Fixing GPG Key Issues in Kali Linux

Problem: Invalid GPG Key Signature

When updating your package lists in Kali Linux using sudo apt update, you may see an error like this:

Err:1 http://kali.mirror.rafal.ca/kali kali-rolling InRelease
  The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository <devel@kali.org>

This error happens because the GPG key used to sign the repository has expired.

What is a GPG Key?

A GPG (GNU Privacy Guard) key is a cryptographic key used to secure and verify data. In the context of Linux package management, GPG keys are used to sign software packages and repositories. This ensures that the packages you download are genuine and have not been tampered with. When you update your package lists or install new software, your system uses these keys to verify the authenticity of the packages.

Why Do GPG Keys Expire?

GPG keys have an expiration date as a security measure. Here’s why:

  1. Security Enhancements: Over time, cryptographic algorithms can become vulnerable as computing power increases and new vulnerabilities are discovered. Expiration dates ensure that keys are periodically replaced with newer, more secure ones.
  2. Key Compromise: If a key is compromised (i.e., unauthorized parties gain access to it), having an expiration date limits the duration of potential misuse.
  3. Administrative Control: Expiration dates enforce good key management practices, requiring administrators to periodically review and update their keys. This helps in maintaining the overall security of the system.

When a GPG key expires, the system will no longer trust the signatures created with that key. This is why you might see errors during package updates until the key is replaced with a new, valid one.

Solution: Update the GPG Key

Follow these easy steps to fix the GPG error:

  1. Open Terminal: Open your terminal. Whether you are working in a virtual machine or directly on the system, you should see a command prompt like this:
┌──(kali㉿vbox)-[~]
└─$

  2. Download the New Key: Type the following command and press Enter. This will download the new GPG key:

wget https://archive.kali.org/archive-key.asc

You should see a message that the key file has been saved successfully.

  3. Add the New Key to the Trusted Keyring: Type these commands one by one and press Enter after each. This will add the new key to the trusted keyring:
sudo mkdir -p /etc/apt/keyrings
sudo gpg --dearmor -o /etc/apt/keyrings/kali-archive-keyring.gpg archive-key.asc

The first command creates a directory for the keyring (if it doesn’t already exist). The second command converts the downloaded key from ASCII-armored text to binary form (--dearmor) and writes it to this directory.

  4. Update the Sources List: Open the file where your sources list is stored. Type this command and press Enter:
sudo nano /etc/apt/sources.list.d/kali.list

This opens the file in a text editor called nano.

  5. Edit the File: Look for a line that starts with deb. Add the [signed-by=...] option to that line so that it reads:
deb [signed-by=/etc/apt/keyrings/kali-archive-keyring.gpg] http://http.kali.org/kali kali-rolling main non-free contrib

Use the arrow keys to move the cursor. After you add the text, press Ctrl + O to save the file, and Ctrl + X to exit the text editor.

  6. Update Package Lists: Type this command and press Enter to update your package lists:
sudo apt update

Now, your system should update without any GPG errors!
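
A check worth running between downloading the key and adding it to the keyring: confirm that the file holds the key you expect and that the key has not itself expired. This is an added example, not part of the original post; check_key and sample_listing are hypothetical names, the listing is constructed (its fingerprint is zero-padded, not the real one), and the key ID is the one from the error message above.

```shell
#!/bin/sh
# Added example (not from the original post): vet a downloaded key before it
# goes into /etc/apt/keyrings. Reads `gpg --with-colons` output on stdin.
# Real use:
#   gpg --show-keys --with-colons archive-key.asc | check_key <fingerprint or 16-digit key ID>

# check_key EXPECTED [NOW]: succeed only if the listing holds exactly one
# primary key whose fingerprint ends in EXPECTED and which has not expired.
# NOW (epoch seconds) defaults to the current time. Hypothetical helper.
check_key() {
    expected=$1
    now=${2:-$(date +%s)}
    awk -F: -v want="$expected" -v now="$now" '
        $1 == "pub" { pubs++; expires = $7; prev = "pub"; next }
        # Only the fpr record directly after pub is the primary fingerprint;
        # later fpr records belong to subkeys.
        $1 == "fpr" { if (prev == "pub") fpr = toupper($10); prev = "fpr"; next }
        { prev = $1 }
        END {
            want = toupper(want)
            if (pubs != 1) { print "REJECT: expected 1 primary key, found " (pubs + 0); exit 1 }
            tail = substr(fpr, length(fpr) - length(want) + 1)
            if (length(want) < 16 || tail != want) { print "REJECT: fingerprint " fpr " does not match " want; exit 1 }
            if (expires != "" && expires + 0 <= now + 0) { print "REJECT: key expired at " expires; exit 1 }
            print "OK: " fpr " valid"
        }'
}

# Constructed colon-format listing: zero-padded fingerprint, made-up dates
# (created 1500000000, expires 1800000000) and a made-up subkey.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:ED444FF07D8D0BF6:1500000000:1800000000::-:::scSC::::::23::0:
fpr:::::::::000000000000000000000000ED444FF07D8D0BF6:
uid:-::::1500000000::0000000000000000000000000000000000000000::Kali Linux Repository <devel@kali.org>::::::::::0:
sub:-:4096:1:1111111111111111:1500000000:1800000000:::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
EOF
}

# Demo: key ID from the error message, clock fixed at 1700000000.
sample_listing | check_key ED444FF07D8D0BF6 1700000000
```

For a real check, pass the full 40-digit fingerprint obtained from a source other than the download itself; a 16-digit key ID is a weaker match.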

By following these steps, anyone should be able to fix the GPG key issue and securely update their Kali Linux packages.
