How to Fix EXPKEYSIG Error on Ubuntu

Encountering the EXPKEYSIG error on Ubuntu? This error typically means that a repository's GPG key has expired, preventing you from updating or installing packages from that repository. Don't worry, we've got you covered with a simple step-by-step guide to resolve this issue.

Understanding the EXPKEYSIG Error

The EXPKEYSIG error occurs when the cryptographic key used to verify a repository's packages has expired. This verification process ensures that the packages you install are authentic and secure.

Example Error Message

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://example.com/ubuntu focal InRelease: The following signatures were invalid: EXPKEYSIG 0123456789ABCDEF John Doe <john.doe@example.com>

Step-by-Step Guide to Fix EXPKEYSIG Error on Ubuntu

1. Identify the Expired Key

First, locate the expired key ID in the error message. For example, in the message above, the key ID is 0123456789ABCDEF.

2. Fetch the Updated Key

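Use the following command to fetch the updated key from a key server. Note that apt-key is deprecated, so we’ll use gpg instead. A key ID taken from an error message does not prove who owns the key, so compare the fetched key's full fingerprint with the one the repository publishes before trusting it.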

gpg --keyserver keyserver.ubuntu.com --recv-keys 0123456789ABCDEF

3. Add the Key to the Trusted Keyring

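Instead of using apt-key, we’ll directly add the key to the trusted keyring directory. apt expects files ending in .gpg to hold a binary keyring (ASCII-armored keys belong in .asc files), so export the key without --armor. Keep in mind that a key placed in /etc/apt/trusted.gpg.d is trusted for every repository configured on the system.

gpg --export 0123456789ABCDEF | sudo tee /etc/apt/trusted.gpg.d/0123456789ABCDEF.gpg > /dev/null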

4. Update Your Package Lists

After updating the key, refresh your package lists to apply the changes.

sudo apt-get update
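A check that fits between steps 2 and 3, shown as an added example that is not part of the original guide: it extracts the key ID from the apt warning and reports whether the refreshed key is still expired, so an expired key is not copied back into the keyring. The helper names expkeysig_ids and key_state are hypothetical, the key listing is constructed sample data, and GnuPG 2.x colon-format output is assumed.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes GnuPG 2.x colon output,
# where field 5 is the key ID and field 7 the expiry in epoch seconds.

# Read apt output on stdin; print "KEYID REPO_URL" for each EXPKEYSIG warning.
expkeysig_ids() {
    awk '{
        repo = ""
        for (i = 1; i < NF; i++) {
            if ($i == "error:") repo = $(i + 1)       # word after "GPG error:"
            if ($i == "EXPKEYSIG") print $(i + 1), repo
        }
    }'
}

# key_state KEYID NOW_EPOCH < colon listing; prints valid, expired or missing.
# Accepts a 16-hex key ID or a 40-hex fingerprint; matches primary and subkeys.
key_state() {
    awk -F: -v id="$1" -v now="$2" '
        BEGIN {
            id = toupper(id)
            if (length(id) > 16) id = substr(id, length(id) - 15)
            state = "missing"
        }
        ($1 == "pub" || $1 == "sub") && toupper($5) == id {
            state = ($7 != "" && $7 + 0 <= now + 0) ? "expired" : "valid"
        }
        END { print state }'
}

# Constructed sample input: the guide's error message and a made-up key listing.
APT_SAMPLE='W: An error occurred during the signature verification. GPG error: http://example.com/ubuntu focal InRelease: The following signatures were invalid: EXPKEYSIG 0123456789ABCDEF John Doe <john.doe@example.com>'
KEYS_SAMPLE='pub:-:4096:1:0123456789ABCDEF:1500000000:1900000000::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
uid:-::::1500000000::::John Doe <john.doe@example.com>:'

printf '%s\n' "$APT_SAMPLE" | expkeysig_ids
printf '%s\n' "$KEYS_SAMPLE" | key_state 0123456789ABCDEF 1700000000   # before expiry
printf '%s\n' "$KEYS_SAMPLE" | key_state 0123456789ABCDEF 2000000000   # after expiry

# On a real system (both are standard apt and gpg invocations):
#   sudo apt-get update 2>&1 | expkeysig_ids
#   gpg --with-colons --list-keys KEYID | key_state KEYID "$(date +%s)"
```

If key_state still prints expired after step 2, the key server holds no renewed copy of the key and the current key has to come from the repository's own instructions.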

Handling Specific Keyring Files

Some repositories specify their GPG keys in the sources list using the signed-by option. In these cases, follow the instructions below.

Example: Updating the Docker Key

  1. Identify the Key ID

    Find the key ID in the error message. Let’s say it’s 9DC858229FC7DD38854AE2D88D81803C0EBFCD88.

  2. Fetch the Updated Key

    gpg --keyserver keyserver.ubuntu.com --recv-keys 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
    
  3. Export the Key to the Keyring File

    Export the key to the specific keyring file, such as /usr/share/keyrings/docker-archive-keyring.gpg. A .gpg keyring file must contain the binary key, so export it without --armor.

    gpg --export 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 | sudo tee /usr/share/keyrings/docker-archive-keyring.gpg > /dev/null
    
  4. Update Your Package Lists

    sudo apt-get update
    

General Steps for Any Repository with Pinned Keys

For repositories that pin their keys, use the following steps:

  1. Identify the Key ID

    Check the error message or repository documentation to find the key ID.

  2. Fetch the Updated Key

    gpg --keyserver keyserver.ubuntu.com --recv-keys <KEY_ID>
    
  3. Export the Key to the Keyring File

    gpg --export <KEY_ID> | sudo tee /usr/share/keyrings/<repository-keyring-file>.gpg > /dev/null
    
  4. Update Your Package Lists

    sudo apt-get update
    

Complete Example: Updating a Custom Repository Key

Suppose you have a custom repository configured like this:

deb [signed-by=/usr/share/keyrings/custom-repo-keyring.gpg] https://example.com/ubuntu focal main

  1. Identify the Key ID

    Assume the key ID is 1234567890ABCDEF.

  2. Fetch the Updated Key

    gpg --keyserver keyserver.ubuntu.com --recv-keys 1234567890ABCDEF
    
  3. Export the Key to the Keyring File

    gpg --export 1234567890ABCDEF | sudo tee /usr/share/keyrings/custom-repo-keyring.gpg > /dev/null
    
  4. Update Your Package Lists

    sudo apt-get update
    

By following these steps, you can resolve the EXPKEYSIG error on your Ubuntu system, ensuring your repositories remain functional and secure.

Conclusion

The EXPKEYSIG error can be a bit of a headache, but it's a crucial part of maintaining the integrity of your package management system on Ubuntu. Regularly updating your GPG keys and using the latest methods will keep your system secure and your software up-to-date. Whenever you encounter this issue, refer back to this guide for a straightforward solution.