以下签名无效:EXPKEYSIG 1397BC53640DB551

以下签名无效:EXPKEYSIG 1397BC53640DB551

这是问题 952287:[用户反馈 - 稳定版] 有报告称,由于 GPG 签名密钥过期,Linux 版 Chrome 无法安装/更新


今天,apt在我的所有机器上运行 Google PPA(针对google-chrome)时出现此错误:

me@mymachine:~$ sudo apt clean && sudo apt update && sudo apt full-upgrade -y && sudo apt autoremove -y && sudo apt autoclean -y && sudo snap refresh 
[sudo] password for me: 
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://ppa.launchpad.net/graphics-drivers/ppa/ubuntu bionic InRelease
Hit:3 http://dl.google.com/linux/chrome/deb stable Release                     
Hit:4 http://archive.ubuntu.com/ubuntu bionic InRelease                        
Get:5 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88,7 kB]
Get:6 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74,6 kB]
Err:7 http://dl.google.com/linux/chrome/deb stable Release.gpg
  The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>
Get:8 http://archive.ubuntu.com/ubuntu bionic-security InRelease [88,7 kB]
Get:9 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [574 kB]
Get:10 http://archive.ubuntu.com/ubuntu bionic-updates/main i386 Packages [488 kB]
Get:11 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 DEP-11 Metadata [278 kB]
Get:12 http://archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 48x48 Icons [66,7 kB]
Get:13 http://archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 64x64 Icons [123 kB]
Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [756 kB]
Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/universe i386 Packages [745 kB]
Get:16 http://archive.ubuntu.com/ubuntu bionic-updates/universe Translation-en [201 kB]
Get:17 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 DEP-11 Metadata [209 kB]
Get:18 http://archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 48x48 Icons [191 kB]
Get:19 http://archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 64x64 Icons [360 kB]
Get:20 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 DEP-11 Metadata [2.468 B]
Get:21 http://archive.ubuntu.com/ubuntu bionic-backports/universe amd64 DEP-11 Metadata [7.352 B]
Get:22 http://archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages [296 kB]
Get:23 http://archive.ubuntu.com/ubuntu bionic-security/main i386 Packages [216 kB]
Get:24 http://archive.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [204 B]
Get:25 http://archive.ubuntu.com/ubuntu bionic-security/universe i386 Packages [127 kB]
Get:26 http://archive.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [131 kB]
Get:27 http://archive.ubuntu.com/ubuntu bionic-security/universe Translation-en [74,2 kB]
Get:28 http://archive.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [20,8 kB]
Get:29 http://archive.ubuntu.com/ubuntu bionic-security/universe DEP-11 48x48 Icons [12,2 kB]
Get:30 http://archive.ubuntu.com/ubuntu bionic-security/universe DEP-11 64x64 Icons [50,4 kB]
Get:31 http://archive.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2.464 B]
Fetched 5.183 kB in 2s (2.131 kB/s)                                  
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://dl.google.com/linux/chrome/deb stable Release: The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>
W: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg  The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All snaps up to date.

已经尝试使用以下命令再次导入 GPG 密钥:

wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

来源:Google Linux 软件存储库

编辑:添加西班牙语错误行以提高可见性:

Las siguientes firmas no fueron válidas: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>

EDIT2:和法语(涵盖排名前 3 位的语言):

Les signatures suivantes ne sont pas valables : EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>

答案1

这就是您从这些检查中获得的保护。 在 Google 出现问题时,您不会想立即更新软件。等他们修复后再更新。在官方宣布新密钥是解决方案之前,不要尝试通过重新安装密钥来覆盖。

答案2

显然,谷歌没有延长签名证书的有效期......它原定于今天到期,所以它就这样延长了。 https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0x7721F63BD38B4796

也许谷歌会在今天左右改变它...然后证书的更新应该可以正常工作,一切都应该恢复正常。

答案3

该问题已由 Google Abr 12/2019 解决(仅限 Google Chrome。在 Ubuntu 18.04.x 中测试)

在此处输入图片描述 无需执行任何操作。存储库已签名

2019 年 4 月 19 日更新:

在此处输入图片描述

Google 团队已确认已针对以下问题发布了其他修复其他非 Chrome Google 产品

来源:https://support.google.com/chrome/thread/4032170

答案4

看起来就像 @DooMMasteR 所说的那样,Google 让签名证书过期他们的Linux 存储库,预产期是4月12日。@yareckon 解释说,此apt安全错误按预期运行,以防止安装签名错误的软件。

问题发布 9 小时后,Google 已向使用 Google Chrome repo 的用户公开修复了证书。他们更新证书后错误就消失了,逐步覆盖 Google 拥有的其他代码库(谷歌地球、谷歌音乐管理器……)。

用户无需采取任何行动(也不建议采取任何行动),只需等待使用更新的密钥对正在使用的存储库进行签名。

相关内容