Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4091
Views
0
Helpful
3
Replies

Duo's GPG key for packages has expired

Go to solution
mattlqx
Level 1
Level 1

‎09-04-2018 01:20 PM

The GPG key for the Ubuntu repo has apparently expired.

$ sudo apt-get update
Ign:1 http://pkg.duosecurity.com/Ubuntu xenial InRelease
Hit:2 http://pkg.duosecurity.com/Ubuntu xenial Release                                                    
Err:3 http://pkg.duosecurity.com/Ubuntu xenial Release.gpg                                                                           
  The following signatures were invalid: KEYEXPIRED 1536066916  KEYEXPIRED 1536066916  KEYEXPIRED 1536066916
Get:4 http://security.ubuntu.com/ubuntu xenial-security InRelease [107 kB]                                                           
Hit:5 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Get:6 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]        
Hit:7 https://repos.influxdata.com/ubuntu xenial InRelease                                    
Get:8 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]                  
Get:9 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [841 kB]
Get:10 http://us.archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages [758 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages [681 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu xenial-updates/universe i386 Packages [623 kB]
Fetched 3,226 kB in 1s (2,220 kB/s)                       
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://pkg.duosecurity.com/Ubuntu xenial Release: The following signatures were invalid: KEYEXPIRED 1536066916  KEYEXPIRED 1536066916  KEYEXPIRED 1536066916
W: Failed to fetch http://pkg.duosecurity.com/Ubuntu/dists/xenial/Release.gpg  The following signatures were invalid: KEYEXPIRED 1536066916  KEYEXPIRED 1536066916  KEYEXPIRED 1536066916
W: Some index files failed to download. They have been ignored, or old ones used instead.

Looking at the keys specifically…

$ sudo apt-key list | grep expired:
pub   1024D/15D32EFC 2013-09-05 [expired: 2018-09-04]
$ apt-key adv --keyserver keys.gnupg.net --recv-keys  15D32EFC
Executing: /tmp/tmp.Gfq9yuPry9/gpg.1.sh --keyserver
keys.gnupg.net
--recv-keys
15D32EFC
gpg: requesting key 15D32EFC from hkp server keys.gnupg.net
gpg: key 15D32EFC: "Duo Security Package Signing <dev@duosecurity.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Dooley
Level 3
Level 3
In response to mattlqx

‎09-04-2018 01:44 PM

Hi Matt,
Yes, the key we previously used to sign our RPM packages expired today. Please see our Duo Unix documentation for more information. It looks like you’re already all set, but you can also reference this article in the Knowledge Base to see steps for importing the RPM key.

Just so you’re aware, we called this change out in our product release notes here in the Community: https://community.duo.com/t/duo-release-notes-for-august-31-2018. You may want to subscribe to those updates for awareness of future changes.

Thanks for reporting this and for following up to your post!

View solution in original post

0 Helpful
3 Replies 3

Go to solution
mattlqx
Level 1
Level 1

‎09-04-2018 01:27 PM

That’s right, the updated key now resides in http://pkg.duosecurity.com. Add the new key with:

curl http://pkg.duosecurity.com/APT-GPG-KEY-DUO | apt-key add
0 Helpful

Go to solution
Dooley
Level 3
Level 3
In response to mattlqx

‎09-04-2018 01:44 PM

Hi Matt,
Yes, the key we previously used to sign our RPM packages expired today. Please see our Duo Unix documentation for more information. It looks like you’re already all set, but you can also reference this article in the Knowledge Base to see steps for importing the RPM key.

Just so you’re aware, we called this change out in our product release notes here in the Community: https://community.duo.com/t/duo-release-notes-for-august-31-2018. You may want to subscribe to those updates for awareness of future changes.

Thanks for reporting this and for following up to your post!

0 Helpful

Go to solution
barryking93
Level 1
Level 1
In response to Dooley

‎09-07-2018 03:38 PM

for those scripting this across dozens or more servers and not wanting to run imports where you don’t have to, this might help you:

apt-key list | grep 15D32EFC | grep expired && curl http://pkg.duosecurity.com/APT-GPG-KEY-DUO | apt-key add

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents