How to fix W: GPG error: URL Release: The following signatures were invalid: KEYEXPIRED in APT

APTINTERMEDIATEMEDIUM

A repository's GPG signing key has expired, causing apt to reject package signatures as invalid. This commonly occurs when third-party repositories like MongoDB, MySQL, or Yarn are not actively maintained or have not renewed their GPG keys.

What this error means

This error occurs when the APT package manager validates repository signatures using GPG (GNU Privacy Guard) keys. Each Linux repository signs its packages with a GPG key to prove authenticity and integrity. When a repository's GPG key expires, APT rejects the signature as invalid because the key can no longer be trusted. This is a security mechanism that prevents using packages signed with outdated or potentially compromised keys. The error typically appears during `apt-get update` when checking third-party repositories added via PPAs or manual sources.

How to fix "W: GPG error: URL Release: The following signatures were invalid: KEYEXPIRED"

1Identify the expired key from the error message

Look at the complete error output to find the key ID. The error will mention something like KEYEXPIRED 1544811256. Note this key ID or the repository URL mentioned in the error.

bash

apt-get update 2>&1 | grep -i keyexpired

This will isolate the GPG error and show you which repository is affected.

2Verify your system clock is correct (rules out time-based false positives)

In rare cases, an incorrect system clock can make valid keys appear expired. Verify the current date and time:

bash

date

If the date is significantly in the past, update it using NTP:

bash

sudo timedatectl set-ntp true

Or set it manually (format: YYYY-MM-DD HH:MM:SS):

bash

sudo timedatectl set-time "2025-12-29 14:30:00"

3Find the official installation instructions for the repository

Visit the official website of the software (e.g., mongodb.com, mysql.com) and look for Ubuntu/Debian installation instructions. These usually include commands to add the GPG key. This ensures you get the latest, non-expired key.

For example, the official MongoDB installation guide at mongodb.com/docs/manual/tutorial/install-mongodb-on-debian/ contains the current key URL.

4Remove the old expired key and add the new one

First, remove the expired key file if it exists:

bash

sudo rm /etc/apt/trusted.gpg.d/[repository-name].gpg

Then download and add the updated key from the official source:

bash

sudo wget https://[official-key-url] -O /etc/apt/trusted.gpg.d/[repository-name].gpg

For example, to update the MySQL key:

bash

sudo rm /etc/apt/trusted.gpg.d/mysql.gpg
sudo wget https://repo.mysql.com/RPM-GPG-KEY-mysql-2023/ -O /etc/apt/trusted.gpg.d/mysql.gpg

Make sure the key file has proper permissions:

bash

sudo chmod 644 /etc/apt/trusted.gpg.d/[repository-name].gpg

5Alternative: Update the key from Ubuntu keyserver

If you have the key ID from the error message, you can refresh it directly from Ubuntu's keyserver:

bash

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys [KEY_ID]

Replace [KEY_ID] with the actual ID from the error. For example:

bash

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 871920D1991BC93C

Note: On newer Ubuntu/Debian systems (20.04+), apt-key is deprecated. Use the method in step 4 (downloading the key file directly) instead.

6Verify the key was installed and update repositories

List the installed keys to confirm:

bash

sudo apt-key list

Or check the trusted.gpg.d directory:

bash

ls -la /etc/apt/trusted.gpg.d/

Now update your repositories:

bash

sudo apt-get update

The GPG error should be resolved. You can now install or upgrade packages normally.

How to fix W: GPG error: URL Release: The following signatures were invalid: KEYEXPIRED in APT

What this error means

Typical symptoms

Common causes

How to fix "W: GPG error: URL Release: The following signatures were invalid: KEYEXPIRED"

Advanced notes

Related errors

Official resources & further reading