
I'm getting the following error every time I do apt-get upgrade:

```
GPG error: http://nginx.org trusty Release: The following signatures were invalid: KEYEXPIRED 1471427554
```

I just have the official nginx ppa installed the standard way, by having added the following to my sources.list

```
deb http://nginx.org/packages/ubuntu/ trusty nginx
deb-src http://nginx.org/packages/ubuntu/ trusty nginx
```

Is this an error from their end that they will eventually fix hopefully, or is there something I'm going to have to do from my end?

Thomas Ward
Mohamed Hafez
  • Did you download [this key from NGINX](http://nginx.org/keys/nginx_signing.key), then run `sudo apt-key add nginx_signing.key` and still getting this error? – Thomas Ward Aug 18 '16 at 16:30
  • this happens ... sometimes. But this ("1471427554") does not look like a valid GPG key. `wget http://nginx.org/keys/nginx_signing.key -O - |sudo apt-key add -` will do both steps suggested by @ThomasWard in one small command. – Phillip -Zyan K Lee- Stockmann Aug 18 '16 at 16:34
  • `LANG=C sudo apt-key adv --keyserver keys.gnupg.net --recv-keys 1471427554` returns the following error: `Executing: /tmp/tmp.EU8uLKmT5b/gpg.1.sh --keyserver keys.gnupg.net --recv-keys 1471427554 gpg: "1471427554" not a key ID: skipping` – Phillip -Zyan K Lee- Stockmann Aug 18 '16 at 16:38
  • @Phillip-ZyanKLee-Stockmann I see what you're saying, but maybe they copy-pasted or such. (We need them to reply to whether they added the key or not...) – Thomas Ward Aug 18 '16 at 16:40
  • @Mohamed-Hafez Please, post in the question the output of `wget http://nginx.org/keys/nginx_signing.key -O - |sudo apt-key add - ` commands (@Phillip-ZyanKLee-Stockmann comment) – Thiago Rider Augusto Aug 18 '16 at 16:46
  • @Phillip-ZyanKLee-Stockmann's comment worked!! one suggestion, could I have used https in the address to be more secure? too late for me but just checking for anyone else who might see this – Mohamed Hafez Aug 18 '16 at 16:48
  • yes, the key file is available via https as well. – Phillip -Zyan K Lee- Stockmann Aug 18 '16 at 16:52
  • @Phillip: Actually, 1471427554 is the timestamp of the expiry time for the APT signing key. Modern versions of the date command will parse it to readable format for you: `date -u -d @1471427554` gives `Wed Aug 17 09:52:34 UTC 2016`. – BertD Aug 30 '17 at 23:02

2 Answers

50

After adding a third party repository to a /etc/apt/sources.list.d/* file or /etc/apt/sources.list, you need to make sure the corresponding gpg key is inserted into the apt keystore.

To be more specific for this special case of nginx.org repository: you need to add the nginx.org gpg key file used for the signing of the repository.

This can be done by either downloading the file https://nginx.org/keys/nginx_signing.key manually and issuing `sudo apt-key add nginx_signing.key` (as suggested by nginx.org and @ThomasWard) or you can do this in one single line:

```
wget https://nginx.org/keys/nginx_signing.key -O - | sudo apt-key add -
```
11

The root cause of this problem is that the "older" Nginx signing key expired on Aug 17, 2016:

```
$ sudo apt-key list

pub   2048R/7BD9BF62 2011-08-19 [expired: 2016-08-17]
uid                  nginx signing key <[email protected]>
```

To fix this issue, add the new signing key using the command as suggested by @phillip-zyan-k-lee-stockmann and @ThomasWard:

```
wget https://nginx.org/keys/nginx_signing.key -O - | sudo apt-key add -
```

The new key now expires in 2024:

```
$ sudo apt-key list

pub   2048R/7BD9BF62 2011-08-19 [expires: 2024-06-14]
uid                  nginx signing key <[email protected]>
```
Josh
hwdsl2
  • I think that I like this answer overall since it attempts to explain what happened better. (The above explanation didn't fit with my use case despite the response.) – codenoob Apr 21 '19 at 02:28
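
Added example, not part of the original question, answers or comments: it decodes the `KEYEXPIRED` epoch from the apt error (the conversion BertD's comment describes) and flags keys in a `gpg --with-colons` listing that are expired or about to expire, so the condition can be caught before `apt-get` starts failing. The function names are hypothetical, and the keyring listing and its key IDs are constructed sample data.

```shell
#!/bin/sh
# Added example; function names and sample data are assumptions, not from the thread.

# Epoch seconds -> UTC date (GNU date first, BSD date as fallback).
epoch_to_date() {
    date -u -d "@$1" +%Y-%m-%d 2>/dev/null || date -u -r "$1" +%Y-%m-%d
}

# stdin: apt-get output. Prints the expiry date behind each KEYEXPIRED token.
keyexpired_dates() {
    grep -o 'KEYEXPIRED [0-9][0-9]*' | while read -r tag ts; do
        echo "$tag $ts = $(epoch_to_date "$ts")"
    done
}

# stdin: `gpg --with-colons` key listing (field 5 = key ID, field 7 = expiry epoch).
# $1 = current time as epoch, $2 = warning window in days.
# Keys with no expiry (empty field 7) are skipped.
expiring_keys() {
    awk -F: -v now="$1" -v days="$2" '
        ($1 == "pub" || $1 == "sub") && $7 ~ /^[0-9]+$/ {
            if ($7 + 0 <= now + 0) print "EXPIRED", $5, $7
            else if ($7 + 0 <= now + days * 86400) print "EXPIRING", $5, $7
        }' | while read -r status id ts; do
        echo "$status $id $(epoch_to_date "$ts")"
    done
}

# The error line quoted in the question.
SAMPLE_APT='GPG error: http://nginx.org trusty Release: The following signatures were invalid: KEYEXPIRED 1471427554'

# Constructed keyring listing: placeholder key IDs, expiry dates taken from the answer.
SAMPLE_KEYS='pub:e:2048:1:1111111111111111:1313700000:1471427554::-:::sc:
uid:e::::1313700000::::constructed sample key:
pub:-:2048:1:2222222222222222:1313700000:1718323200::-:::sc:'

printf '%s\n' "$SAMPLE_APT" | keyexpired_dates
printf '%s\n' "$SAMPLE_KEYS" | expiring_keys 1471500000 30   # "now" = 2016-08-18

# On a live system of that era (apt-key is deprecated on current releases):
#   apt-key adv --list-keys --with-colons --fixed-list-mode | expiring_keys "$(date +%s)" 30
```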