Updating Expired GPG Keys

Follow

Issue

Errors for expired GPG keys are reported when updating via apt on a switch running Cumulus Linux, and prevent package upgrades:

W: GPG error: http://repo3.cumulusnetworks.com CumulusLinux-3 InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605 KEYEXPIRED 1522652605
W: GPG error: http://repo3.cumulusnetworks.com CumulusLinux-3-security-updates InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605 KEYEXPIRED 1522652605
W: GPG error: http://repo3.cumulusnetworks.com CumulusLinux-3-updates InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605 KEYEXPIRED 1522652605

Or for Host Pack packages installed on servers from the apps3 repo:

W: GPG error: https://apps3.cumulusnetworks.com/repos/deb xenial InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605  KEYEXPIRED 1522652605

Resolution

Cumulus Linux (repo3)

Option 1

1) Run apt update using --allow-unathenticated flag:

sudo apt-get update --allow-unauthenticated

2) Install the new cumulus-archive-keyring package:

sudo apt-get install --allow-unauthenticated cumulus-archive-keyring

3) Proceed with the update/upgrade procedure via apt:

sudo apt-get update && sudo apt-get upgrade

Option 2

1) Download the updated cumulus-archive-keyring package:

wget http://repo3.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl3u5_all.deb

2) Install the new package:

sudo dpkg -i cumulus-archive-keyring_4-cl3u5_all.deb

3) Proceed with the update/upgrade procedure via apt:

sudo apt-get update && sudo apt-get upgrade

Option 3

Update the GPG key on the switch with the following procedure.

1) Download the new key:

sudo apt-key adv --keyserver keys.gnupg.net --recv-keys A88BBC95

2) Update the packages on the switch:

sudo apt-get update

If you still see the messages when running an update, proceed with steps 3-6:

3) Remove the old key:

sudo rm /etc/apt/trusted.gpg.d/cumulus-stage-keyring.gpg

4) Update the packages on the switch:

sudo apt-get update

5) Upgrade the packages on the switch:

sudo apt-get upgrade

6) If prompted to replace /etc/pat/trusted.gpg.d/cumulus-stage-keyring.gpg or /etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg, select Y to install the package maintainers version:

Configuration file '/etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** cumulus-external-keyring.gpg (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg ...

Configuration file '/etc/apt/trusted.gpg.d/cumulus-stage-keyring.gpg'
==> Deleted (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** cumulus-stage-keyring.gpg (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/apt/trusted.gpg.d/cumulus-stage-keyring.gpg ...

Host Pack (apps3)

1) Download the new key:

sudo apt-key adv --keyserver keys.gnupg.net --recv-keys A88BBC95

2) Update the packages on the server:

sudo apt-get update
Have more questions? Submit a request

Comments

This support portal has moved

Cumulus Networks is now part of the NVIDIA Networking Business Unit! The NVIDIA Cumulus Global Support Services (GSS) team has merged its operations with the NVIDIA Mellanox support services team.

You can access NVIDIA Cumulus support content from the Mellanox support portal.

You open and update new cases on the Mellanox support portal. Any previous cases that have been closed have been migrated to the Mellanox support portal.

Cases that are still open on the Cumulus portal will continue to be managed on the Cumulus portal. Once these cases close, they will be moved to the Mellanox support portal.

Powered by Zendesk