Fix Ubuntu/Debian apt-get “KEYEXPIRED: The following signatures were invalid”

Running an Ubuntu or Debian operating system on your servers comes with a long lifetime. You won’t switch servers and migrate your applications that often.

You’ll maintain your system now and then and update installed packages to keep your system secure.

Recently, while maintaining the software on our server, we ran into the error „The following signatures were invalid: KEYEXPIRED 1544811256“ while running apt-get update.

This error happens when your system installs services from third-party repositories as we do with MongoDB.

Ubuntu/Debian Series Overview

The Problem

You’ll recognize the following output while running apt-get update on your Ubuntu 16.04 system:

$ sudo apt-get update

Ign:11 https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 InRelease  
Hit:12 https://repos.sonar.digitalocean.com/apt main InRelease  
Hit:13 https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 Release  
Err:17 https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 Release.gpg  
  The following signatures were invalid: KEYEXPIRED 1544811256
Fetched 1930 kB in 3s (601 kB/s)  
Reading package lists... Done

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 Release: The following signatures were invalid: KEYEXPIRED 1544811256

W: Failed to fetch https://repo.mongodb.org/apt/ubuntu/dists/xenial/mongodb-org/3.6/Release.gpg  The following signatures were invalid: KEYEXPIRED 1544811256  
W: Some index files failed to download. They have been ignored, or old ones used instead.  

The GPG key of the MongoDB repository expired on this server. To fix this issue, you need to rotate the key on your system. Here are the steps to renew an expired key.

Step 1: Find the Expired Key

Find the expired key from apt’s key list. You can run apt-key list to print a list of all installed keys. Use the command below if you want to filter for expired keys:

$ sudo apt-key list | grep -A 1 expired

pub   4096R/91FA4AD5 2016-12-14 [expired: 2018-12-14]  
uid                  MongoDB 3.6 Release Signing Key <packaging@mongodb.com>  

This resulting list prints all packages with related key details. The important part is the key 91FA4AD5. Copy that part, because you need it in the second step.

At the time of writing this tutorial, it’s December 18th, 2018 and the key expired four days ago (December 14th, 2018).

Step 2: Renew the Expired Key

Now that you know which key expired, go ahead and renew it. Use the following command and replace the <KEY> placeholder with your key’s value (the one you copied from above):

$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys <KEY>

For the expired MongoDB GPG key, the command and output looks like this:

$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 91FA4AD5

Executing: /tmp/tmp.XC8EiRvH3E/gpg.1.sh --keyserver  
hkp://keyserver.ubuntu.com:80  
--recv-keys
91FA4AD5  
gpg: requesting key 91FA4AD5 from hkp server keyserver.ubuntu.com  
gpg: key 91FA4AD5: "MongoDB 3.6 Release Signing Key <packaging@mongodb.com>" 1 new signature  
gpg: Total number processed: 1  
gpg:         new signatures: 1  

Sweet! Processing the key finished and your system received a new signature. Run the command to find outdated keys again and ensure an empty list.

Step 3: Re-Run Update

Now go ahead and re-run the apt-get update command to update your repositories 👌

$ sudo apt-get update

That’s it. Now you can upgrade your system with the updated packages. Enjoy!

Explore the Library

Find interesting tutorials and solutions for your problems.