The officially official Devuan Forum!

You are not logged in.

#1 2022-09-03 11:15:26

nenesse
Member
From: Paris
Registered: 2020-01-10
Posts: 8  

[SOLVED] apt-get update: gpg error (expired key)

Hi,
problems with apt-get today

apt-get update
Get:1 http://deb.devuan.org/merged chimaera InRelease [33.9 kB]
Get:2 http://deb.devuan.org/merged chimaera-security InRelease [26.5 kB]
Err:1 http://deb.devuan.org/merged chimaera InRelease
  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
Get:3 http://deb.devuan.org/merged chimaera-backports InRelease [26.6 kB]
Err:2 http://deb.devuan.org/merged chimaera-security InRelease
  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
Err:3 http://deb.devuan.org/merged chimaera-backports InRelease
  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
Fetched 86.9 kB in 0s (174 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.devuan.org/merged chimaera InRelease: The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository
(Amprolla3 on Nemesis) <repository@devuan.org>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.devuan.org/merged chimaera-security InRelease: The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.devuan.org/merged chimaera-backports InRelease: The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Failed to fetch http://deb.devuan.org/merged/dists/chimaera/InRelease  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Failed to fetch http://deb.devuan.org/merged/dists/chim … /InRelease  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Failed to fetch http://deb.devuan.org/merged/dists/chim … /InRelease  The following signatures were invalid: EXPKEYSIG BB23C00C61FC752C Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.

gpg --keyserver keys.gnupg.net --search-keys BB23C00C61FC752C
gpg: error searching keyserver: Server indicated a failure
gpg: keyserver search failed: Server indicated a failure

Last edited by nenesse (2022-09-03 12:20:18)

Offline

#2 2022-09-03 11:41:00

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,528  

Re: [SOLVED] apt-get update: gpg error (expired key)

Is the system clock correct?

I see

$ gpg --keyserver keys.gnupg.net --search-keys BB23C00C61FC752C 
gpg: data source: http://pgp.surf.nl:11371
(1)	 4096 bit RSA key BB23C00C61FC752C, created: 2017-09-04
Keys 1-1 of 1 for "BB23C00C61FC752C".  Enter number(s), N)ext, or Q)uit > 
$

Offline

#3 2022-09-03 11:44:44

nenesse
Member
From: Paris
Registered: 2020-01-10
Posts: 8  

Re: [SOLVED] apt-get update: gpg error (expired key)

date
Sat Sep  3 13:43:33 CEST 2022

Paris timezone

Last edited by nenesse (2022-09-03 11:45:17)

Offline

#4 2022-09-03 11:49:48

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,528  

Re: [SOLVED] apt-get update: gpg error (expired key)

Do you have a firewall running that might be blocking port 11371?

Can we see the output of

cat /etc/{nsswitch,resolv}.conf

Offline

#5 2022-09-03 12:03:32

nenesse
Member
From: Paris
Registered: 2020-01-10
Posts: 8  

Re: [SOLVED] apt-get update: gpg error (expired key)

i flush nftables  ruleset
I have stopped privoxy and unbound

└─┤ cat /etc/{nsswitch,resolv}.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files
group:          files
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
# freebox sur le réseau local
# ou sur réseau extérieur, réseau local en 172.16
# ou 4G Free
nameserver 212.27.40.240
nameserver 212.27.40.241

# partage de connexion smartphone android, autre que free
#nameserver 192.168.42.129

# openDns
#nameserver 208.67.222.222
#nameserver 208.67.220.220

# Raspberry Netgear
#nameserver 192.168.0.1

# unbound
#nameserver 127.0.0.1

Last edited by nenesse (2022-09-03 12:03:46)

Offline

#6 2022-09-03 12:10:04

vazhnov
Member
From: Wrocław, Poland
Registered: 2020-05-31
Posts: 14  

Re: [SOLVED] apt-get update: gpg error (expired key)

I think the root cause is that the key BB23C00C61FC752C expired:

 $ gpg --list-keys BB23C00C61FC752C
pub   rsa4096 2017-09-04 [SC] [expired: 2022-09-03]
      E032601B7CA10BC3EA53FA81BB23C00C61FC752C
uid           [ expired] Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>

The same key described on the page https://www.devuan.org/os/keyring , fingerprint is E032 601B 7CA1 0BC3 EA53 FA81 BB23 C00C 61FC 752C.

