Error Codes Wiki

GPG Key Expired — Package Signature Verification and Key Management Errors

Warning | security

About GPG Key Expired

Fix GPG key expired errors that prevent package installation, repository updates, and signature verification on Linux systems. This guide covers the common causes, step-by-step solutions, and a frequently asked question.


Quick Answer

Is it safe to ignore GPG key errors?

Not recommended. GPG verification ensures packages come from trusted sources and have not been tampered with. Ignoring key errors (--allow-unauthenticated) bypasses this security check and could allow malicious packages to be installed.


Key Details

  • GPG (GNU Privacy Guard) keys are used to sign and verify packages, repositories, and files
  • Package managers (apt, yum/dnf) verify repository signatures using GPG keys
  • Keys have expiration dates and must be renewed or replaced when they expire
  • Expired keys cause 'EXPKEYSIG' or 'NO_PUBKEY' errors during package updates
  • Third-party repository keys are the most common source of expired key issues

Common Causes

  • Repository GPG signing key expired and the system has the old key cached
  • Third-party repository has not been updated with the new key
  • System date is incorrect, making valid keys appear expired
  • GPG key was not properly added when the repository was configured

Steps

  1. Identify the expired key: the error message includes the key ID (e.g., EXPKEYSIG 1234ABCD)
  2. Refresh the key from the keyserver: 'sudo gpg --keyserver keyserver.ubuntu.com --recv-keys KEY_ID'
  3. For apt: 'sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com KEY_ID' (apt-key is deprecated), or reference the key with the signed-by option in the repository's sources entry
  4. Check system date: 'date'. If it is incorrect, fix it with 'sudo timedatectl set-ntp true'
  5. For persistent issues: download the current key from the repository's website and add it manually
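
Before replacing a key, it helps to confirm whether the key is really expired or the system clock is wrong (steps 1 and 4). The script below is an added example, not part of the original page: it reads GnuPG's colon-format listing and reports each key's expiry state at a given clock value. The function names, the sample listing and the keyring file name are constructed for illustration, and GnuPG 2.x epoch timestamps are assumed.

```shell
#!/bin/sh
# Added example. Reads GnuPG colon-format key listings on stdin and reports,
# per primary key (pub) and subkey (sub), whether it is expired at NOW_EPOCH.
# Assumes GnuPG 2.x output, where field 7 is the expiry as epoch seconds.
# Real use (file name is hypothetical):
#   gpg --show-keys --with-colons /etc/apt/keyrings/example.gpg | key_expiry_report
key_expiry_report() {
    now="${1:-$(date +%s)}"   # pass an explicit epoch to test a suspect clock
    awk -F: -v now="$now" '
        $1 == "pub" || $1 == "sub" {
            expires = $7
            if (expires == "")                            state = "no-expiry"
            else if ($2 == "e" || expires + 0 <= now + 0) state = "EXPIRED"
            else if (expires - now < 30 * 86400)          state = "expires-soon"
            else                                          state = "valid"
            print $1, $5, state      # record type, 16-hex key ID, verdict
        }'
}

# Constructed sample listing (not real keys); only fields 1, 2, 5 and 7 are used.
sample_colons() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAA1111:1500000000:1600000000::-:::sc:
sub:-:4096:1:BBBBBBBBBBBB2222:1500000000::::::e:
pub:-:4096:1:CCCCCCCCCCCC3333:1650000000:1800000000::-:::sc:
uid:-::::1650000000::::Constructed Repo <repo@example.invalid>:
EOF
}

echo "clock = 1700000000 (correct in this sample):"
sample_colons | key_expiry_report 1700000000
echo "clock = 1900000000 (set too far ahead):"
sample_colons | key_expiry_report 1900000000
```

A key that reports EXPIRED only under the wrong clock value points to the system date, not the repository key, as the thing to fix.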
