Fixing apt-get update errors
I ran into some issues when updating my system:
apt-get update
apt-get upgrade
The second command spilled out some errors, among which:
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cli.github.com/packages stable InRelease: The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <opensource+cli@github.com>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://pkg.cloudflareclient.com jammy InRelease: The following signatures were invalid: EXPKEYSIG 6E2DD2174FA1C3BA Cloudflare Package Repository <support@cloudflare.com>
E: Failed to fetch https://proget.makedeb.org/dists/makedeb/InRelease 530 <none> [IP: 2606:4700:3032::ac43:afa2 443]
E: The repository 'https://proget.makedeb.org makedeb InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'http://deb.gierens.de stable InRelease' doesn't support architecture 'i386'
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repository.spotify.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5384CE82BA52C83A
The following problems can be seen:
- Expired keys for GitHub CLI and Cloudflare
- Missing key for Spotify
- Dead makedeb server
1. Dealing with expired keys
The first error code shown is EXPKEYSIG. This means that the GPG key used to sign the repository's InRelease index file has expired. The package manager, apt in this case, rejects the signature and keeps using the old index files. To resolve the issue, the expired key needs to be replaced with a new key from the package provider's official site.
The key location and the source can be found in the apt sources list files:
ls /etc/apt/sources.list.d/
Let's see the GitHub and Cloudflare file contents:
cat /etc/apt/sources.list.d/github-cli.list
# deb [arch=amd64 signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main
cat /etc/apt/sources.list.d/cloudflare-client.list
# deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ jammy main
With the key location and the source known, the key can be updated with:
# GitHub CLI
wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg \
| sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
Or, with slightly different commands, for the Cloudflare WARP app:
# Cloudflare WARP
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \
| sudo gpg --yes --dearmor -o /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
While I was writing the post I came across the expkeysig website. It has some more insights on the error and a tool to build the fix command, which will provide the necessary commands to update the key by just inserting the expired key and the package manager being used. These look slightly different from the commands above. They set up the trusted keys with a key server:
sudo apt-key del 75716059
sudo gpg --keyserver keyserver.ubuntu.com --recv-keys 23F3D4EA75716059
sudo gpg --export 23F3D4EA75716059 | sudo tee /usr/share/keyrings/75716059-archive-keyring.gpg > /dev/null
# Update your sources.list entry to include [signed-by=/usr/share/keyrings/75716059-archive-keyring.gpg]
sudo apt-get update
2. Dealing with a missing key
The other key-related error code is NO_PUBKEY. This requires a similar solution: find the key location and add the missing key there. So, let's check the sources list file:
cat /etc/apt/sources.list.d/spotify.list
# deb https://repository.spotify.com stable non-free
Surprise, no key location. There is a source but no location. I did look into the common directories where keys could be found:
ls -la /etc/apt/keyrings/
ls -la /usr/share/keyrings/
ls -la /etc/apt/trusted.gpg.d/
And I could not see any file name which might hint at a Spotify key. So I downloaded the key to a new file and manually updated the list file:
curl -sS https://download.spotify.com/debian/pubkey_5384CE82BA52C83A.gpg \
| sudo gpg --yes --dearmor -o /etc/apt/keyrings/spotify.gpg
And in the list file I added the key location:
deb [signed-by=/etc/apt/keyrings/spotify.gpg] https://repository.spotify.com stable non-free
At this point you might also wonder how it is possible that it worked in the past. It did not occur to me while fixing the issues that I have been using Spotify for a while, therefore the key must have existed on the machine so that apt could have installed it before. I assume that one of the GPG keys which are in the /etc/apt/trusted.gpg.d/ directory belongs to Spotify.
I could have added the new Spotify key to the same trusted.gpg.d directory. However, following the recommendations in the apt-key manpage's deprecation section, I have placed the key in a different directory. Any key in the trusted.gpg.d directory can be used to authenticate packages from any repository. In contrast, using the signed-by method above means that the key is only trusted for the given repository. This reduces the possible attack surface: a compromised or leaked key for one vendor cannot be used to sign packages for every other repository on the system.
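The following is an added example, not code from the original post: a small audit that lists which apt source entries are scoped with signed-by and which still fall back to the global trusted.gpg.d store, plus (where gpg is installed) the expiry date of each scoped keyring so an EXPKEYSIG can be caught before apt-get update fails. The sample directory and its three .list files are constructed inline to mirror the post.

```shell
#!/bin/sh
# Added example (not from the original post). Entries without [signed-by=...]
# are verified against every key in /etc/apt/trusted.gpg.d (global trust);
# entries with signed-by are verified only against the named keyring.

# Print one line per active deb/deb-src entry in DIR/*.list:
#   "<file>\tSCOPED\t<keyring>"  or  "<file>\tGLOBAL\t-"
audit_apt_sources() {
  dir=$1
  for f in "$dir"/*.list; do
    [ -f "$f" ] || continue
    # Comments and blank lines are dropped; only deb/deb-src lines count.
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$f" | while IFS= read -r line; do
      keyring=$(printf '%s\n' "$line" | sed -n 's/.*\[[^]]*signed-by=\([^] ]*\).*/\1/p')
      if [ -n "$keyring" ]; then
        printf '%s\tSCOPED\t%s\n' "$(basename "$f")" "$keyring"
      else
        printf '%s\tGLOBAL\t-\n' "$(basename "$f")"
      fi
    done
  done
}

# Number of entries relying on the global trust store (0 is the goal).
count_global_entries() {
  audit_apt_sources "$1" | grep -c 'GLOBAL' || true
}

# For each scoped keyring, print "<keyring>\t<expiry epoch>" (0 = never),
# or "<keyring>\tMISSING" if the file referenced by signed-by is absent.
# Uses gpg's machine-readable output; field 7 of a "pub" record is the expiry.
keyring_expiry() {
  audit_apt_sources "$1" | awk -F'\t' '$2=="SCOPED"{print $3}' | sort -u | while IFS= read -r kr; do
    [ -r "$kr" ] || { printf '%s\tMISSING\n' "$kr"; continue; }
    gpg --show-keys --with-colons "$kr" 2>/dev/null \
      | awk -F: -v kr="$kr" '$1=="pub"{print kr "\t" ($7==""?"0":$7)}'
  done
}

# Constructed sample: the three lists from the post, in a temporary directory.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'deb [arch=amd64 signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main\n' > "$d/github-cli.list"
  printf '# commented line is ignored\ndeb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ jammy main\n' > "$d/cloudflare-client.list"
  printf 'deb https://repository.spotify.com stable non-free\n' > "$d/spotify.list"
  printf '%s\n' "$d"
}
```

Run it against the real system with `audit_apt_sources /etc/apt/sources.list.d` and `keyring_expiry /etc/apt/sources.list.d`; an entry reported as GLOBAL is a candidate for the signed-by treatment given to the Spotify list above.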
3. Dealing with a dead server
The error mentions that updating from the makedeb repository is not secure:
E: The repository 'https://proget.makedeb.org makedeb InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
So let's just disable it:
sudo mv /etc/apt/sources.list.d/makedeb.list /etc/apt/sources.list.d/makedeb.list.disabled
Update before upgrade
After doing all the key changes it is necessary to refresh the package index again:
sudo apt-get update
And the following upgrade showed no more issues.