 $ apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
------------------------------------------------------------
pub   rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
      1F89 983E 0081 FDE0 18F3  CC96 73A4 F27B 8DD4 7936
uid           [ unknown] Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
sub   rsa4096 2021-01-17 [S] [expires: 2029-01-15]

/etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
---------------------------------------------------------------------
pub   rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
      AC53 0D52 0F2F 3269 F5E9  8313 A484 4904 4AAD 5C5D
uid           [ unknown] Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
sub   rsa4096 2021-01-17 [S] [expires: 2029-01-15]

/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
---------------------------------------------------------
pub   rsa4096 2021-02-13 [SC] [expires: 2029-02-11]
      A428 5295 FC7B 1A81 6000  62A9 605C 66F0 0D6C 9793
uid           [ unknown] Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE
uid           [ unknown] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
uid           [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub   rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
      6D33 866E DD8F FA41 C014  3AED DCC9 EFBF 77E1 1517
uid           [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-----------------------------------------------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
uid           [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
--------------------------------------------------------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      6ED6 F5CB 5FA6 FB2F 460A  E88E EDA0 D238 8AE2 2BA9
uid           [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
--------------------------------------------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
uid           [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/devuan-keyring-2016-archive.gpg
------------------------------------------------------
pub   rsa2048 2014-12-02 [SC]
      72E3 CB77 3315 DFA2 E464  743D 9453 2124 5419 22FB
uid           [ unknown] Devuan Repository (Primary Devuan signing key) <repository@devuan.org>
sub   rsa2048 2014-12-02 [E]
sub   rsa4096 2016-04-26 [S]

/etc/apt/trusted.gpg.d/devuan-keyring-2016-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2016-10-06 [SC]
      CF19 21B2 D91C 6435 848E  8100 99C4 6A90 B1FB 3B59
uid           [ unknown] Devuan ISO Toaster (Devuan GNU+Linux) <onelove@devuan.org>
sub   rsa4096 2016-10-06 [E]

/etc/apt/trusted.gpg.d/devuan-keyring-2017-archive.gpg
------------------------------------------------------
pub   rsa4096 2017-09-04 [SC] [expired: 2022-09-03]
      E032 601B 7CA1 0BC3 EA53  FA81 BB23 C00C 61FC 752C
uid           [ expired] Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>

and:

 $ ls -lAF /etc/apt/trusted.gpg.d
total 80
-rw-r--r-- 1 root root 8700 Feb 25  2021 debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Feb 25  2021 debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2453 Feb 25  2021 debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Feb 25  2021 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Feb 25  2021 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Feb 25  2021 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 7443 Feb 25  2021 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Feb 25  2021 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Feb 25  2021 debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 3637 Oct  3  2017 devuan-keyring-2016-archive.gpg
-rw-r--r-- 1 root root 2233 Oct  3  2017 devuan-keyring-2016-cdimage.gpg
-rw-r--r-- 1 root root 3638 Oct  3  2017 devuan-keyring-2017-archive.gpg
 $ dpkg -S /etc/apt/trusted.gpg.d/devuan-keyring-2017-archive.gpg
devuan-keyring: /etc/apt/trusted.gpg.d/devuan-keyring-2017-archive.gpg
 $ apt-cache policy devuan-keyring 
devuan-keyring:
  Installed: 2017.10.03
  Candidate: 2017.10.03
  Version table:
 *** 2017.10.03 500
        500 http://pl.deb.devuan.org/merged daedalus/main amd64 Packages
        100 /var/lib/dpkg/status

Last edited by vazhnov (2022-09-03 12:17:14)

Offline

#7 2022-09-03 12:53:15

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,130  

Re: [SOLVED] apt-get update: gpg error (expired key)

New keyring just got built and needs to get into the repos and propagate to the mirrors.

