Debian 8 Jessie key expired 1587841717


I ran into a problem: "apt-get update" produces a KEYEXPIRED 1587841717 error:

# apt-get update
...
W: GPG error: http://archive.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1587841717

Here is my sources list:

# cat /etc/apt/sources.list.d/sources.list
deb http://http.debian.net/debian jessie main
deb http://http.debian.net/debian jessie contrib
deb http://archive.debian.org/debian jessie main
deb http://archive.debian.org/debian jessie contrib

Here are the expired keys that apt-key finds (it looks like key 46925553 expired on 2020-04-25):

apt-key list | grep expired -A1
pub   4096R/46925553 2012-04-27 [expired: 2020-04-25]
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]>
--
pub   4096R/65FFB764 2012-05-08 [expired: 2019-05-07]
uid                  Wheezy Stable Release Key <[email protected]>
--
pub   4096R/B98321F9 2010-08-07 [expired: 2017-08-05]
uid                  Squeeze Stable Release Key <[email protected]>
--
pub   4096R/473041FA 2010-08-27 [expired: 2018-03-05]
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <[email protected]>
--
pub   4096R/65FFB764 2012-05-08 [expired: 2019-05-07]
uid                  Wheezy Stable Release Key <[email protected]>
--
pub   4096R/46925553 2012-04-27 [expired: 2020-04-25]
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]>

Now I tried to update the keys:

apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 46925553
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 65FFB764
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys B98321F9
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 473041FA

But the keys did not change:

# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 46925553
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.Ue8AFETZOi --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian.gpg --keyring /etc/apt/trusted.gpg.d/php.gpg --keyring /etc/apt/trusted.gpg.d/turnkey.gpg --keyring /etc/apt/trusted.gpg.d/ubuntuzilla.firefox.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 46925553
gpg: requesting key 46925553 from hkp server keyserver.ubuntu.com
gpg: key 46925553: "Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

A new "apt-get update" gives the same error as above.

Can anyone help solve this problem?

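Answer 1

At the time of writing (August 2023), there are (at least!) two things worth noting about this question:

  1. Jessie is only available on the Debian Archive site, archive.debian.org

  2. Jessie's signing keys have all expired and have not been replaced. Therefore, the (currently) top-ranked answer of downloading "debian-archive-keyring" will not help. These expired keys are the cause of the KEYEXPIRED 1587841717 error listed in the OP's question.

While the safest answer is certainly to upgrade to something supported in the current decade, you may have found this question because you are working with hardware that is not supported past Jessie (looking at you, ReadyNAS).

In situations where the distribution cannot be upgraded, the next safest solution I can see is to set the specific entries in sources.list as trusted by adding [trusted=yes] after the archive type (i.e. deb). So your sources.list file might look something like this: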

# Keys Expired But I ~~Want~~ Need To Hold On To The Past
deb [trusted=yes] http://archive.debian.org/debian jessie main
deb [trusted=yes] http://archive.debian.org/debian-security jessie/updates main

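apt-get will still throw warnings about the expired signing keys, but it will no longer error out.

If you have come this far, you will know that running such equipment outside the Smithsonian is a terrible idea, and that you are just asking to be compromised. But here we are.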
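
An added example, not part of the original answer: a shell check that lists every APT source line carrying trusted=yes, so the signature bypass described above stays limited to the archive host and does not spread to other repositories. The ALLOWED_HOST variable, the audit_trusted function name and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sources.list-format lines for the trusted=yes option,
# which makes APT treat a source as trusted even when authentication fails.

# Assumption: the only host for which the bypass has been accepted.
ALLOWED_HOST="archive.debian.org"

# Reads sources.list-format lines on stdin and prints one line per finding:
#   OK <uri>       trusted=yes on the allowed host
#   REVIEW <uri>   trusted=yes on any other host
audit_trusted() {
    awk -v allowed="$ALLOWED_HOST" '
        NF == 0 || $1 ~ /^#/ { next }              # skip blanks and comments
        $1 != "deb" && $1 != "deb-src" { next }    # only one-line style entries
        {
            # Options, when present, sit in [...] right after the type and
            # may be split over several whitespace-separated fields.
            opts = ""; uri = $2
            if ($2 ~ /^\[/) {
                i = 2; opts = $i
                while (opts !~ /\]$/ && i < NF) { i++; opts = opts " " $i }
                uri = $(i + 1)
            }
            if (opts !~ /trusted=yes/) next
            host = uri
            sub(/^[a-z+]+:\/\//, "", host)         # drop the scheme
            sub(/[\/:].*$/, "", host)              # drop port and path
            verdict = (host == allowed) ? "OK" : "REVIEW"
            print verdict, uri
        }'
}

# Constructed sample input; on a real system feed the function with
#   cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | audit_trusted
SAMPLE='# constructed sample, not taken from a real host
deb [trusted=yes] http://archive.debian.org/debian jessie main
deb [trusted=yes] http://archive.debian.org/debian-security jessie/updates main
deb [arch=amd64 trusted=yes] http://repo.example.invalid/apt stable main
deb http://http.debian.net/debian jessie contrib'

printf '%s\n' "$SAMPLE" | audit_trusted
```

Any REVIEW line is a repository whose packages are installed without signature verification and was not part of the accepted exception.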

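Answer 2

You need to manually download the latest debian-archive-keyring package for Debian jessie and install it with dpkg -i. You can find a link to it at packages.debian.org. You can also use the stretch package.

Note that jessie has reached end of life and no longer receives further security support. Since unpatched systems are easily compromised, and compromised systems are often used to attack other systems, you should consider upgrading to a supported version immediately to avoid being a hazard to the Internet.

Answer 3

It looks like Debian Jessie now has a new key. I was able to import it with: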

sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com 7638D0442B90D010

Answer 4

The following worked for me (upgrading an old system to Debian 8 and then to Debian 9):

sed -i 's;http://archive.debian.org/debian;http://deb.debian.org/debian;' /etc/apt/sources.list
apt update
