[tor-relays] EXPKEYSIG when running 'apt update'

Hi tor-relays,

I'm getting this error when running 'apt update':

Err:4 Index of /torproject.org bullseye InRelease
  The following signatures were invalid: EXPKEYSIG 74A941BA219EC810
deb.torproject.org archive signing key

The signing key in
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg does not appear
to be expired, so I guess some repository metadata signature has
expired. Does anyone else encounter this issue?

Thanks,

Imre

Hi tor-relays,

I'm getting this error when running 'apt update':

mee too

Err:4 Index of /torproject.org bullseye InRelease
  The following signatures were invalid: EXPKEYSIG 74A941BA219EC810
deb.torproject.org archive signing key

The signing key in
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg does not appear
to be expired, so I guess some repository metadata signature has
expired. Does anyone else encounter this issue?

Had the same thing today and saw that some machines had a newer archive key in:
/usr/share/keyrings/tor-archive-keyring.gpg

You can get the new one with this one line:

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

Hi Imre,

I also ran into this issue. Following the current instructions [1] and adding a signed-by
in sources.list fixed this for me:

deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] Index of /torproject.org <DISTRIBUTION> main

Looks like the expiration date on the key was changed and the package deb.torproject.org-keyring
only updates that key in /usr/share/keyrings/. I can't but wonder if everyone that doesn't have a
signed-by is affected, which must be quite a few.

Regards,

Peter

[1]: Debian Repository | Tor Project | Support

Hi,

same here on 2 VPS with Ubuntu 22.04 (jammy).

Err:5 Index of /torproject.org jammy InRelease
  The following signatures were invalid: EXPKEYSIG 74A941BA219EC810
deb.torproject.org archive signing key

I followed [1] and executed the following command:

# wget -qO-
https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc

gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg
/dev/null

I thought that the package deb.torproject.org-keyring should keep the
signing key up-to-date, however the package was installed and is the
newest version (unattended-upgrades activated for TorProject
repository).

# apt install deb.torproject.org-keyring
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
deb.torproject.org-keyring is already the newest version
(2022.04.27.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

[1] Why and how I can enable Tor Package Repository in Debian? | Tor Project | Support

Regards,

wurstsemmel

Yeah I had the public signing key in both /etc/apt/trusted.gpg.d and
/usr/share/keyrings. I had to manually update the key in
/usr/share/keyrings/tor-archive-keyring.gpg as that file was referenced
by my sources.list file. Not sure how it ended up in two places. Thanks
for pointing this out!