How to Fix “KEYEXPIRED” GPG Error in apt-get Update on Linux Systems


2 views

When running sudo apt-get update on Debian/Ubuntu systems, you might encounter this frustrating error:

W: GPG error: http://debian.datastax.com stable Release: 
The following signatures were invalid: KEYEXPIRED 1439480363 
KEYEXPIRED 1439480363 KEYEXPIRED 1439480363

This occurs when the repository's GPG key used to verify packages has expired. Unlike Windows or macOS, Linux package management relies heavily on cryptographic verification.

Repository maintainers typically set expiration dates for security reasons:

  • Forces regular key rotation
  • Limits damage if keys are compromised
  • Ensures security best practices

The timestamp (1439480363) represents the Unix epoch time when the key expired.

For the DataStax repository example:

sudo apt-key adv --keyserver keyserver.ubuntu.com \
--recv-keys 2B5C1B00
sudo apt-get update

If you don't know the key ID:

sudo apt update 2>&1 | grep -oP 'NO_PUBKEY \K[0-9A-F]{8,16}'

For production systems, consider these robust solutions:

# Method 1: Update the key from keyserver
sudo apt-key adv --refresh-keys --keyserver keyserver.ubuntu.com

# Method 2: Manual key installation
wget -qO - https://debian.datastax.com/debian/repo_key | sudo apt-key add -

# Method 3: Complete repository reconfiguration
sudo rm /etc/apt/sources.list.d/datastax.sources.list
sudo apt-add-repository -y "deb http://debian.datastax.com/community stable main"

For stubborn cases where keys won't update:

# Check existing keys
apt-key list

# Delete expired key (replace KEYID)
sudo apt-key del KEYID

# Verify repository configuration
ls -l /etc/apt/sources.list.d/
cat /etc/apt/sources.list

Remember that in newer Debian/Ubuntu versions, apt-key is deprecated. Consider using:

sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://debian.datastax.com/debian/repo_key | \
sudo gpg --dearmor -o /etc/apt/keyrings/datastax.gpg

When running sudo apt-get update, you might encounter errors like:

W: GPG error: http://debian.datastax.com stable Release: 
The following signatures were invalid: 
KEYEXPIRED 1439480363 KEYEXPIRED 1439480363 KEYEXPIRED 1439480363

This occurs when the repository's GPG key used to verify packages has expired. Unlike other GPG errors, simply using --fix-missing won't resolve this.

First, identify which key is problematic:

sudo apt-key list

Look for entries marked [expired] near the expiration timestamp (1439480363 in this case). The output might show something like:

pub   4096R/ABC12345 2013-04-10 [expired: 2015-08-12]
uid                  DataStax Package Signing Key <packages@datastax.com>

For repositories that provide key rotation:

sudo apt-key adv --keyserver keyserver.ubuntu.com \
--recv-keys ABC12345

Replace ABC12345 with the actual key ID from your apt-key list output.

When automatic update fails, download and install the key manually:

wget -qO - https://debian.datastax.com/debian/repo_key | sudo apt-key add -

For emergency situations only, you can temporarily disable verification:

sudo apt-get -o Acquire::AllowInsecureRepositories=true update

Warning: This compromises package security and should only be used as a last resort.

Add this cron job to check for expiring keys monthly:

0 0 1 * * /usr/bin/apt-key list | grep -A 1 expired && \
echo "Expired keys detected" | mail -s "Key Alert" admin@example.com

For common repositories:

  • DataStax: sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 2B5C1B00
  • Docker: curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
  • NodeSource: curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | sudo apt-key add -

After applying any solution, verify with:

sudo apt-get clean
sudo apt-get update

Check that the KEYEXPIRED warning no longer appears in the output.