Package: apt
Version: 1.8.2
Tags: minor

I had manually used
```
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 96B3EE5F29111145 || curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x96B3EE5F29111145" | apt-key add -
```
(For reference, the equivalent content is available from: https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/9885e188a10e30088813c32270f05f7583875619/so-setup-network.sh#L638-L689 ) which adds a key to `/etc/apt/trusted.gpg` -- I did this a while ago.

The key I had for this has expired:
```
apt-get update
...
Err:11 https://packages.wazuh.com/3.x/apt stable InRelease
  The following signatures were invalid: EXPKEYSIG 96B3EE5F29111145 Wazuh.com (Wazuh Signing Key) <supp...@wazuh.com>
```

** It would have been somewhat helpful if the message said "expired" instead of "invalid".

I went and checked (or could have checked):
```
apt-key list
/etc/apt/trusted.gpg
--------------------
...
pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ expired] Wazuh.com (Wazuh Signing Key) <supp...@wazuh.com>
...
```

I ran:
```
curl https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo tee /etc/apt/trusted.gpg.d/wazuh.asc
apt-get update
```

And I still got a complaint about EXPKEYSIG for 96B3EE5F29111145
```
apt-key list
/etc/apt/trusted.gpg
--------------------
...
pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ expired] Wazuh.com (Wazuh Signing Key) <supp...@wazuh.com>
...

/etc/apt/trusted.gpg.d/wazuh.asc
--------------------------------
pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <supp...@wazuh.com>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
```

Expected results:

If a key exists twice, once w/ an old expiry, and once w/ a newer expiry, accept the newer expiry.

Alternatively, if a key exists twice, w/ different expiries and apt really doesn't want to deal w/ it, it should explain about the mismatch (apt-key list didn't complain that I had two keys for the same key w/ different expiration dates).

For reference, I can trigger it w/ deterministic file names like:
```
apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
uid           [ unknown] Debian Stable Release Key (9/stretch) < debian-rele...@lists.debian.org>

/etc/apt/trusted.gpg.d/000-wazuh-expired.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ expired] Wazuh.com (Wazuh Signing Key) <supp...@wazuh.com>

pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <supp...@wazuh.com>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]

/etc/apt/trusted.gpg.d/001-wazuh-updated.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <supp...@wazuh.com>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
```

Note: it's possible to use `apt-key del 96B3EE5F29111145`, but this unfortunately also deleted my updated key, which was slightly frustrating.
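
An added example, not part of the original report and not apt's own code: a Python check that parses `apt-key list` output and flags any fingerprint present in more than one keyring with different expiry metadata, the mismatch the report says `apt-key list` does not point out. The sample listing is constructed from the one in the report, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in `apt-key list` layout, based on the listing in the report.
SAMPLE = """\
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
/etc/apt/trusted.gpg.d/000-wazuh-expired.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
/etc/apt/trusted.gpg.d/001-wazuh-updated.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
"""

EXPIRY = re.compile(r"\[(expired|expires): (\d{4}-\d{2}-\d{2})\]")
FPR = re.compile(r"^\s+((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})\s*$")

def parse_keys(listing):
    """Return {fingerprint: [(keyring, state, date), ...]} for primary keys."""
    seen, keyring, pending = defaultdict(list), None, None
    for line in listing.splitlines():
        if line.startswith("/"):            # keyring file header line
            keyring, pending = line.strip(), None
        elif line.startswith("pub"):        # primary key; subkeys are ignored
            m = EXPIRY.search(line)
            pending = m.groups() if m else ("no-expiry", None)
        elif pending and (f := FPR.match(line)):
            seen["".join(f.group(1).split())].append((keyring, *pending))
            pending = None
    return seen

def conflicting_copies(listing):
    """Fingerprints that occur more than once with differing expiry metadata."""
    return {fpr: copies for fpr, copies in parse_keys(listing).items()
            if len({(s, d) for _, s, d in copies}) > 1}

def stale_keyrings(listing):
    """Keyring files that hold an expired copy of a key with a newer copy elsewhere."""
    return sorted({ring for copies in conflicting_copies(listing).values()
                   for ring, state, _ in copies if state == "expired"})

if __name__ == "__main__":
    print(conflicting_copies(SAMPLE), stale_keyrings(SAMPLE))
```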