LINUXMAKER, OpenSource, Tutorials

The following signatures were invalid: EXPKEYSIG 7. . .

If apt reports that a repository's signatures are invalid, especially with a message like "EXPKEYSIG", it means that the GPG key associated with that repository has expired or is no longer valid. In this case, you need to replace it with the renewed key published by the repository provider. Here's how to do that for the Tor Project repository, for example, and generally for other repositories on Debian-based systems.

Step 1: Import new key

First, the new key for the corresponding repository must be imported. For the Tor project, this could be done as follows:

  1. Delete old key (optional):

    You can delete the old key if you are sure that you no longer need it:

    sudo apt-key del 74A941BA219EC810

  2. Download and import new key:

    Tor provides a new GPG key that you can download and import:

    curl -fsSL https://deb.torproject.org/torproject.org/DEB.GPG-KEY-torproject.org.asc | sudo gpg --dearmor -o /usr/share/keyrings/tor-archive-keyring.gpg

  3. Adjust repository entry (optional):

    If your sources.list entry does not already reference this key file, specify the path to it with signed-by; apt only uses a key under /usr/share/keyrings for entries that name it. For example:

    deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main

    The exact path and distribution (bullseye, bookworm etc.) must be adjusted according to your system.

Step 2: Update package lists

After the new key is added, you should update the package lists:

sudo apt-get update

Step 3: Check and install

After the update, the EXPKEYSIG message should no longer appear, and apt verifies the repository's package lists against the new key before you install anything from it.
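An added check for the key import in Step 1, not part of the original tutorial: before a downloaded key goes into /usr/share/keyrings, confirm from its `gpg --show-keys --with-colons` listing that it has the expected fingerprint and has not itself expired. The function name, the sample listing and the fingerprint are constructed placeholders; take the real fingerprint from the provider's own documentation, not from the downloaded file.

```sh
#!/bin/sh
# Added example: decide from a key listing whether a downloaded archive key
# is the expected one and still valid, before it is installed as a keyring.
# Real use (FPR = fingerprint published by the provider, an assumption here):
#   gpg --show-keys --with-colons key.asc | check_key_listing "$(date +%s)" "$FPR"

# check_key_listing NOW_EPOCH EXPECTED_FPR   (colon listing on stdin)
# Prints "<STATE> <fingerprint>" per primary key; returns 0 only if every
# primary key is the expected one and has not expired.
check_key_listing() {
    awk -F: -v now="$1" -v want="$2" '
        # pub record, field 7: expiry as epoch seconds, empty means no expiry
        $1 == "pub" { expires = $7; primary = 1; next }
        # the first fpr record after pub belongs to the primary key
        $1 == "fpr" && primary {
            primary = 0; seen = 1
            if ($10 != want) state = "UNEXPECTED"
            else if (expires != "" && expires + 0 <= now + 0) state = "EXPIRED"
            else state = "OK"
            print state, $10
            if (state != "OK") bad = 1
        }
        END { if (bad || !seen) exit 1 }
    '
}

# Constructed sample data (not a real key): placeholder fingerprint and dates.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_LISTING="pub:-:4096:1:89ABCDEF01234567:1600000000:1700000000::-:::scESC::::::23::0:
fpr:::::::::${SAMPLE_FPR}:
uid:-::::1600000000::0000000000000000000000000000000000000000::Example Archive (constructed) <archive@example.invalid>::::::::::0:
sub:-:4096:1:1111111111111111:1600000000:1700000000:::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:"

# Before the expiry date the key is accepted; after it the same key is rejected.
printf '%s\n' "$SAMPLE_LISTING" | check_key_listing 1650000000 "$SAMPLE_FPR"
printf '%s\n' "$SAMPLE_LISTING" | check_key_listing 1750000000 "$SAMPLE_FPR" \
    || echo "do not install: key expired or unexpected"
```

Running the same check against an existing file under /usr/share/keyrings shows whether that key is the one behind an EXPKEYSIG message.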

General instructions for other repositories:

For other repositories that receive similar error messages:

  1. Key search: Check the repository's official website for information about the new GPG key or update the key if the provider has published one.

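  2. Import key: Use the appropriate command to import the new key, often via apt-key or gpg. Note that apt-key is deprecated, and a key added with it is trusted for every configured repository, whereas the gpg --dearmor and signed-by method from Step 1 limits the key to one repository:

    wget -qO - https://example.com/repo.gpg | sudo apt-key add -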

  3. Update package lists: Run sudo apt-get update again to make sure the new signatures are correctly detected.

By following these steps, you keep your repository signing keys up to date, so that apt can continue to verify the signatures of the packages it installs.