Software & AppsOperating SystemLinux

Fixing GPG Error: Invalid Signatures and Expired Keys in Ubuntu’s APT

Ubuntu 1

In this article, we will delve into the process of resolving GPG errors related to invalid signatures and expired keys in Ubuntu’s Advanced Packaging Tool (APT). This is a common issue that Ubuntu users may encounter when updating their packages.

Understanding the Issue

Before we dive into the solutions, it’s important to understand what the error means. When you see a message like “GPG error: The following signatures were invalid: KEYEXPIRED,” it indicates that the GPG key for a repository has expired. This can happen due to an incorrect system clock or an actual expiration of the key.

Solution 1: Refresh the GPG Key

The first solution involves refreshing the expired GPG key using the apt-key command. Here’s how you can do it:

  1. Identify the expired key: Run the following command in your terminal:
sudo apt-key list | grep "expired: "

This command lists all the keys and filters out the expired ones.

  1. Refresh the key: Use the following command to refresh the key:
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys [KEY]

Replace [KEY] with the key obtained from the previous command. This command fetches the updated key from the specified keyserver.

Alternatively, you can use this one-liner command to refresh all expired keys:

sudo apt-key list | grep "expired: " | sed -ne 's|pub .*/\([^ ]*\) .*|\1|gp' | xargs -n1 sudo apt-key adv --keyserver keys.gnupg.net --recv-keys

This command automates the process of finding and updating all expired keys.

Solution 2: Use a Specific Keyserver

If the previous solution doesn’t work, it might be due to issues with the keyserver. In such cases, you can try using a different keyserver. For example, replace keys.gnupg.net with pgp.mit.edu or keyserver.ubuntu.com.

Solution 3: Check System Clock and Contact Repository Maintainer

Ensure that your system clock is correct. An incorrect date can lead to key expired errors. If the issue persists, it may be necessary to contact the repository maintainer and import the new key once they update their keys to sign the files.

Solution 4: Remove the Expired Key and PPA

Another solution is to delete the expired key and remove the corresponding PPA (Personal Package Archive). Here’s how to do it:

  1. Delete the expired key: Use the following command:
sudo apt-key del [KEY]

Replace [KEY] with the expired key. This command removes the expired key from your system.

  1. Remove the PPA: Delete the corresponding file in /etc/apt/sources.list.d/ and then run the following commands:
sudo apt-get clean
sudo apt-get update

These commands clean the local repository of retrieved package files and update the package list.

Optionally, you can add a new key if required using the following command:

sudo apt-get upgrade

or

sudo apt-get dist-upgrade

These commands upgrade all the packages on your system, and if a new key is required, it will be added.

Solution 5: Set the Correct System Time in the BIOS

If the system time is incorrect, adjust it in the BIOS settings. This is because an incorrect system time can cause the GPG keys to appear as expired.

Solution 6: GUI-oriented Approach

If you prefer a GUI-oriented approach, follow these steps:

  1. Open the “Software and Updates” dialog by navigating to /etc/apt/sources.list.d/ and double-clicking sources.list.
  2. In the dialog, go to the “Other Software” tab, find the problematic PPA, and click “Remove”.

Solution 7: Allow Insecure Repositories (Not Recommended)

As a last resort, you can bypass GPG signature checks by allowing insecure repositories. However, this is not recommended for security reasons. Use the following command:

sudo apt -o Acquire::AllowInsecureRepositories=true -o Acquire::AllowDowngradeToInsecureRepositories=true update

This command updates the package list while allowing insecure repositories and downgrades.

Conclusion

In this article, we covered different methods to resolve GPG errors related to invalid signatures and expired keys in Ubuntu’s APT. Remember, removing a PPA should be done with caution, as it may result in the loss of updates and bug fixes for applications installed from that PPA. Always ensure to keep your system and its repositories secure.

What is a GPG key?

GPG stands for GNU Privacy Guard, and a GPG key is a cryptographic key used to encrypt and sign data. In the context of Ubuntu’s APT, GPG keys are used to verify the authenticity and integrity of packages and repositories.

Why does a GPG key expire?

GPG keys have an expiration date as a security measure. It ensures that keys are regularly updated and replaced with new ones to maintain the security of the system.

How do I identify an expired GPG key?

You can identify an expired GPG key by running the command sudo apt-key list | grep "expired: ". This command lists all the keys and filters out the expired ones.

How do I refresh an expired GPG key?

To refresh an expired GPG key, you can use the command sudo apt-key adv --keyserver keys.gnupg.net --recv-keys [KEY], replacing [KEY] with the key obtained from the previous command.

What should I do if refreshing the GPG key doesn’t work?

If refreshing the GPG key doesn’t work, you can try using a different keyserver by replacing keys.gnupg.net with pgp.mit.edu or keyserver.ubuntu.com.

Can an incorrect system clock cause GPG key expired errors?

Yes, an incorrect system clock can cause GPG key expired errors. It is important to ensure that your system clock is correct to avoid such errors.

How can I delete an expired key and remove the corresponding PPA?

To delete an expired key, you can use the command sudo apt-key del [KEY], replacing [KEY] with the expired key. To remove the corresponding PPA, delete the corresponding file in /etc/apt/sources.list.d/ and then run the commands sudo apt-get clean and sudo apt-get update.

Should I allow insecure repositories as a solution?

Allowing insecure repositories is not recommended for security reasons. It is best to exhaust other solutions before considering this option.

How can I adjust the system time in the BIOS?

To adjust the system time in the BIOS, restart your computer and enter the BIOS settings by pressing the appropriate key (usually displayed during startup). Look for the option to adjust the system time and make the necessary changes.

Is there a GUI-oriented approach to resolve GPG errors?

Yes, you can open the "Software and Updates" dialog by navigating to /etc/apt/sources.list.d/ and double-clicking sources.list. In the dialog, go to the "Other Software" tab, find the problematic PPA, and click "Remove".

Leave a Comment

Your email address will not be published. Required fields are marked *