GPG key expired when running apt-get update


Userlevel 1
Today, when running apt-get update, I got an error saying that the security key has expired:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo3.cumulusnetworks.com CumulusLinux-3 InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605 KEYEXPIRED 1522652605

I tried to find the key that has expired:

apt-key list | grep expired
pub 2048R/A88BBC95 2016-04-02 [expired: 2018-04-02]

And tried to update it manually: apt-key adv --keyserver keys.gnupg.net --recv-keys A88BBC95

But the answer was that the key hasn't changed:

gpg: key A88BBC95: "Cumulus Linux 3.0 Package Repository Automatic Signing Key " not changed

Could anyone please assist with how to troubleshoot this situation?

7 replies

Userlevel 4
Are you using NTP on that system?
What does 'ntpq -p' output on your system?
What does 'date' output on your system?
Userlevel 1
Yes, we do use ntp, and the time is set correctly.
cumulus@lab-sw9:mgmt-vrf:~$ date
Mon Apr 2 17:48:02 +03 2018

cumulus@lab-sw9:mgmt-vrf:~$ ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*pendalf.solidex 178.124.134.106 3 u 341 1024 377 0.381 4.481 27.040
+feona.solidex.m 178.124.134.106 3 u 640 1024 377 0.382 80.332 140.294

Also, I tried updating different systems - they all show the same symptoms with the key expired.
Userlevel 4
What version of Cumulus are you looking at? 'cat /etc/lsb-release'
On mine I see the key you're referring to but mine shows as follows:
/etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg
---------------------------------------------------
pub 2048R/A88BBC95 2016-04-02 [expires: 2019-12-01]
uid Cumulus Linux 3.0 Package Repository Automatic Signing Key
sub 2048R/86DF72CD 2016-04-02 [expires: 2019-12-01]
Userlevel 3
The key really had expired. We had fixed it in the 3.5.0 or 3.5.1 timeframe, but we hadn't pushed the new key out to the keyserver. That has now been done, so the apt-key command now works.

Thanks for bringing this to our attention, Sergei

Eric, you probably picked up the newer key through one of our development packages at some point.

Userlevel 3
If you are running 3.5.0 through 3.5.3, you may have to remove /etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg due to apt ordering preferences on keys, so the new key is used. We're still looking into it.
Userlevel 1
Dave, thank you for the response. I indeed use 3.4.3.
I succeeded in updating the key after your comment and then successfully ran update.

Sergei.
Userlevel 4
I was running on 3.5.3 for my testing which explains the disparity. See our new KB on the subject for anyone running into issues who happens to stumble on this thread --> https://support.cumulusnetworks.com/hc/en-us/articles/360002663013
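
The check discussed in this thread, as an added example that is not part of any post above and is not Cumulus code: a shell function that reads legacy-format `apt-key list` output (the format shown in the thread) and reports, per keyring file, whether each primary key is expired or close to expiry, and whether the same key ID sits in two keyrings with different expiry dates. The function name, its two date parameters, and the sample input (including the placement of the expired copy in /etc/apt/trusted.gpg) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Reads legacy `apt-key list` output on
# stdin and prints "STATUS KEYID EXPIRY KEYRING" per primary key, plus a
# CONFLICT line when one key ID has different expiry dates across keyrings.
# $1 = today, $2 = warn-before date, both YYYY-MM-DD (compared as strings).
audit_apt_keys() {
    awk -v today="$1" -v warn="$2" '
        BEGIN { ring = "(unknown)" }
        /^\/.*\.gpg$/ { ring = $0; next }          # keyring file header line
        /^pub / {
            split($2, part, "/"); id = part[2]     # 2048R/A88BBC95 -> A88BBC95
            expiry = "never"; status = "OK"
            if (match($0, /\[(expired|expires): [0-9-]+\]/)) {
                tag = substr($0, RSTART + 1, RLENGTH - 2)
                expiry = substr(tag, length(tag) - 9)      # trailing date
                if (tag ~ /^expired/ || (expiry "") < (today ""))
                    status = "EXPIRED"
                else if ((expiry "") <= (warn ""))
                    status = "EXPIRING"
            }
            print status, id, expiry, ring
            if ((id in seen) && seen[id] != expiry) conflict[id] = 1
            seen[id] = expiry
        }
        END { for (id in conflict) print "CONFLICT", id }
    '
}

# Constructed sample input, built from the key lines quoted in the thread.
sample_apt_key_list() {
cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub   2048R/A88BBC95 2016-04-02 [expired: 2018-04-02]
uid                  Cumulus Linux 3.0 Package Repository Automatic Signing Key

/etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg
---------------------------------------------------
pub   2048R/A88BBC95 2016-04-02 [expires: 2019-12-01]
uid                  Cumulus Linux 3.0 Package Repository Automatic Signing Key
sub   2048R/86DF72CD 2016-04-02 [expires: 2019-12-01]
EOF
}

# On a live system (GNU date assumed):
#   apt-key list | audit_apt_keys "$(date +%F)" "$(date -d '+30 days' +%F)"
sample_apt_key_list | audit_apt_keys 2018-04-02 2018-05-02
```

A CONFLICT line points at the situation described above for 3.5.0 through 3.5.3, where two copies of the same key with different expiry dates are present and one keyring file may need to be removed.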
