What should I do when I got the KEYEXPIRED error message after an apt-get update?

Solution 1:

To find any expired repository keys and their IDs, use apt-key as follows:

LANG=C apt-key list | grep expired

You will get a result similar to the following:

pub   4096R/BE1DB1F1 2011-03-29 [expired: 2014-03-28]

The key ID is the bit after the / i.e. BE1DB1F1 in this case.

To update the key, run

sudo apt-key adv --recv-keys --keyserver keys.gnupg.net BE1DB1F1

Note: Updating the key will obviously not work if the package maintainer has not (yet) uploaded a new key. In that case there is little you can do other than contacting the maintainer, filing a bug against your distribution etc.

One liner to update all expired keys: (thanks to @ryanpcmcquen)

for K in $(apt-key list | grep expired | cut -d'/' -f2 | cut -d' ' -f1); do sudo apt-key adv --recv-keys --keyserver keys.gnupg.net $K; done

Solution 2:

You need to get the newer key and add it, at which point apt will detect it and not complain. This shouldn't normally happen, but it sometimes does. What you really need is to know the hex code of the key you need to add; once you have that, it's pretty much downhill from there.

Some examples:

  • adding keys for backports: the first few lines are what you're after, although you'll need to have the key it wants.

  • adding keys ala Ubuntu

Solution 3:

On the Debian Wiki about SecureAPT, I've found that I should remove the line containing non-us from /etc/apt/sources.list.

I actually did that and it worked.

Solution 4:

I had similar error, but problem was in system time. The year was 1961 :)

I corrected system date/time and after that could update without a pro

Solution 5:

It might also happen when the date is not correct.

Check the date with


If it's misconfigured, do the following to set your timezone and date auto synchronization.

apt-get install ntp ntpdate && service ntp stop
dpkg-reconfigure tzdata
service ntp start