24

After a recent apt update && apt full-upgrade I started getting the following error when running apt full-upgrade subsequently:

Get:4 https://repo.skype.com/deb stable InRelease [4,502 B]                                        
Err:4 https://repo.skype.com/deb stable InRelease
  The following signatures were invalid: EXPKEYSIG 1F3045A5DF7587C3 Skype Linux Client Repository <[email protected]>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repo.skype.com/deb stable InRelease: The following signatures were invalid: EXPKEYSIG 1F3045A5DF7587C3 Skype Linux Client Repository <[email protected]>
W: Failed to fetch https://repo.skype.com/deb/dists/stable/InRelease  The following signatures were invalid: EXPKEYSIG 1F3045A5DF7587C3 Skype Linux Client Repository <[email protected]>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Is there a way to correct this, or should I just wait for Microsoft/Canonical to produce/update the necessary key signatures?

Broadsworde
  • 3,922
  • 4
  • 27
  • 45
  • Does this answer your question? ["GPG error: Release: The following signatures were invalid: BADSIG"](https://askubuntu.com/questions/131601/gpg-error-release-the-following-signatures-were-invalid-badsig) – guiverc Jun 24 '21 at 04:31
  • Keys are provided for Ubuntu repositories, you need to add them for 3rd party sources that don't provide them to Canonical/Ubuntu. – guiverc Jun 24 '21 at 04:32
  • BADSIG answers are aimed at removing the bad key then getting a fresh one. My issue is the latest one available is expired. – Broadsworde Jun 24 '21 at 04:56
  • Check your host time and date. – paladin Jun 24 '21 at 07:41
  • Date, time and time zone are correct. – Broadsworde Jun 24 '21 at 07:54
  • 4
    The GPG-key for Skype's repository expired on 2021-06-21 and Microsoft has not yet renewed it. Sadly, this is not the first time ... – matigo Jun 24 '21 at 08:19
  • @karel , my instinct is to wait for apt upgrade to pickup the new key signature, which kind of aligns with the advice in your suggested answer. We will only know if this is the right approach if and when apt upgrade actually does it. – Broadsworde Jun 24 '21 at 10:35
  • 1
    I really wish someone from Microsoft would step up and fix this bug or a volunteer who supports the ubuntu package distribution tooling ... this issue is ongoing and impacting everyone using skype – Scott Stensland Oct 14 '21 at 17:41

2 Answers2

23

The key has now been updated, you can install it with:

curl https://repo.skype.com/data/SKYPE-GPG-KEY | sudo apt-key add -

Kris
  • 421
  • 1
  • 3
  • 9
  • 1
    I'm confused, the contents of https://repo.skype.com/deb/dists/stable/InRelease indicate an update was made yesterday (2021-Jun-23), so surely apt full-upgrade should be picking up a new key signature if one was available. – Broadsworde Jun 24 '21 at 08:50
  • 3
    This works for me, but Why can this happen automatically when you type `sudo apt-get update` ? – Boris Valderrama Jun 24 '21 at 21:34
21

The validity of the signature key has expired, and only after a few days Microsoft generated a new key. The key replacement in your system is not automatic and you need to delete the old key and add the new one.

There are two ways two solve the issue: one, using the traditional apt-key add command, the other one adding manually the new key to the keyring.

# Solution valid until Ubuntu 21.04 (including it)

You can delete the no longer valid key:

sudo apt-key del 1F3045A5DF7587C3

and then re-add the new valid key:

curl https://repo.skype.com/data/SKYPE-GPG-KEY | sudo apt-key add -

Running sudo apt update && sudo apt upgrade you should see no errors.

# Solution valid in Ubuntu 21.04 and future releases

When you try to add an APT repository key using apt-key in Ubuntu, you may see the following message:

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

The apt-key man page mentions that:

use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main keyring.

So, if you use a version of Ubuntu until 21.04, you are ok using apt-key del and apt-key add, but for the following versions you must manually add the key in the keyring (in Ubuntu 21.04 both solutions work perfectly: I tested both of them).

You can delete the no longer valid key:

sudo apt-key del 1F3045A5DF7587C3

Download the key and add it to the keyring:

curl https://repo.skype.com/data/SKYPE-GPG-KEY | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/skype-stable-archive-keyring.gpg

Open the skype-stable.list file...

sudo nano /etc/apt/sources.list.d/skype-stable.list

...and modify the first line in this way:

deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/skype-stable-archive-keyring.gpg] https://repo.skype.com/deb stable main

Running sudo apt update && sudo apt upgrade you should see no errors.

Lorenz Keel
  • 8,362
  • 8
  • 36
  • 49
  • 1
    I really wish someone from Microsoft would step up and fix this bug or a volunteer who supports the ubuntu package distribution tooling ... this issue is ongoing and impacting everyone using skype – Scott Stensland Oct 14 '21 at 17:42