The following signatures were invalid: EXPKEYSIG 1397BC53640DB551

Solution 1

Looks like, as @DooMMasteR said, Google let the signing cert for their Linux repositories expire; its due date was April 12th. @yareckon explained that this apt security error is working as expected to prevent badly signed software from being installed.

9 hours after the issue was posted, Google fixed the certs transparently for users of the Google Chrome repo. The error stopped after they renewed the certs, progressively also on the rest of the Google-owned repos (Google Earth, Google Music Manager...).

No action is needed (or recommended) on the user's side; just wait for the repos in use to be signed with renewed keys.

Solution 2

This is the protection you are getting from these checks. You don't want to update your software right now while something is messed up on Google's end. Wait until they fix it. Don't try to override by reinstalling keys until some official word comes out that a new key is the solution.
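A way to apply that advice in automation, as an added example that is not part of any answer here: a Python triage of apt's GPG warnings, useful because in the question's log the `&&` chain carried on after the warning. The first sample line is the page's own warning with the uid trimmed, the second is constructed, and the wait/verify/halt mapping is this example's assumption, not apt behaviour.

```python
import re

# GnuPG status tokens that apt relays in its GPG error text, each mapped to
# (action, reason). The mapping is this example's own policy (assumption).
ADVICE = {
    "EXPKEYSIG": ("wait", "signing key expired; the publisher has to renew it"),
    "EXPSIG": ("wait", "signature expired; the publisher has to re-sign"),
    "NO_PUBKEY": ("verify", "key not in local keyring; check its fingerprint first"),
    "REVKEYSIG": ("halt", "signing key was revoked"),
    "BADSIG": ("halt", "signature does not match the index; possible tampering"),
}
# "GPG error: <repo uri> <suite> <index file>: ..."
GPG_ERR = re.compile(r"GPG error: (\S+) (\S+) \S+: ")
TOKEN = re.compile(r"\b(" + "|".join(ADVICE) + r") ([0-9A-Fa-f]{8,40})\b")

def triage(apt_output):
    """Return one finding per status token found on apt's GPG error lines."""
    findings = []
    for line in apt_output.splitlines():
        repo = GPG_ERR.search(line)
        if not repo:
            continue  # not a signature-verification warning
        for token, keyid in TOKEN.findall(line):
            action, reason = ADVICE[token]
            findings.append({"repo": repo.group(1), "suite": repo.group(2),
                             "token": token, "keyid": keyid.upper(),
                             "action": action, "reason": reason})
    return findings

def must_halt(findings):
    """True when any finding should stop the pipeline instead of waiting."""
    return any(f["action"] == "halt" for f in findings)

# Line 1: warning from the page (uid trimmed). Line 2: constructed.
SAMPLE = """\
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://dl.google.com/linux/chrome/deb stable Release: The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority)
W: GPG error: http://repo.example.invalid/deb stable InRelease: The following signatures were invalid: BADSIG 0123456789ABCDEF Example Signer
W: Some index files failed to download. They have been ignored, or old ones used instead.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["action"], f["token"], f["keyid"], f["repo"], "-", f["reason"])
```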

Solution 3

Apparently Google did not extend the validity of the signing cert... it was due to end today and so it did. https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0x7721F63BD38B4796

Maybe Google will change it, today or so… then the update of the cert should work fine and everything should go back to normal.

Solution 4

The problem was solved by Google on Apr 12/2019 (only Google Chrome; tested in Ubuntu 18.04.x).

There's nothing to do. The repository has already been signed.

Update Apr 19/2019:

Google Team has confirmed that additional fixes have gone out for other non-Chrome Google products

source: https://support.google.com/chrome/thread/4032170

Solution 5

Looks like Google's signing keys expired. Be patient and wait for them to fix them (which may or may not require re-adding the key after they fixed it).

Author: Leo

Updated on September 18, 2022

Comments

  • Leo
    Leo over 1 year

    This is Issue 952287: [User Feedback - Stable] Reports of Chrome for Linux failing to install/update due to expired GPG signing key


    Today, running apt in all my machines gives this error with the Google PPA (for google-chrome):

    me@mymachine:~$ sudo apt clean && sudo apt update && sudo apt full-upgrade -y && sudo apt autoremove -y && sudo apt autoclean -y && sudo snap refresh 
    [sudo] password for me: 
    Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
    Hit:2 http://ppa.launchpad.net/graphics-drivers/ppa/ubuntu bionic InRelease
    Hit:3 http://dl.google.com/linux/chrome/deb stable Release                     
    Hit:4 http://archive.ubuntu.com/ubuntu bionic InRelease                        
    Get:5 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88,7 kB]
    Get:6 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74,6 kB]
    Err:7 http://dl.google.com/linux/chrome/deb stable Release.gpg
      The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>
    Get:8 http://archive.ubuntu.com/ubuntu bionic-security InRelease [88,7 kB]
    Get:9 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [574 kB]
    Get:10 http://archive.ubuntu.com/ubuntu bionic-updates/main i386 Packages [488 kB]
    Get:11 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 DEP-11 Metadata [278 kB]
    Get:12 http://archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 48x48 Icons [66,7 kB]
    Get:13 http://archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 64x64 Icons [123 kB]
    Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [756 kB]
    Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/universe i386 Packages [745 kB]
    Get:16 http://archive.ubuntu.com/ubuntu bionic-updates/universe Translation-en [201 kB]
    Get:17 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 DEP-11 Metadata [209 kB]
    Get:18 http://archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 48x48 Icons [191 kB]
    Get:19 http://archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 64x64 Icons [360 kB]
    Get:20 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 DEP-11 Metadata [2.468 B]
    Get:21 http://archive.ubuntu.com/ubuntu bionic-backports/universe amd64 DEP-11 Metadata [7.352 B]
    Get:22 http://archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages [296 kB]
    Get:23 http://archive.ubuntu.com/ubuntu bionic-security/main i386 Packages [216 kB]
    Get:24 http://archive.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [204 B]
    Get:25 http://archive.ubuntu.com/ubuntu bionic-security/universe i386 Packages [127 kB]
    Get:26 http://archive.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [131 kB]
    Get:27 http://archive.ubuntu.com/ubuntu bionic-security/universe Translation-en [74,2 kB]
    Get:28 http://archive.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [20,8 kB]
    Get:29 http://archive.ubuntu.com/ubuntu bionic-security/universe DEP-11 48x48 Icons [12,2 kB]
    Get:30 http://archive.ubuntu.com/ubuntu bionic-security/universe DEP-11 64x64 Icons [50,4 kB]
    Get:31 http://archive.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2.464 B]
    Fetched 5.183 kB in 2s (2.131 kB/s)                                  
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    All packages are up to date.
    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://dl.google.com/linux/chrome/deb stable Release: The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>
    W: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg  The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>
    W: Some index files failed to download. They have been ignored, or old ones used instead.
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Calculating upgrade... Done
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    All snaps up to date.
    
    

    Already tried importing GPG key again with:

    wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
    

    Source: Google Linux Software Repositories

    EDIT: add error line in Spanish for better visibility:

    Las siguientes firmas no fueron válidas: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>

    EDIT2: and French (to cover top 3 languages):

    Les signatures suivantes ne sont pas valables : EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>

    • Admin
      Admin about 5 years
      It just happened to me as well.
    • Admin
      Admin about 5 years
      Same problem here, reacquiring keys did not help so far, seems to be a problem on Google's end.
    • Admin
      Admin about 5 years
      reacquiring keys helped for me.
    • Admin
      Admin about 5 years
      upvote this link support.google.com/chrome/thread/4032170?hl=en and wait! We can do nothing more.
    • Admin
      Admin about 5 years
      I've added a link to the bug report at the top of the post. Please feel free to move it or to delete it.
    • Admin
      Admin about 5 years
      I think it is fixed now
    • Admin
      Admin about 5 years
      Now the same issue happened to Google Chrome Remote Desktop repository - support.google.com/chrome/thread/4111585?hl=en
    • Admin
      Admin about 5 years
      This happened to me today, 8 days later and it's still happening.
  • jelhan
    jelhan about 5 years
    Waiting until they fix it may not be an option for all. E.g. this is breaking CI pipelines for us. If you know what you are doing, you might take the risk and disable checks for this repo for now by adding [trusted=yes] to its configuration: deb [trusted=yes] http://dl.google.com/linux/chrome/deb/ stable main
  • Michael Härtl
    Michael Härtl about 5 years
    It's not the first time this happens. I remember having this same issue with google at least 2 more times over the last years. I wonder what's going on at Google and why they can't keep their stuff together.
  • Michael Firth
    Michael Firth about 5 years
    In case it is useful, it is possible to see when the signing key last changed on Google's server with curl -I https://dl.google.com/linux/linux_signing_key.pub. Currently this still gives July 2017 as the date the key file was updated.
  • Mr. Sam
    Mr. Sam about 5 years
    @jelhan That’s why CI pipelines ideally tap into local mirrors/caches rather than going directly upstream.
  • Oli
    Oli about 5 years
    Don't do this. If for no other reason than the source being unencrypted. If you did this, forgot all about it and then strayed onto a bad network, it could easily intercept and subvert the Release, packages.list, and therefore essentially run anything it liked as root on your computer. It's not a good idea.
  • dimisjim
    dimisjim about 5 years
    But I am just trusting google's repo. We can surely trust google, right?
  • Oli
    Oli about 5 years
    You've missed my point. If somebody can intercept your network traffic, they can pretend to be Google. There's no TLS on a http:// connection. Normally Apt has your back here because they check that all release and package lists are signed. If you intercepted this normally —and maliciously changed something— you'd see a signing error. You're bypassing that whole mechanism here.
  • dimisjim
    dimisjim about 5 years
    Indeed. Thanks for the explanation
  • DK Bose
    DK Bose about 5 years
    @MichaelHärtl I've been watching Google and meritocracy seems to be out of vogue.
  • link_boy
    link_boy about 5 years
    Agreed, but you can temporarily just make it https with trusted=yes (for now, assuming you're not being TLS MiTM). For example: deb [arch=amd64, trusted=yes] https://dl.google.com/linux/chrome/deb/ stable main
  • dimisjim
    dimisjim about 5 years
    Also indeed. So I guess my recent edit, I should at least go back to 0 instead of -2 :P
  • link_boy
    link_boy about 5 years
    @jelhan Agreed, but you should temporarily make it https with trusted=yes (for now, assuming you're not being TLS MiTM). For example: deb [arch=amd64, trusted=yes] https://dl.google.com/linux/chrome/deb/ stable main
  • tatsu
    tatsu about 5 years
    @CarlosAlbertoSilveiradeAnd said "Great!!, work for me! Thanks" but as an edit to my post because he doesn't know how to use this site yet.... I'm adding it so people know it worked for someone.
  • kissgyorgy
    kissgyorgy about 5 years
    trusted=yes defeats the whole purpose of digital signing and basically compromises your whole system. You should not do that lightly, especially not a good idea for a "temporary workaround".
  • contributorpw
    contributorpw about 5 years
    This doesn't work. Nothing new happens. I still can only update manually.
  • dimisjim
    dimisjim about 5 years
    Google has resolved this. No need to follow the above procedure.
  • Paddy Landau
    Paddy Landau about 5 years
    Where did you report that? Google still hasn't fixed it on certain other repositories, e.g. the Music Manager, so I would like to report that as well.
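
The `trusted=yes` entries debated in the comments above are easy to forget once the key is renewed, so here is a small audit for them, as an added example that is not code from the thread. Sample lines 2 and 3 are the entries quoted by jelhan and link_boy, lines 1 and 4 are constructed, and the risk labels are this example's own.

```python
import re

# One-line sources.list entry: type, optional [options], URI, suite.
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")

def audit_sources(text):
    """Return (line number, uri, risk) for every entry that sets trusted=yes."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = ENTRY.match(raw.split("#", 1)[0].strip())
        if not entry:
            continue  # blank line, comment, or not a one-line entry
        options = {}
        for item in (entry.group(2) or "").split():
            # tolerate the "arch=amd64, trusted=yes" spelling seen in the thread
            key, _, value = item.strip(",").partition("=")
            options[key.lower()] = value.lower()
        if options.get("trusted") != "yes":
            continue  # signatures are still enforced for this entry
        uri = entry.group(3)
        if uri.lower().startswith("http://"):
            risk = "unsigned-plaintext"  # nothing authenticates indexes or packages
        elif uri.lower().startswith("https://"):
            risk = "unsigned-tls-only"   # TLS to the server is the only check left
        else:
            risk = "unsigned-other"      # other transport, review by hand
        findings.append((lineno, uri, risk))
    return findings

# Line 1: constructed unmodified entry. Lines 2-3: entries quoted in the
# comments. Line 4: constructed commented-out entry (must be ignored).
SAMPLE = """\
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
deb [trusted=yes] http://dl.google.com/linux/chrome/deb/ stable main
deb [arch=amd64, trusted=yes] https://dl.google.com/linux/chrome/deb/ stable main
# deb [trusted=yes] http://repo.example.invalid/deb stable main
"""

if __name__ == "__main__":
    for lineno, uri, risk in audit_sources(SAMPLE):
        print(f"line {lineno}: {uri} -> {risk}")
```

Run it over the contents of `/etc/apt/sources.list` and each file in `/etc/apt/sources.list.d/`; any finding left over after the publisher has renewed its key is an entry to revert.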