Anyone else getting EXPKEYSIG w/ apt-get update? (Ubuntu - Jammy)

Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease: The following signatures were invalid: EXPKEYSIG DE3623EF08C996E5 OpenZiti Developers <developers@openziti.org>
W: Failed to fetch https://packages.openziti.org/zitipax-openziti-deb-stable/dists/jammy/InRelease  The following signatures were invalid: EXPKEYSIG DE3623EF08C996E5 OpenZiti Developers <developers@openziti.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Hi Ian, thanks for reaching out to our community support!

This is the first we’ve heard of an issue with our package repositories. I’ve forwarded your report to the folks that maintain the repo to take a look at. We’ll fix it or have another answer for you soon.

I’m investigating. The package repo’s metadata signing key does not expire. The metadata are signed automatically by Artifactory whenever a package is uploaded with the JFrog API.

I’ll try to reproduce this with a Jammy box. I believe you’re using the ziti-edge-tunnel package. Is it an x86_64 system?

I should note that it only happens with one of my 22.04 machines and not the others, so the issue could be on my end. The machines all have the same sources.list files though.

Yes and yes. x86 and edge-tunnel

Err:9 https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease
  The following signatures were invalid: EXPKEYSIG DE3623EF08C996E5 OpenZiti Developers <developers@openziti.org>
Reading package lists... Done
W: GPG error: https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease: The following signatures were invalid: EXPKEYSIG DE3623EF08C996E5 OpenZiti Developers <developers@openziti.org>
E: The repository 'https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Does your Jammy box have a source list exactly like this?

deb [signed-by=/usr/share/keyrings/openziti.gpg] https://packages.openziti.org/zitipax-openziti-deb-stable jammy main

Is the pubkey file readable by others?

❯ ls -l /usr/share/keyrings/openziti.gpg
-rw-r--r-- 1 root root 1.8K Jun 28 18:27 /usr/share/keyrings/openziti.gpg

Did you install ziti-edge-tunnel by crafting the APT source file and downloading the key, or perhaps by running this script?

Which version of the package is currently installed, if any?

apt show ziti-edge-tunnel

I installed it so long ago I can’t remember, but I know I used the older script manually to install it. Here are the answers to your questions:

deb [signed-by=/usr/share/keyrings/openziti.gpg] https://packages.openziti.org/zitipax-openziti-deb-stable/ jammy main
-rw-r--r-- 1 root root 1765 Feb  7  2023 /usr/share/keyrings/openziti.gpg
Package: ziti-edge-tunnel
Version: 1.0.3
Status: install ok installed
Priority: optional
Section: devel
Maintainer: support@netfoundry.io
Installed-Size: 4723 kB
Depends: debconf, iproute2, sed, systemd, libatomic1, libssl3 | libssl1.1 | libssl1.0.0, login, passwd, policykit-1, zlib1g
Homepage: https://github.com/openziti/ziti-tunneler-sdk-c
Download-Size: unknown
APT-Manual-Installed: yes
APT-Sources: /var/lib/dpkg/status
Description: OpenZiti tunneler SDK

This is a strange one. Thank you for helping me narrow it down.

Do you have matching fingerprints?

❯ gpg --show-keys --with-fingerprint  /usr/share/keyrings/openziti.gpg
pub   rsa3072/0xDE3623EF08C996E5 2022-07-11 [SC]
      Key fingerprint = 34CB CF18 427D 8814 B5BD  BB0D DE36 23EF 08C9 96E5
uid                              OpenZiti Developers <developers@openziti.org>
sub   rsa3072/0x5F4C996B0DAC0B5F 2022-07-11 [E]


❯ curl -sSLf https://get.openziti.io/tun/package-repos.gpg | sudo gpg --show-keys --with-fingerprint

pub   rsa3072 2022-07-11 [SC]
      34CB CF18 427D 8814 B5BD  BB0D DE36 23EF 08C9 96E5
uid                      OpenZiti Developers <developers@openziti.org>
sub   rsa3072 2022-07-11 [E]

I think I fixed it. For some reason the gpg key I had there was not the correct one… Once I followed that script you linked, I got the correct key and then used gpg to dearmour it. I will make sure this key is consistent across my systems.

mitchelli@eastport ~ $ sudo apt-get update
Ign:1 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/6.0 InRelease
Hit:2 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/6.0 Release
Get:4 https://pkgs.tailscale.com/stable/ubuntu jammy InRelease
Get:6 https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease [4274 B]
Hit:7 http://archive.ubuntu.com/ubuntu jammy InRelease
Hit:8 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Get:9 https://packages.openziti.org/zitipax-openziti-deb-stable jammy/main amd64 Packages [5131 B]
Hit:10 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:5 https://linux.dell.com/repo/community/openmanage/11010/jammy jammy InRelease
Hit:11 http://archive.ubuntu.com/ubuntu jammy-security InRelease
Fetched 11.7 kB in 1s (11.4 kB/s)
Reading package lists... Done

-rw-r--r-- 1 root root 1753 Jul 15 15:24 /usr/share/keyrings/openziti.gpg

^^ Note the different size.

Old key:

gpg --show-keys --with-fingerprint /usr/share/keyrings/openziti.gpg.bak 
pub   rsa3072 2022-07-11 [SC] [expired: 2024-07-10]
      34CB CF18 427D 8814 B5BD  BB0D DE36 23EF 08C9 96E5
uid                      OpenZiti Developers <developers@openziti.org>
sub   rsa3072 2022-07-11 [E] [expired: 2024-07-10]

New key:

gpg --show-keys --with-fingerprint /usr/share/keyrings/openziti.gpg
pub   rsa3072 2022-07-11 [SC]
      34CB CF18 427D 8814 B5BD  BB0D DE36 23EF 08C9 96E5
uid                      OpenZiti Developers <developers@openziti.org>
sub   rsa3072 2022-07-11 [E]

Wonderful. I suspect the error reported by APT was diagnostic: you had an older pubkey that had expired. It won’t be an issue again for the foreseeable future because the current key doesn’t expire, as long as all systems have the forever key.
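As an added example (not code from the thread or from the OpenZiti project), the check below parses `gpg --show-keys --with-colons` output for the installed keyring and for the key the repo publishes, and reports the condition the old/new key listings above show: the fingerprint matches, but the local copy carries an expiry that has lapsed. The colon-format records are constructed from the creation and expiry dates shown in the thread; the uid hash field is left empty and no subkey fingerprint is included, since neither appears on the page.

```python
"""Added example, not from the thread: parse `gpg --show-keys --with-colons`
output for the installed keyring and the key the repo publishes, and explain an
APT EXPKEYSIG the way the thread resolved it (same fingerprint, lapsed expiry)."""

# Constructed colon-format records using the dates shown in the thread
# (created 2022-07-11, old copy expired 2024-07-10); uid hash field omitted.
OLD_KEYRING = """\
pub:e:3072:1:DE3623EF08C996E5:1657497600:1720569600::-:::scSC::::::23::0:
fpr:::::::::34CBCF18427D8814B5BDBB0DDE3623EF08C996E5:
uid:e::::1657497600::::OpenZiti Developers <developers@openziti.org>::::::::::0:
"""
NEW_KEYRING = """\
pub:-:3072:1:DE3623EF08C996E5:1657497600:::-:::scSC::::::23::0:
fpr:::::::::34CBCF18427D8814B5BDBB0DDE3623EF08C996E5:
uid:-::::1657497600::::OpenZiti Developers <developers@openziti.org>::::::::::0:
"""

def parse_colon_keys(text):
    """One dict per primary key. pub fields: 5 key id, 7 expiry (epoch seconds,
    empty when the key never expires); fpr/uid records carry their value in field 10."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "expires": int(f[6]) if f[6] else None,
                         "fpr": None, "uid": None})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # primary key only; subkey fpr records are skipped
        elif f[0] == "uid" and keys and keys[-1]["uid"] is None:
            keys[-1]["uid"] = f[9]
    return keys

def is_expired(key, now):
    return key["expires"] is not None and key["expires"] <= now

def diagnose(local_text, upstream_text, now):
    """(fingerprint, verdict) per installed key: an expiry lapsed only on the
    local copy means a stale keyring; lapsed on both means the repo must rotate."""
    upstream = {k["fpr"]: k for k in parse_colon_keys(upstream_text)}
    verdicts = []
    for key in parse_colon_keys(local_text):
        up = upstream.get(key["fpr"])
        if up is None:
            verdict = "fingerprint not published upstream: wrong key installed"
        elif is_expired(key, now) and not is_expired(up, now):
            verdict = "stale copy: local key expired, published copy does not expire"
        elif is_expired(key, now):
            verdict = "expired upstream too: repository owner must rotate the key"
        else:
            verdict = "ok"
        verdicts.append((key["fpr"], verdict))
    return verdicts
```

On a live system the two inputs would come from `gpg --show-keys --with-colons /usr/share/keyrings/openziti.gpg` and from the same command run over the downloaded `package-repos.gpg`, with `now` taken from the clock.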

Thanks. Like I said, I need to make sure I have this key across all systems now. I think that was the issue.