How to Fix “KEYEXPIRED” Error During apt-get update on Debian-based Systems


2 views

When running sudo apt-get update on Debian or Ubuntu systems, you might encounter:

W: GPG error: ftp://ftp.fr.debian.org stable/non-US Release: 
The following signatures were invalid: KEYEXPIRED 1138684904

This occurs when the repository's GPG key used to verify packages has expired. The timestamp (1138684904 in this case) represents the expiration date in Unix epoch time.

The most straightforward fix is to update the keyring package:

sudo apt-get install debian-archive-keyring
sudo apt-get update

For Ubuntu systems, use:

sudo apt-get install ubuntu-keyring
sudo apt-get update

If the above doesn't work, manually import the new key:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys [KEY_ID]

To find the KEY_ID, check the error message or the repository's documentation. For example, for Debian:

gpg --keyserver keyring.debian.org --recv-key [KEY_ID]
gpg -a --export [KEY_ID] | sudo apt-key add -

After applying either solution, verify the keys are properly updated:

apt-key list

Look for your repository's key and check its expiration date is in the future.

To prevent future occurrences, set up unattended upgrades:

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Edit the configuration file:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Ensure these lines are present:

Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";

When running sudo apt-get update on Debian-based systems, you might encounter:

W: GPG error: ftp://ftp.fr.debian.org stable/non-US Release: 
The following signatures were invalid: KEYEXPIRED 1138684904

This occurs when the repository's GPG key has expired, preventing package verification.

The most straightforward fix is to update your keyring packages:

sudo apt-get install debian-archive-keyring
sudo apt-get update

If the keyring package doesn't resolve the issue, you can manually manage the keys:

# List available keys
sudo apt-key list

# Remove the expired key (replace XXXX with actual key ID)
sudo apt-key del XXXX

# Download the new key
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys XXXX

# Update again
sudo apt-get update

For third-party repositories, you might need to:

# Example for a PPA
sudo add-apt-repository --remove ppa:example/ppa
sudo add-apt-repository ppa:example/ppa
sudo apt-get update

After applying any solution, verify with:

sudo apt-get update | grep -i keyexpired

No output means the issue is resolved.

Regularly update your keyring to avoid future issues:

sudo apt-get install --only-upgrade debian-archive-keyring