A Step-by-Step Guide: How to Deal With Expired GPG Keys
Tags: apt, gpg
Created At: 2024/01/24
Updated At: 2024/01/24
A quick note on the GPG key warning message from apt update:
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.anydesk.com all InRelease: The following signatures were invalid: EXPKEYSIG 18DF3741CDFFDE29 philandro Software GmbH <info@philandro.com>
W: Failed to fetch http://deb.anydesk.com/dists/all/InRelease The following signatures were invalid: EXPKEYSIG 18DF3741CDFFDE29 philandro Software GmbH <info@philandro.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.
GPG is the OpenPGP (Pretty Good Privacy) part of the GNU Privacy Guard (GnuPG).
apt uses it to verify the signature on a repository's index files, so that packages are only accepted from a source you trust.
In my case, the expired GPG key belongs to AnyDesk.
Searching the Internet turns up many different ways to renew the key, but some of them are outdated, deprecated or insecure.
Warning from apt-key(8)
ref: https://manpages.debian.org/testing/apt/apt-key.8.en.html
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
Use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main keyring.
The recommended way is simply to use the tee command with wget to place the key in the default directory /etc/apt/trusted.gpg.d/ or the suggested directory /etc/apt/keyrings (see the ref above for more detail).
wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc
Make sure to use:
- asc extension for ASCII armored keys, works with apt version 1.4+
- gpg extension for binary OpenPGP format (also known as “GPG key public ring”), works with all apt versions
Converting between asc and gpg formats
- OpenPGP ASCII armor to GPG binary
$ gpg --output file.gpg --dearmor file.asc
- GPG binary to OpenPGP ASCII armor
$ gpg --output file.asc --enarmor file.gpg
The filename for the keys can be customized; it should then be specified in sources.list with the signed-by option (Signed-By in the deb822 multi-line format).
If no keyring files are specified, the default is the trusted.gpg keyring and all keyrings in the trusted.gpg.d/ directory.
Ref: https://manpages.ubuntu.com/manpages/noble/en/man5/sources.list.5.html
If the GPG key is missing
A NO_PUBKEY error will occur if apt doesn’t find the proper GPG key file in .
Err:21 http://deb.anydesk.com all InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 18DF3741CDFFDE29
Solution (Option 1 with apt-key)
The key to pass to the --recv-keys argument can be found in the error message; for example, with the above message, the key will be 18DF3741CDFFDE29. This option relies on apt-key, which is deprecated as noted above.
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 18DF3741CDFFDE29
Solution (Option 2 with tee)
The key URL can usually be found in the documentation on the package's official website, e.g.:
- http://deb.anydesk.com/howto.html
- https://ngrok.com/docs/getting-started/
$ wget -qO - https://keys.anydesk.com/repos/DEB-GPG-KEY | sudo tee /etc/apt/trusted.gpg.d/anydesk.asc
Solution (Option 3 with tee & gpg dearmor)
$ wget -qO - https://keys.anydesk.com/repos/DEB-GPG-KEY | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/anydesk.gpg > /dev/null
Hope this article saves your day! There may be more details around apt, gpg, and sources.list. I will keep organizing and publishing!