GPG key expired when running apt-get update

  • 1
  • Problem
  • Updated 2 weeks ago
Today, when running apt-get update I got an error, that security key got expired:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo3.cumulusnetworks.com CumulusLinux-3 InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605 KEYEXPIRED 1522652605

I tried to find the key, which is expired:

apt-key list | grep expired
pub   2048R/A88BBC95 2016-04-02 [expired: 2018-04-02]

And tried to update it manually: apt-key adv --keyserver keys.gnupg.net --recv-keys A88BBC95

But the answer was, that key has't changed:

gpg: key A88BBC95: "Cumulus Linux 3.0 Package Repository Automatic Signing Key <support@cumulusnetworks.com>" not changed

Could anyone, please, assist - how to troubleshoot his situation?
Photo of Sergei Hanus

Sergei Hanus

  • 476 Points 250 badge 2x thumb

Posted 3 weeks ago

  • 1
Photo of Eric Pulvino

Eric Pulvino, Official Rep

  • 3,930 Points 3k badge 2x thumb
Are you using NTP on that system? 
What does `ntpq -p` output on your system? 
What does `date` output on your system?
Photo of Sergei Hanus

Sergei Hanus

  • 476 Points 250 badge 2x thumb
Yes, we do use ntp, and the time is set correctly.
cumulus@lab-sw9:mgmt-vrf:~$ date
Mon Apr  2 17:48:02 +03 2018

cumulus@lab-sw9:mgmt-vrf:~$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*pendalf.solidex 178.124.134.106  3 u  341 1024  377    0.381    4.481  27.040
+feona.solidex.m 178.124.134.106  3 u  640 1024  377    0.382   80.332 140.294

Also, I tried updating different systems - they all show same symptoms with key expired.
Photo of Eric Pulvino

Eric Pulvino, Official Rep

  • 3,930 Points 3k badge 2x thumb
What version of Cumulus are you looking at? `cat /etc/lsb-release`
On mine I see the key you're referring to but mine shows as follows:
/etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg
---------------------------------------------------
pub   2048R/A88BBC95 2016-04-02 [expires: 2019-12-01]
uid                  Cumulus Linux 3.0 Package Repository Automatic Signing Key <support@cumulusnetworks.com>
sub   2048R/86DF72CD 2016-04-02 [expires: 2019-12-01]
Photo of Dave Olson

Dave Olson, MTS

  • 1,050 Points 1k badge 2x thumb
The key really had exprired.  We had fixed it in the 3.5.0 or 3.5.1 timeframe, but we hadn't pushed the new key out to the keyserver.   That has now been done, so the apt-key command now works.

Thanks for bringing this to our attention, Sergei


Eric, you probably picked up the newer key through one of our development packages at some point.
Photo of Dave Olson

Dave Olson, MTS

  • 1,050 Points 1k badge 2x thumb
If you are running 3.5.0 through 3.5.3 may have to remove /etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg due to apt ordering preferences on keys, so the new key is used..  We're still looking into it still.
Photo of Sergei Hanus

Sergei Hanus

  • 476 Points 250 badge 2x thumb
Dave, thank you for response. I indeed use 3.4.3.
I have succeeded to update the key after your comment and then successfully ran update.

 Sergei.
Photo of Eric Pulvino

Eric Pulvino, Official Rep

  • 3,930 Points 3k badge 2x thumb
I was running on 3.5.3 for my testing which explains the disparity.  See our new KB on the subject for anyone running into issues who happens to stumble on this thread --> https://support.cumulusnetworks.com/hc/en-us/articles/360002663013