layout-3layout-6layout-1layout-top
layout-toplayout-6layout-1

Update Expired GPG Keys

Issue

Errors for expired GPG keys are reported when updating via apt on a switch running Cumulus Linux, and prevent package upgrades:

W: GPG error: http://repo3.cumulusnetworks.com CumulusLinux-3 InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605 KEYEXPIRED 1522652605
W: GPG error: http://repo3.cumulusnetworks.com CumulusLinux-3-security-updates InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605 KEYEXPIRED 1522652605
W: GPG error: http://repo3.cumulusnetworks.com CumulusLinux-3-updates InRelease: The following signatures were invalid: KEYEXPIRED 1522652605 KEYEXPIRED 1522652605 KEYEXPIRED 1522652605

Resolution

You can resolve this issue in one of three ways.

Option 1: Use the allow-unauthenticated Flag

  1. Run apt update using the --allow-unathenticated flag:

    sudo apt-get update --allow-unauthenticated

  2. Install the new cumulus-archive-keyring package:

    sudo apt-get install --allow-unauthenticated cumulus-archive-keyring

  3. Proceed with the update/upgrade procedure via apt:

    sudo apt-get update && sudo apt-get upgrade

Option 2: Download the Updated cumulus-archive-keyring Package

  1. Download the updated cumulus-archive-keyring package:

    wget http://repo3.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl3u5_all.deb

  2. Install the new package:

    sudo dpkg -i cumulus-archive-keyring_4-cl3u5_all.deb

  3. Proceed with the update/upgrade procedure via apt:

    sudo apt-get update && sudo apt-get upgrade

Option 3: Update the GPG Key on the Switch

Update the GPG key on the switch with the following procedure.

  1. Download the new key:

    sudo apt-key adv --keyserver keys.gnupg.net --recv-keys A88BBC95

  2. Update the packages on the switch:

    sudo apt-get update

If you still see the messages when running an update, do the following:

  1. Remove the old key:

    sudo rm /etc/apt/trusted.gpg.d/cumulus-stage-keyring.gpg

  2. Update the packages on the switch:

    sudo apt-get update

  3. Upgrade the packages on the switch:

    sudo apt-get upgrade

  4. If prompted to replace /etc/pat/trusted.gpg.d/cumulus-stage-keyring.gpg or /etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg, press Y to install the package maintainers version:

    Configuration file '/etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** cumulus-external-keyring.gpg (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/apt/trusted.gpg.d/cumulus-external-keyring.gpg ...

Configuration file '/etc/apt/trusted.gpg.d/cumulus-stage-keyring.gpg'
==> Deleted (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** cumulus-stage-keyring.gpg (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/apt/trusted.gpg.d/cumulus-stage-keyring.gpg ...