Duo's GPG key for packages has expired


#1

The GPG key for the Ubuntu repo has apparently expired.

$ sudo apt-get update
Ign:1 http://pkg.duosecurity.com/Ubuntu xenial InRelease
Hit:2 http://pkg.duosecurity.com/Ubuntu xenial Release                                                    
Err:3 http://pkg.duosecurity.com/Ubuntu xenial Release.gpg                                                                           
  The following signatures were invalid: KEYEXPIRED 1536066916  KEYEXPIRED 1536066916  KEYEXPIRED 1536066916
Get:4 http://security.ubuntu.com/ubuntu xenial-security InRelease [107 kB]                                                           
Hit:5 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Get:6 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]        
Hit:7 https://repos.influxdata.com/ubuntu xenial InRelease                                    
Get:8 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]                  
Get:9 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [841 kB]
Get:10 http://us.archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages [758 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages [681 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu xenial-updates/universe i386 Packages [623 kB]
Fetched 3,226 kB in 1s (2,220 kB/s)                       
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://pkg.duosecurity.com/Ubuntu xenial Release: The following signatures were invalid: KEYEXPIRED 1536066916  KEYEXPIRED 1536066916  KEYEXPIRED 1536066916
W: Failed to fetch http://pkg.duosecurity.com/Ubuntu/dists/xenial/Release.gpg  The following signatures were invalid: KEYEXPIRED 1536066916  KEYEXPIRED 1536066916  KEYEXPIRED 1536066916
W: Some index files failed to download. They have been ignored, or old ones used instead.

Looking at the keys specifically…

$ sudo apt-key list | grep expired:
pub   1024D/15D32EFC 2013-09-05 [expired: 2018-09-04]
$ apt-key adv --keyserver keys.gnupg.net --recv-keys  15D32EFC
Executing: /tmp/tmp.Gfq9yuPry9/gpg.1.sh --keyserver
keys.gnupg.net
--recv-keys
15D32EFC
gpg: requesting key 15D32EFC from hkp server keys.gnupg.net
gpg: key 15D32EFC: "Duo Security Package Signing <dev@duosecurity.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

#2

That’s right, the updated key now resides in http://pkg.duosecurity.com. Add the new key with:

curl http://pkg.duosecurity.com/APT-GPG-KEY-DUO | apt-key add -

#3

Hi Matt,
Yes, the key we previously used to sign our RPM packages expired today. Please see our Duo Unix documentation for more information. It looks like you’re already all set, but you can also reference this article in the Knowledge Base to see steps for importing the RPM key.

Just so you’re aware, we called this change out in our product release notes here in the Community: https://community.duo.com/t/duo-release-notes-for-august-31-2018. You may want to subscribe to those updates for awareness of future changes.

Thanks for reporting this and for following up on your post!


#4

For those scripting this across dozens or more servers and not wanting to run imports where you don’t have to, this might help you:

apt-key list | grep 15D32EFC | grep expired && curl http://pkg.duosecurity.com/APT-GPG-KEY-DUO | apt-key add -
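An added example, not part of this post and not Duo's own tooling: a POSIX sh script that does the same "only import when needed" check as the one-liner above, but also refuses to hand a downloaded file to apt-key unless it carries the key ID quoted in this thread (15D32EFC), so a failed or wrong download is never trusted. The key ID and URL are those given in the thread; the sample `apt-key list` lines are constructed for the test and modelled on the format shown in post #1; the download check assumes a GnuPG that understands `--import-options show-only`. Run as root (`sh refresh-duo-key.sh --apply`) to actually refresh the key.

```sh
#!/bin/sh
# Added example: refresh the Duo apt signing key only when it is missing or expired,
# and verify the downloaded key's ID before importing it.

DUO_KEY_ID="15D32EFC"                                      # short key ID quoted in the thread
DUO_KEY_URL="http://pkg.duosecurity.com/APT-GPG-KEY-DUO"   # key location quoted in the thread

# Constructed sample `apt-key list` output (not captured from a real host),
# used only to exercise duo_key_state below.
SAMPLE_EXPIRED='pub   1024D/15D32EFC 2013-09-05 [expired: 2018-09-04]
uid                  Duo Security Package Signing <dev@duosecurity.com>'
SAMPLE_CURRENT='pub   1024D/15D32EFC 2013-09-05 [expires: 2099-01-01]
uid                  Duo Security Package Signing <dev@duosecurity.com>'

# duo_key_state <apt-key listing>: prints "missing", "expired" or "current".
duo_key_state() {
    listing="$1"
    # Only look at "pub" lines so a uid line mentioning the ID cannot confuse the check.
    line=$(printf '%s\n' "$listing" | grep '^pub' | grep "$DUO_KEY_ID" || true)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -q '\[expired:'; then
        echo expired
    else
        echo current
    fi
}

# downloaded_key_matches <keyfile>: true only if the file contains a public key whose
# ID ends in DUO_KEY_ID. Assumes GnuPG with --import-options show-only (2.1.x and later).
downloaded_key_matches() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | grep '^pub:' | grep -q "$DUO_KEY_ID"
}

# refresh_duo_key: fetch and import the key only when the installed one is missing or expired.
refresh_duo_key() {
    state=$(duo_key_state "$(apt-key list 2>/dev/null)")
    if [ "$state" = current ]; then
        echo "Duo key $DUO_KEY_ID is current; nothing to do"
        return 0
    fi
    tmp=$(mktemp) || return 1
    # -f makes curl fail on HTTP errors so an error page is never treated as a key.
    if curl -fsS "$DUO_KEY_URL" -o "$tmp" && downloaded_key_matches "$tmp"; then
        apt-key add "$tmp"
        rc=$?
    else
        echo "refusing to import: download failed or key ID does not match $DUO_KEY_ID" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Only touch the live keyring when explicitly asked to.
if [ "${1-}" = "--apply" ]; then
    refresh_duo_key
fi
```

The state check is deliberately separate from the import so it can be run read-only first (for example in a dry-run across a fleet) and so the import path can be tested without network access.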