If you're a Debian user and you've encountered the EXPKEYSIG error, you're not alone. This error indicates that a repository's GPG key has expired, and you need to update it to continue receiving updates from that repository. This guide will walk you through the process step-by-step.
The EXPKEYSIG error occurs when the GPG key used to verify the authenticity of a repository's packages has expired. This key is essential for ensuring the packages you download and install are legitimate and haven't been tampered with.
First, identify the key ID that has expired. You can find this in the error message itself. In the example above, the key ID is 0123456789ABCDEF.
Next, use the apt-key adv command to fetch the updated key from a key server.
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0123456789ABCDEF
After updating the key, refresh your package lists to ensure everything is up-to-date.
sudo apt-get update
apt-key
The apt-key command is deprecated and may be removed in future releases of Debian. Instead of using apt-key, you can add the key directly to the /etc/apt/trusted.gpg.d directory.
/etc/apt/trusted.gpg.d
Fetch the Updated Key
Use gpg to fetch the key.
gpg --keyserver keyserver.ubuntu.com --recv-keys 0123456789ABCDEF
Export the Key to a File
Export the key to a file in the /etc/apt/trusted.gpg.d directory. APT reads files ending in .gpg as binary keyrings, so export the key without ASCII armor.
gpg --export 0123456789ABCDEF | sudo tee /etc/apt/trusted.gpg.d/0123456789ABCDEF.gpg > /dev/null
Update the Package Lists
Refresh your package lists to ensure everything is synchronized.
sudo apt-get update
Some repositories pin their public keys to specific keyring files using the signed-by option in the sources list. In such cases, the above method might not work. Here’s how to update these keys.
Identify the Key ID
Locate the key ID in the error message. Let’s assume it’s ABF5BD827BD9BF62.
Fetch the Updated Key
gpg --keyserver keyserver.ubuntu.com --recv-keys ABF5BD827BD9BF62
Export the Key to the Keyring File
Export the key in binary form to the specified keyring file (e.g., /usr/share/keyrings/nginx-archive-keyring.gpg).
gpg --export ABF5BD827BD9BF62 | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg > /dev/null
Update the Package Lists
sudo apt-get update
For repositories that pin their keys, follow these general steps:
Identify the Key ID
Find the key ID from the error message or repository documentation.
Fetch the Updated Key
gpg --keyserver keyserver.ubuntu.com --recv-keys <KEY_ID>
Export the Key to the Keyring File
gpg --export <KEY_ID> | sudo tee /usr/share/keyrings/<package-keyring-file>.gpg > /dev/null
Update the Package Lists
sudo apt-get update
Suppose you have a custom repository entry like this:
deb [signed-by=/usr/share/keyrings/custom-repo-keyring.gpg] https://example.com/debian bullseye main
Identify the Key ID
Assume the key ID is 1234567890ABCDEF.
Fetch the Updated Key
gpg --keyserver keyserver.ubuntu.com --recv-keys 1234567890ABCDEF
Export the Key to the Keyring File
gpg --export 1234567890ABCDEF | sudo tee /usr/share/keyrings/custom-repo-keyring.gpg > /dev/null
Update the Package Lists
sudo apt-get update
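To confirm that a refreshed keyring no longer holds an expired key, and to see the full fingerprint behind a 16-character key ID, the following added example (not part of the original guide) parses GnuPG's colon-format listing. The helper names key_status and check_keyring are hypothetical, the sample records are constructed, and the script assumes GnuPG 2.x, which prints expiry as epoch seconds.

```shell
#!/bin/sh
# Added example: list each primary key in a keyring with its expiry status.
# Assumes GnuPG 2.x colon output (expiry in field 7 as epoch seconds).

# key_status NOW_EPOCH: reads `gpg --with-colons` records on stdin and prints
# "STATUS KEYID FINGERPRINT EXPIRY" for every primary (pub) key.
key_status() {
    awk -F: -v now="$1" '
        function emit() { if (id != "") print st, id, (fp == "" ? "-" : fp), expiry }
        $1 == "pub" {
            emit()
            id = $5; fp = ""; primary = 1
            expiry = ($7 == "" ? "never" : $7)
            st = "OK"
            # Field 2 is the validity flag: e = expired, r = revoked.
            if ($2 == "e" || ($7 != "" && $7 + 0 <= now + 0)) st = "EXPIRED"
            else if ($2 == "r") st = "REVOKED"
        }
        $1 == "sub" { primary = 0 }   # skip fingerprints that belong to subkeys
        $1 == "fpr" && primary && fp == "" { fp = $10 }
        END { emit() }
    '
}

# check_keyring FILE: hypothetical wrapper for a real keyring (binary or armored).
check_keyring() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | key_status "$(date +%s)"
}

# Constructed sample records (not taken from any real repository key).
SAMPLE='pub:e:4096:1:0123456789ABCDEF:1500000000:1600000000::-:::sc::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:e::::1500000000::0000::Example Repo (constructed) <repo@example.com>::::::::::0:
sub:e:4096:1:1111222233334444:1500000000:1600000000:::::e::::::23:
fpr:::::::::9999888877776666555544441111222233334444:
pub:-:4096:1:1234567890ABCDEF:1500000000:::-:::scESC::::::23::0:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA1234567890ABCDEF:'

if [ "$#" -gt 0 ]; then
    check_keyring "$1"          # e.g. the file named in a signed-by option
else
    printf '%s\n' "$SAMPLE" | key_status 1700000000
fi
```

Run it with the path of the keyring file named in signed-by, and compare the printed fingerprint with the one the repository publishes before trusting the refreshed key.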
By following these steps, you can resolve the EXPKEYSIG error on your Debian system and ensure your repositories continue to function correctly.
The EXPKEYSIG error can be a hassle, but it's a necessary part of maintaining secure package management on Debian. By regularly updating your GPG keys and using the recommended methods, you can keep your system secure and your packages up-to-date. If you encounter any issues, refer back to this guide for a step-by-step solution.