Offline

#8 2022-09-03 14:03:53

nenesse
Member
From: Paris
Registered: 2020-01-10
Posts: 8  

Re: [SOLVED] apt-get update: gpg error (expired key)

apt-cache policy devuan-keyring
devuan-keyring:
  Installé : 2022.09.03
  Candidat : 2022.09.03
Table de version :
*** 2022.09.03 100
        100 /var/lib/dpkg/status
     2017.10.03 500
        500 http://deb.devuan.org/merged chimaera/main amd64 Packages

gpg --keyserver keys.gnupg.net --search-keys BB23C00C61FC752C
gpg: error searching keyserver: Server indicated a failure
gpg: keyserver search failed: Server indicated a failure

Offline

#9 2022-09-03 14:14:43

iceman1
Member
Registered: 2022-09-03
Posts: 1  

Re: [SOLVED] apt-get update: gpg error (expired key)

Hello Everyone

The devs are working on it since midnight, please give me some time. this is a known issue

Offline

#10 2022-09-03 15:33:20

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,528  

Re: [SOLVED] apt-get update: gpg error (expired key)

@nenesse: I think you'll have to use

wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb
dpkg -i devuan-keyring_2022.09.04_all.deb

Last edited by Head_on_a_Stick (2022-09-03 15:33:37)

Offline

#11 2022-09-03 15:55:40

nenesse
Member
From: Paris
Registered: 2020-01-10
Posts: 8  

Re: [SOLVED] apt-get update: gpg error (expired key)

yes
then copying /usr/share/keyrings/devuan-keyring.gpg => /etc/apt/trusted.gpg.d
and deleting /etc/apt/trusted.gpg.d/devuan-keyring-2017-archive.gpg
apt-get update works.

Temporary solution pending that of the developers.

Offline

#12 2022-09-03 16:09:25

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,130  

Re: [SOLVED] apt-get update: gpg error (expired key)

nenesse wrote:

yes
then copying /usr/share/keyrings/devuan-keyring.gpg => /etc/apt/trusted.gpg.d
and deleting /etc/apt/trusted.gpg.d/devuan-keyring-2017-archive.gpg
apt-get update works.

Temporary solution pending that of the developers.

I believe those extra steps are only needed if you installed the first package made today, dated 2022.09.03, but the second package with date 2022.09.04 copies the new file for you.

Offline

#13 2022-09-03 16:21:07

nenesse
Member
From: Paris
Registered: 2020-01-10
Posts: 8  

Re: [SOLVED] apt-get update: gpg error (expired key)

yes, extra steps for 2022.09.03.deb, not needed with 2022.09.04.deb.
I mark this post solved, thanks to the developers for the speed.

rendez-vous le 3 septembre 2023 smile

Last edited by nenesse (2022-09-03 17:04:26)

Offline

#14 2022-09-03 18:35:12

brocashelm
Member
Registered: 2020-06-29
Posts: 96  

Re: [SOLVED] apt-get update: gpg error (expired key)

devuan-keyring has already been updated in the repository. This command was provided by Bb|hcb in the IRC channel:
apt update --allow-insecure-repositories && apt install devuan-keyring --allow-unauthenticated

Last edited by brocashelm (2022-09-03 19:09:30)


"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." - Benjamin Franklin

"In a time of universal deceit, telling the truth is a revolutionary act." - George Orwell

Offline

#15 2022-09-03 20:22:20

fhblf
Member
Registered: 2022-04-17
Posts: 1  

Re: [SOLVED] apt-get update: gpg error (expired key)

Head_on_a_Stick wrote:

@nenesse: I think you'll have to use

wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb
dpkg -i devuan-keyring_2022.09.04_all.deb

Works great, thanks!

wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb && sudo dpkg -i devuan-keyring_2022.09.04_all.deb

Last edited by fhblf (2022-09-03 20:24:21)

Offline

#16 2022-09-03 20:32:16

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,528  

Re: [SOLVED] apt-get update: gpg error (expired key)

I think the --allow-insecure-repositories & --allow-unauthenticated options are a bit easier. I forgot about them :-)

Offline

#17 2022-09-03 21:13:06

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,130  

Re: [SOLVED] apt-get update: gpg error (expired key)

If you download the file and want a checksum, here they are:

$ md5sum devuan-keyring_2022.09.04_all.deb 
6209781a66b39c95c012765bc7ca2297  devuan-keyring_2022.09.04_all.deb

$ sha256sum devuan-keyring_2022.09.04_all.deb 
96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d  devuan-keyring_2022.09.04_all.deb

Offline

#18 2022-09-03 22:33:30

Bakaras
Member
Registered: 2022-09-03
Posts: 1  

Re: [SOLVED] apt-get update: gpg error (expired key)

