The following signatures were invalid: EXPKEYSIG F8F2C31744774B28 Mattermost Build <dev-ops@mattermost.com>

can’t sudo apt update mattermost.

Get:5 https://deb.packages.mattermost.com jammy InRelease [3956 B]
Err:5 https://deb.packages.mattermost.com jammy InRelease
  The following signatures were invalid: EXPKEYSIG F8F2C31744774B28 Mattermost Build <dev-ops@mattermost.com>
Fetched 3956 B in 2s (2469 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://deb.packages.mattermost.com jammy InRelease: The following signatures were invalid: EXPKEYSIG F8F2C31744774B28 Mattermost Build <dev-ops@mattermost.com>
W: Failed to fetch https://deb.packages.mattermost.com/dists/jammy/InRelease  The following signatures were invalid: EXPKEYSIG F8F2C31744774B28 Mattermost Build <dev-ops@mattermost.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

How to fix this please?

I just went through this. I found two different documents. Here are the steps I did from my history:

sudo rm /usr/share/keyrings/mattermost-archive-keyring.gpg

curl -o- https://deb.packages.mattermost.com/repo-setup.sh | sudo bash -s mattermost

sudo rm /etc/apt/sources.list.d/mattermost_stable.list
sudo rm /etc/apt/trusted.gpg.d/mattermost.gpg

(as root) sudo curl -s https://deb.packages.mattermost.com/pubkey.gpg | gpg --dearmor > /usr/share/keyrings/mattermost-archive-keyring.gpg

(as root) echo "deb [signed-by=/usr/share/keyrings/mattermost-archive-keyring.gpg] https://deb.packages.mattermost.com stable main" > /etc/apt/sources.list.d/mattermost.list```
1 Like

however.

  1. why does mattermostmost keep this key in /usr/share/keyrings/mattermost-archive-keyring.gpg instead of /etc/apt/trusted.gpg.d/ folder?
  2. does anything else besides apt use this keyring? (as for apt the gpg --dearmor is totally unnecessary step there. apt can use ascii key files for repo signatures just as well.)
  3. But why not just use deb https://deb.packages.mattermost.com jammy main in mattermost.list? seems to work fine… for sudo apt update at least.

anyway, thanks for help and inspired by this, on my case just as normal, non-root user…

curl -s https://deb.packages.mattermost.com/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/mattermost-archive-keyring.gpg

…was enough, to fix this. To overwrite original, old, already existing expired key. Repos and everything else was already in place.