Page MenuHomePhabricator

debian signing keyid E84AFDD2 has expired
Closed, ResolvedPublic


When running apt-get update:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: jessie-mediawiki InRelease: The following signatures were invalid: KEYEXPIRED 1469117939  KEYEXPIRED 1469117939  KEYEXPIRED 1469117939
W: Failed to fetch  The following signatures were invalid: KEYEXPIRED 1469117939  KEYEXPIRED 1469117939  KEYEXPIRED 1469117939

Our wiki says sudo apt-key advanced --keyserver --recv-keys 664C383A3566A3481B942F007A322AC6E84AFDD2 which fetches keyid E84AFDD2 which hasn't been updated recently and expired July 21:

$ sudo apt-key advanced --list-sigs E84AFDD2
pub   2048R/E84AFDD2 2014-07-22 [expired: 2016-07-21]
uid                  MediaWiki releases repository <>
 sig 3        E84AFDD2 2014-07-22  MediaWiki releases repository <>

There have been complains from users:

Setting a key expiry time is good security practice. It just requires access to the private key to update. See

And then the updated key needs to be re-uploaded to

Event Timeline

Adding Filippo because it looks like he created it:

Date: Tue Jul 22 16:22:56 2014 +0000
From: git@palladium.eqiad.wmnet
Subject: [Ops] [puppet-private] (eb244a4) filippo: add releases debian repository keyring

initial key (could be changed before general availability)

pub   2048R/E84AFDD2 2014-07-22 [expires: 2016-07-21]
      Key fingerprint = 664C 383A 3566 A348 1B94  2F00 7A32 2AC6 E84A FDD2
uid                  MediaWiki releases repository <>
sub   2048R/C91579E3 2014-07-22 [expires: 2016-07-21]

A       files/releases/secring.gpg

We should probably update (or add a new page and link to it from [[]]) after we figure out who knows what/should do what when this happens again :)

Dzahn triaged this task as High priority.Jul 27 2016, 2:33 AM

sigh, thanks for letting us know! Looks like a good occasion to switch to 4k pgp key too, I'm going to generate a new one and post the details + instructions

Change 301346 had a related patch set uploaded (by Filippo Giunchedi):
releases: update public keyring

Change 301346 merged by Filippo Giunchedi:
releases: update public keyring

the new key is this:

pub   4096R/22250DD7 2016-07-27 [expires: 2019-06-12]
      Key fingerprint = A6FD 76E2 A61C 5566 D196  D2C0 90E9 F83F 2225 0DD7
uid                  MediaWiki releases repository <>

I've also updated the instructions on wikitech/parsoid and added a reminder to ops calendar, do you know where else the key might need to be updated?

fgiunchedi claimed this task.

resolving, key updated on wikitech/