I use:
rm -rf /var/lib/apt/lists/*
apt update --allow-insecure-repositories
apt upgrade

Currently works only with pkgmaster.devuan.org

Last edited by Bakaras (2022-09-03 22:47:01)

Offline

#19 2022-09-04 00:54:22

Joerg_rw
Member
Registered: 2017-04-23
Posts: 1  

Re: [SOLVED] apt-get update: gpg error (expired key)

https://dev1galaxy.org/viewtopic.php?pid=37322#p37322 is about same issue, https://dev1galaxy.org/viewtopic.php?id=5212 "[SOLVED] Invalid Signatures" should get merged in here, replacing my message

ralph.ronnquist wrote:

Note that the full hands-on may also require that the old local InRelease file for the distribution is removed manually, so the sequence of command would thus be (eg for chimaera):

  • # rm /var/lib/apt/lists/deb.devuan.org_merged_dists_chimaera_InRelease

  • # apt-get update --allow-unauthenticated --allow-insecure-repositories

  • # apt-get install devuan-keyring --allow-unauthenticated

Alternatively: Anyone uncomfortable with those command line options should rather download the new keyring directly, eg

Alternatively: if you have your own method that works, then that is fine too.

Offline

#20 2022-09-05 09:48:18

Morgennebel
Member
Registered: 2017-06-07
Posts: 13  

Re: [SOLVED] apt-get update: gpg error (expired key)

Unfortunately this bug also prevents new installations with existing ISO files.

Workaround:

* Once installer fails to read a network mirror
* Start a shell from the installer (somewhere at the bottom of the menu)
* Execute wget as described above
* mv *.deb /target/root
* chroot /target
* dpkg -i /root/*.deb
* exit shell
* Continue installation

-MN

Offline

#21 2022-09-05 12:30:31

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,130  

Re: [SOLVED] apt-get update: gpg error (expired key)

To do a new install with the existing live isos, you can just download the package in a terminal with wget, check the sha256sum and install with dpkg or gdebi. Then run the installer.

Offline

#22 2022-09-05 16:09:23

Morgennebel
Member
Registered: 2017-06-07
Posts: 13  

Re: [SOLVED] apt-get update: gpg error (expired key)

fsmithred wrote:

To do a new install with the existing live isos, you can just download the package in a terminal with wget, check the sha256sum and install with dpkg or gdebi. Then run the installer.

I tried the server and netinstall ISOs. Both do not have dpkg available (or I did not found them in /usr/sbin, /sbin or /usr/bin).

Offline

#23 2022-09-05 21:10:59

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,130  

Re: [SOLVED] apt-get update: gpg error (expired key)

Morgennebel wrote:
fsmithred wrote:

To do a new install with the existing live isos, you can just download the package in a terminal with wget, check the sha256sum and install with dpkg or gdebi. Then run the installer.

I tried the server and netinstall ISOs. Both do not have dpkg available (or I did not found them in /usr/sbin, /sbin or /usr/bin).

For the installer isos (server, desktop, netinstall) the following might work in a shell:

anna install devuan-keyring_2022.09.04_all.deb

or maybe...

anna install /pool/DEBIAN/main/d/dpkg/dpkg_1.20.9_amd64.deb
dpkg -i  devuan-keyring_2022.09.04_all.deb

For the live isos (minimal-live, desktop-live) dpkg is installed and will work. Only the desktop-live has gdebi.

Offline

#24 2022-09-05 22:10:17

adant
Member
Registered: 2018-09-19
Posts: 3  

Re: [SOLVED] apt-get update: gpg error (expired key)

Just FYI the expired key is still exists in beowulf (@ Amprolla3 on Nemesis). Scared me for a minute.
Thanks for all you do smile

Offline

#25 2022-09-08 16:50:42

Morgennebel
Member
Registered: 2017-06-07
Posts: 13  

Re: [SOLVED] apt-get update: gpg error (expired key)

Morgennebel wrote:
fsmithred wrote:

To do a new install with the existing live isos, you can just download the package in a terminal with wget, check the sha256sum and install with dpkg or gdebi. Then run the installer.

I tried the server and netinstall ISOs. Both do not have dpkg available (or I did not found them in /usr/sbin, /sbin or /usr/bin).

You need first to chroot to /target first. dpkg is then available.

# chroot /target
# dpkg -i ....

Ciao, -MN

Offline

Board footer