36

I'm getting the following error every time I do apt-get upgrade:

GPG error: http://nginx.org trusty Release: The following signatures were invalid: KEYEXPIRED 1471427554

I just have the official nginx ppa installed the standard way, by having added the following to my sources.list

deb http://nginx.org/packages/ubuntu/ trusty nginx
deb-src http://nginx.org/packages/ubuntu/ trusty nginx

Is this an error from their end that they will eventually fix hopefully, or is there something I'm going to have to do from my end?

Thomas Ward
  • 78,878
Mohamed Hafez
  • 805

2 Answers2

50

After adding a third party repository to a /etc/apt/sources.list.d/* file or /etc/apt/sources.list, you need to make sure the corresponding gpg key is inserted into the apt keystore.

To be more specific for this special case of nginx.org repository: you need to add the nginx.org gpg key file used for the signing of the repository.

This can be done by either downloading the file https://nginx.org/keys/nginx_signing.key manually and issue sudo apt-key add nginx_signing.key (as suggested by nginx.org and @ThomasWard) or you can do this in one single line:

wget https://nginx.org/keys/nginx_signing.key -O - | sudo apt-key add -
Phillip -Zyan K Lee- Stockmann
  • 2,393
11

The root cause of this problem is because the "older" Nginx signing key expired on Aug 17, 2016:

$ sudo apt-key list

pub   2048R/7BD9BF62 2011-08-19 [expired: 2016-08-17]
uid                  nginx signing key <signing-key@nginx.com>

To fix this issue, add the new signing key using the command as suggested by @phillip-zyan-k-lee-stockmann and @ThomasWard:

wget https://nginx.org/keys/nginx_signing.key -O - | sudo apt-key add -

The new key now expires in 2024:

$ sudo apt-key list

pub   2048R/7BD9BF62 2011-08-19 [expires: 2024-06-14]
uid                  nginx signing key <signing-key@nginx.com>
Josh
  • 103
hwdsl2
  • 136