On Tue, Jun 23, 2020 at 2:30 AM Jeroen Diederen <jjhdiede...@zonnet.nl> wrote:
>
> You might also want to try this:
> https://linux-audit.com/how-to-solve-an-expired-key-keyexpired-with-apt/
> https://futurestud.io/tutorials/fix-ubuntu-debian-apt-get-keyexpired-the-following-signatures-were-invalid
> https://www.reddit.com/r/debian/comments/g9is3p/debian_8_jessie_keyexpired_drive_my_crazy/

Off-topic, this is just plain wrong:

    "This is a good thing, to warn us that we should be checking the repository. With an expired key, the solution is simple: we need to download an updated key."

A signature applied during a valid key period is still good. For those following a key rotation scheme, no new signatures should occur after the key expires.

But in the big Security Engineering picture, what we've found in practice is, key continuity is better than key rotation. As long as the key does not change unexpectedly, then the key is good.

Peter Gutmann covers all of this stuff in his book Engineering Security (https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf). I wish the maintainers of Apt would read it and stop wasting our time with these keys due to broken policies.

Jeff