Maintainer
Ensure that your system clock is correct. An incorrect date can lead to key expired errors. If the issue persists, it may be necessary to contact the repository maintainer and import the new key once they update their keys to sign the files.
Solution 4: Remove the Expired Key and PPA
Another solution is to delete the expired key and remove the corresponding PPA (Personal Package Archive). Here’s how to do it:
- Delete the expired key: Use the following command:
sudo apt-key del [KEY]
Replace [KEY] with the expired key. This command removes the expired key from your system.
- Remove the PPA: Delete the corresponding file in /etc/apt/sources.list.d/ and then run the following commands:
sudo apt-get clean
sudo apt-get update
These commands clean the local repository of retrieved package files and update the package list.
Optionally, you can add a new key if required using the following commands:
sudo apt-get upgrade
sudo apt-get dist-upgrade
These commands upgrade all the packages on your system, and if a new key is required, it will be added.
Solution 5: Set the Correct System Time in the BIOS
If the system time is incorrect, adjust it in the BIOS settings. This is because an incorrect system time can cause the GPG keys to appear as expired.
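The two causes named under "Understanding the Issue" (a wrong clock or a genuinely expired key) call for different fixes, so it helps to tell them apart before touching any keys. The following is an added example, not part of the original article: it reads GnuPG colon-format key listings (as produced by gpg --list-keys --with-colons) and compares each key's expiry against both the system clock and a reference time you trust. The function names, the sample keyring and the two time parameters are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide, per key, whether KEYEXPIRED is real or only an
# artifact of a wrong system clock.

# Constructed sample in GnuPG colon format (GnuPG 2.x layout assumed):
# field 5 = key ID, field 6 = creation time, field 7 = expiry time,
# both in epoch seconds; an empty field 7 means the key never expires.
sample_keyring() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAAA:1500000000:1600000000::-:::sc::::::23::0:
uid:e::::1500000000::0000000000000000000000000000000000000000::Constructed key A::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000:1800000000::-:::scESC::::::23::0:
sub:-:4096:1:DDDDDDDDDDDDDDDD:1500000000:1550000000:::::e::::::23:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1500000000:::-:::scESC::::::23::0:
EOF
}

# $1: what the system clock says (epoch seconds)
# $2: a trusted reference time (epoch seconds), e.g. read off another device
classify_keys() {
    sys="${1:?system time required}"
    ref="${2:?reference time required}"
    awk -F: -v sys="$sys" -v ref="$ref" '
        $1 != "pub"       { next }                        # primary keys only
        $7 == ""          { print $5, "valid"; next }     # no expiry set
        $7 + 0 <= ref + 0 { print $5, "expired"; next }   # really expired: refresh or replace the key
        $7 + 0 <= sys + 0 { print $5, "clock-skew"; next } # expired only per local clock: fix the clock
                          { print $5, "valid" }'
}

# Stand-alone run: the system clock (1900000000) is ahead of the reference (1700000000).
sample_keyring | classify_keys 1900000000 1700000000
```

A key reported as clock-skew needs the clock corrected (Solutions 3 and 5), not a key refresh; only keys reported as expired need Solution 1, 2 or 4.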
Solution 6: GUI-oriented Approach
If you prefer a GUI-oriented approach, follow these steps:
- Open the “Software and Updates” dialog by navigating to
- In the dialog, go to the “Other Software” tab, find the problematic PPA, and click “Remove”.
Solution 7: Allow Insecure Repositories (Not Recommended)
As a last resort, you can bypass GPG signature checks by allowing insecure repositories. However, this is not recommended for security reasons. Use the following command:
sudo apt -o Acquire::AllowInsecureRepositories=true -o Acquire::AllowDowngradeToInsecureRepositories=true update
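This command updates the package list while accepting repositories whose signatures cannot be verified, including repositories that were previously verified and no longer are (the "downgrade" option).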
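The -o flags above apply to that single run only, but the same options are sometimes copied into an apt configuration file and forgotten, which disables signature checking permanently. The following added example (not from the original article) scans a configuration directory for either option set to a truthy value; the function names and the sample fragment file names are assumptions, and the list of truthy spellings is not exhaustive.

```shell
#!/bin/sh
# Added example: find apt.conf fragments that make the Solution 7 bypass
# permanent.

# $1: directory to scan; defaults to /etc/apt/apt.conf.d
find_insecure_apt_conf() {
    dir="${1:-/etc/apt/apt.conf.d}"
    # Match both option names with a truthy value, in flat or nested syntax,
    # then drop lines that are commented out with // or #.
    grep -EiHn 'Allow(DowngradeTo)?InsecureRepositories[[:space:]]+"?(true|yes|on|1)"?' \
        "$dir"/* 2>/dev/null |
        grep -Ev '^[^:]+:[0-9]+:[[:space:]]*(//|#)' || true
}

# Constructed fragments for a stand-alone run (file names are made up).
make_sample_conf_dir() {
    d="$(mktemp -d)"
    printf '%s\n' 'Acquire::AllowInsecureRepositories "true";' > "$d/99bypass"
    printf '%s\n' '// Acquire::AllowInsecureRepositories "true";' \
                  'Acquire::AllowInsecureRepositories "false";' > "$d/10default"
    printf '%s\n' 'Acquire { AllowDowngradeToInsecureRepositories "1"; };' > "$d/50nested"
    echo "$d"
}

sample_dir="$(make_sample_conf_dir)"
find_insecure_apt_conf "$sample_dir"   # reports 99bypass and 50nested only
rm -rf "$sample_dir"
```

Each output line has the form file:line:setting; an empty result means neither option is persisted in that directory.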
In this article, we covered different methods to resolve GPG errors related to invalid signatures and expired keys in Ubuntu’s APT. Remember, removing a PPA should be done with caution, as it may result in the loss of updates and bug fixes for applications installed from that PPA. Always keep your system and its repositories secure.
GPG stands for GNU Privacy Guard, and a GPG key is a cryptographic key used to encrypt and sign data. In the context of Ubuntu’s APT, GPG keys are used to verify the authenticity and integrity of packages and repositories.
GPG keys have an expiration date as a security measure. It ensures that keys are regularly updated and replaced with new ones to maintain the security of the system.
You can identify an expired GPG key by running the command sudo apt-key list | grep "expired: ". This command lists all the keys and keeps only the lines marked as expired.
To refresh an expired GPG key, you can use the command sudo apt-key adv --keyserver keys.gnupg.net --recv-keys [KEY], replacing [KEY] with the key obtained from the previous command.
If refreshing the GPG key doesn’t work, you can try using a different keyserver by replacing
Yes, an incorrect system clock can cause GPG key expired errors. It is important to ensure that your system clock is correct to avoid such errors.
To delete an expired key, you can use the command sudo apt-key del [KEY], replacing [KEY] with the expired key. To remove the corresponding PPA, delete the corresponding file in /etc/apt/sources.list.d/ and then run the commands sudo apt-get clean and sudo apt-get update.
Allowing insecure repositories is not recommended for security reasons. It is best to exhaust other solutions before considering this option.
To adjust the system time in the BIOS, restart your computer and enter the BIOS settings by pressing the appropriate key (usually displayed during startup). Look for the option to adjust the system time and make the necessary changes.
Yes, you can open the "Software and Updates" dialog by navigating to /etc/apt/sources.list.d/ and double-clicking sources.list. In the dialog, go to the "Other Software" tab, find the problematic PPA, and click "Remove".