New FydeOS Help is now live! This page is for archiving purposes only. The content won't be updated and maintained.

Solution to GPG error when updating packages in Linux (beta)

Error

When executing sudo apt-get update in the Linux subsystem of FydeOS, you may encounter an error message similar to the following:

W: GPG error: https://deb-mirror.fydeos.com/cros-packages/79 buster Release: The following signatures were invalid: EXPKEYSIG 6494C6D6997C215E Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
...
Updating from such a repository can't be done securely, and is therefore disabled by default.

This error prevents the Linux subsystem from updating packages through this source.

Reason

The source used in FydeOS’s Linux subsystem is https://deb-mirror.fydeos.com/cros-packages, this source is the official Google source https://storage.googleapis.com/cros-packages mirror address. The reason for the above error is that Google recently experienced a problem in the process of replacing the key, which caused apt to fail to verify the signature of each package in the source, so the above error will also occur when using Google’s source.

For details of the bug, see Issue 1045292: crostini signing keys expired.

Solution

It can be solved by updating the public key used for verification, or skipping verification.

Update public key

The first method you should try is to update the public key, so that the process of verifying the package signature goes smoothly.

Run this command to update the public key:

sudo apt-key adv --refresh-keys --keyserver keyserver.ubuntu.com

After the command is executed successfully, try sudo apt-get update again.

Skip verification

If the above apt-key command fails to execute, or after successful execution, sudo apt-get update still shows GPG error, you can try to modify file /etc/apt/sources.list.d/cros.list with root permissions (sudo) in the Linux subsystem, add [trusted = yes] in front of the FydeOS source address, the specific change is (omitting the version number and other content in the second half of the URL):

deb https://deb-mirror.fydeos.com/cros-packages/......

Change into:

deb [trusted=yes] https://deb-mirror.fydeos.com/cros-packages/......

After this change, you will still see a GPG error when sudo apt-get update, but this source will not be disabled, and you can still update the package from this source.