Updating Expired GPG Keys

Follow

Issue

Errors for expired GPG keys are reported when updating via apt on a switch running Cumulus Linux, and prevent package upgrades:

W: GPG error: http://repo3.cumulusnetworks.com CumulusLinux-3 InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605 KEYEXPIRED 1522652605
W: GPG error: http://repo3.cumulusnetworks.com CumulusLinux-3-security-updates InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605 KEYEXPIRED 1522652605
W: GPG error: http://repo3.cumulusnetworks.com CumulusLinux-3-updates InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605 KEYEXPIRED 1522652605

Or for Host Pack packages installed on servers from the apps3 repo:

W: GPG error: https://apps3.cumulusnetworks.com/repos/deb xenial InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605  KEYEXPIRED 1522652605

Resolution

Cumulus Linux (repo3)

Option 1

1) Run apt update using --allow-unathenticated flag:

sudo apt-get update --allow-unauthenticated

2) Install the new cumulus-archive-keyring package:

sudo apt-get install --allow-unauthenticated cumulus-archive-keyring

3) Proceed with the update/upgrade procedure via apt:

sudo apt-get update && sudo apt-get upgrade

Option 2

1) Download the updated cumulus-archive-keyring package:

wget https://repo3.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_3-cl3u4_all.deb

2) Install the new package:

sudo dpkg -i cumulus-archive-keyring_3-cl3u4_all.deb

3) Proceed with the update/upgrade procedure via apt:

sudo apt-get update && sudo apt-get upgrade

Option 3

Update the GPG key on the switch with the following procedure.

1) Download the new key:

sudo apt-key adv --keyserver keys.gnupg.net --recv-keys A88BBC95

2) Update the packages on the switch:

sudo apt-get update

If you still see the messages when running an update, proceed with steps 3-6:

3) Remove the old key:

sudo rm /etc/apt/trusted.gpg.d/cumulus-stage-keyring.gpg

4) Update the packages on the switch:

sudo apt-get update

5) Upgrade the packages on the switch:

sudo apt-get upgrade

6) If prompted to replace /etc/pat/trusted.gpg.d/cumulus-stage-keyring.gpg or /etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg, select Y to install the package maintainers version:

Configuration file '/etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** cumulus-external-keyring.gpg (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg ...

Configuration file '/etc/apt/trusted.gpg.d/cumulus-stage-keyring.gpg'
==> Deleted (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** cumulus-stage-keyring.gpg (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/apt/trusted.gpg.d/cumulus-stage-keyring.gpg ...

Host Pack (apps3)

1) Download the new key:

sudo apt-key adv --keyserver keys.gnupg.net --recv-keys A88BBC95

2) Update the packages on the server:

sudo apt-get update
Have more questions? Submit a request

Comments

Powered by Zendesk