This warning occurs when apt tries to verify a repository's GPG signature, but the key has expired. The signature validation fails because the cryptographic key used to verify package authenticity has passed its expiration date. You can fix this by updating the expired GPG key from a key server.
When you run `apt update` or install packages from a third-party repository, apt verifies the repository's integrity using GPG (GNU Privacy Guard) cryptographic signatures. Each repository is signed with a GPG key that has an expiration date. When apt encounters a repository signed with an expired key, it displays an EXPKEYSIG warning (where EXPKEYSIG stands for "Expired Key Signature"). This warning indicates that the cryptographic key used to sign the packages has passed its expiration date.

**Important:** This is a security feature. The expired key warning alerts you to a potential issue and prevents apt from blindly trusting packages. However, if you trust the repository and the key has simply expired (rather than been compromised), you can safely update the key by fetching a refreshed version from a key server. Key maintainers regularly refresh their keys before expiration.
Run `apt update` again to see the complete error message. Look for the EXPKEYSIG warning.

```bash
sudo apt update
```

The output will look like:

```
W: GPG error: https://cli.github.com/packages stable InRelease
The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <[email protected]>
```

Extract the key ID: In this example, the key ID is 23F3D4EA75716059. You need this for the next step.

Tip: If you have multiple EXPKEYSIG warnings, note all the key IDs—you'll need to update each one.

Use the `apt-key` command to fetch the updated key from a key server. Replace KEY_ID with the key ID you identified above.

```bash
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys KEY_ID
```

Example:

```bash
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 23F3D4EA75716059
```

Expected output (success):

```
gpg: key 23F3D4EA75716059: "GitHub CLI <[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
```

Or for a truly expired key being refreshed:

```
gpg: key 23F3D4EA75716059: "GitHub CLI <[email protected]>" updated
gpg: Total number processed: 1
gpg: updated: 1
```

If keyserver.ubuntu.com times out: Try an alternative key server:

```bash
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys KEY_ID
```

After updating the key, run `apt update` again to confirm the warning is gone.

```bash
sudo apt update
```

If successful: The EXPKEYSIG warning for that key should disappear. You may see output like:

```
Hit:1 https://cli.github.com/packages stable InRelease
Get:2 http://security.ubuntu.com/ubuntu focal-security InRelease
Reading package lists... Done
```

If warning persists: Try the alternative key server (see step 2) or proceed to the Advanced Notes section for deprecated key handling.

If you have multiple EXPKEYSIG warnings from different repositories, repeat steps 1-3 for each key ID.
List all keys and their status:

```bash
sudo apt-key list
```

This will show which keys are installed. Look for any with "expired" in the output.

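To find expired keys without reading the listing by eye, the script below parses gpg's `--with-colons` output and also reports expired subkeys, which a quick look at the primary key line can miss. It is an added example, not part of the original page; the function names, the `--scan` switch and the sample records are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report expired primary keys and subkeys from gpg's
# machine-readable (--with-colons) listing.
# Fields used: 1 = record type, 2 = validity ("e" means expired),
# 5 = key ID, 7 = expiry in epoch seconds (empty = never expires).

# expired_keys [NOW]: read colon records on stdin and print
# "<pub|sub> <KEYID> <EXPIRY>" for each key that is expired at NOW.
expired_keys() {
  local now="${1:-$(date +%s)}"
  awk -F: -v now="$now" '
    ($1 == "pub" || $1 == "sub") &&
    ($2 == "e" || ($7 != "" && $7 + 0 < now + 0)) { print $1, $5, $7 }'
}

# scan_keyrings FILE...: run the check on each key file apt may trust.
scan_keyrings() {
  local f
  for f in "$@"; do
    [ -f "$f" ] || continue
    gpg --show-keys --with-colons "$f" 2>/dev/null |
      expired_keys | awk -v f="$f" '{ print f ": " $0 }'
  done
}

# Constructed sample records; key IDs, names and dates are made up.
SAMPLE_KEYS='pub:e:4096:1:1111111111111111:1500000000:1600000000::-:::sc::::::23::0:
uid:e::::1500000000::0000::Constructed Repo A <a@example.invalid>::::::::::0:
pub:-:4096:1:2222222222222222:1500000000:4102444800::-:::sc::::::23::0:
sub:e:4096:1:3333333333333333:1500000000:1650000000:::::s::::::23:
pub:-:4096:1:4444444444444444:1500000000:::-:::sc::::::23::0:'

if [ "${1:-}" = "--scan" ]; then
  scan_keyrings /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/* /usr/share/keyrings/*
else
  printf '%s\n' "$SAMPLE_KEYS" | expired_keys 1700000000
fi
```

Run it with `--scan` to check the real key files on a system; without arguments it only processes the constructed sample.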
Automated approach for multiple keys:

If you have many expired keys, create a script:

```bash
#!/bin/bash
# Save this as update-expired-keys.sh

# Key IDs to refresh; replace the XXXXXXXXXXXXXXXX placeholder with your own IDs.
declare -a KEYS=("23F3D4EA75716059" "8C718D3B5072E1F5" "XXXXXXXXXXXXXXXX")

# Fetch the current copy of each key from the key server.
for key in "${KEYS[@]}"
do
    echo "Updating key: $key"
    sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys "$key"
done

# Re-run apt update to confirm the warnings are gone.
echo "Running apt update..."
sudo apt update
```

Make it executable and run it:

```bash
chmod +x update-expired-keys.sh
./update-expired-keys.sh
```

Once all EXPKEYSIG warnings are resolved, you can safely update your system.

```bash
# Update package list
sudo apt update
# Upgrade installed packages
sudo apt upgrade
# Or full upgrade (be careful, may remove packages)
sudo apt full-upgrade
```

Verify everything is working:

```bash
# Check if any upgradable packages remain
sudo apt list --upgradable
# Check apt cache is healthy
sudo apt check
```

If `apt check` reports any issues, you may need to fix broken dependencies:

```bash
sudo apt --fix-broken install
```

### Modern Alternative: Using signed-by (Debian 11+ / Ubuntu 20.04+)
The `apt-key` command is deprecated in newer systems. The recommended approach is to use the `signed-by` option directly in your sources.list or .sources file.

Old method (deprecated):

```bash
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys KEY_ID
```

New method (preferred):

1. Download the key as a .gpg file:

```bash
# Quote the URL: an unquoted & would make the shell run curl in the background.
curl -fsSL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x23F3D4EA75716059" | sudo gpg --dearmor -o /usr/share/keyrings/github-cli-archive-keyring.gpg
```

2. Add the repository with signed-by:

```bash
# One-line "deb ..." entries belong in a .list file; .sources files use the deb822 format.
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/github-cli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list
```

3. Update and verify:

```bash
sudo apt update
```

This approach:
- Isolates keys to specific repositories (better security)
- Avoids cluttering the system keyring
- Works reliably on newer systems
- Is more maintainable long-term
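
The 16-character key ID shown in the EXPKEYSIG message is only the tail of the key's full fingerprint, so a key fetched by ID from a key server is worth checking against the full fingerprint the repository publishes before it goes into `/usr/share/keyrings`. The script below is an added example, not part of the original page. It assumes the repository publishes that fingerprint on its own site; the function names and the sample record are constructed.

```shell
#!/usr/bin/env bash
# Added example: install a downloaded repository key only if it contains
# exactly one primary key with the expected full fingerprint.

# primary_fingerprints: read gpg --with-colons records on stdin and print the
# fingerprint (field 10 of the fpr record after each "pub") of every primary key.
primary_fingerprints() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# fingerprint_matches EXPECTED: succeed only if stdin holds a single primary
# key whose fingerprint equals EXPECTED (spaces and letter case are ignored).
fingerprint_matches() {
  local expected actual
  expected="$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')"
  actual="$(primary_fingerprints)"
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# install_verified_key URL EXPECTED_FPR DEST: download, verify, then install.
install_verified_key() {
  local url="$1" expected="$2" dest="$3" tmp
  tmp="$(mktemp)" || return 1
  if curl -fsSL "$url" -o "$tmp" &&
     gpg --show-keys --with-colons "$tmp" | fingerprint_matches "$expected"; then
    gpg --dearmor < "$tmp" | sudo tee "$dest" > /dev/null
  else
    echo "download failed or fingerprint mismatch; key not installed" >&2
    rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
}

# Constructed sample record set; the IDs and fingerprints are made up.
SAMPLE_KEY='pub:-:4096:1:1111111111111111:1500000000:4102444800::-:::sc::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:-::::1500000000::0000::Constructed Repo <repo@example.invalid>::::::::::0:
sub:-:4096:1:3333333333333333:1500000000::::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB3333333333333333:'

printf '%s\n' "$SAMPLE_KEY" |
  fingerprint_matches "aaaa aaaa aaaa aaaa aaaa aaaa 1111 1111 1111 1111" &&
  echo "sample fingerprint matches"
```

A file that carries a second, unexpected primary key fails the check, because the comparison is made against the complete list of primary fingerprints.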
### Handling Permanently Expired Keys
If a key has been expired for a long time and hasn't been refreshed on the key server:
1. Check the repository's website - Look for an updated key or migration instructions
2. Remove the repository if it's no longer actively maintained:

```bash
sudo add-apt-repository --remove ppa:username/repository-name
```

3. Find an alternative - Use the official source or a maintained fork instead

### Key Server Connection Issues
If you cannot reach the primary key server:
Try alternative key servers:

```bash
# Ubuntu key server (usually most reliable)
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys KEY_ID
# GnuPG key server
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys KEY_ID
# MIT key server (IPv6 friendly)
sudo apt-key adv --keyserver pgp.mit.edu --recv-keys KEY_ID
```

If all key servers fail:
- Check your internet connection and firewall rules
- Verify you're not behind a corporate proxy blocking port 80 or 11371
- Try from a different network to isolate the issue
- Wait a few hours (key servers sometimes experience temporary unavailability)
### Debugging EXPKEYSIG Errors
View detailed information about a warning:

```bash
sudo apt update 2>&1 | grep -A 5 "EXPKEYSIG"
```

Check expiration date of local keys:

```bash
sudo apt-key list --with-subkey-fingerprint | grep -A 1 "pub"
```

Manually verify a repository's key:

```bash
# Download and inspect the key
# (the URL is quoted so the shell does not treat & as "run in background")
curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x23F3D4EA75716059" | gpg --import --verbose
```

### Why Expired Keys Exist
Cryptographic keys have expiration dates as a security practice:
- Limits damage if a key is compromised - An expired key cannot be used indefinitely if stolen
- Forces key rotation - Maintainers regularly prove they control their key by renewing it
- Signals active maintenance - An updated key shows the repository is actively maintained
- Expires forgotten repositories - Old, unmaintained PPAs will eventually stop working
Refreshing an expired key is a normal maintenance task and should not cause concern if you trust the repository.