Ошибка gpg kali linux

Invalid signature for Kali Linux repositories : «The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository»

Note that if you haven’t updated your Kali installation in some time (tsk2), you will like receive a GPG error about the repository key being expired ( ED444FF07D8D0BF6 ). Fortunately, this issue is quickly resolved by running the following as root:

wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add 

The easiest solution is to retrieve the latest key and store it in place where apt will find it:

sudo wget https://archive.kali.org/archive-key.asc -O /etc/apt/trusted.gpg.d/kali-archive-keyring.asc 

In some cases (like when you install a distro on android, ex: rootfs . ), you can’t find wget and you can’t even install it ( apt install wget doesn’t work).

if this key cannot be ultimately trusted, please follow trog.qgl.org/20091030/… to trust it ultimately.

Download the key of the kali package repository with this command:

wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add 

This is built in. If you already use Kali’s repos, you don’t need to get it from an external source:

$ sudo apt install kali-archive-keyring 

I’m using a system that adds Kali to a Debian base, so I had to specify the release. You can check that as follows:

$ apt policy kali-archive-keyring Installed: 2015.2 Candidate: 2015.2 Version table: 2018.1 1 1 http://http.kali.org/kali kali-rolling/main amd64 Packages 1 http://http.kali.org/kali kali-rolling/main i386 Packages *** 2015.2 100 100 /var/lib/dpkg/status $ sudo apt install kali-archive-keyring/kali-rolling 

This way, you don’t have to blindly trust that you’re importing the right key in order to prevent a man-in-the-middle attack since the new key is signed by the old one within the repository.

Update: Here’s an /etc/apt/sources.list.d/kali.list and /etc/apt/preferences.d/kali-repos.pref, designed to be secondary to another distribution (like Debian), that’ll avoid this issue in the future.

If you don’t already have this repository and therefore can’t get this update, you have two choices:

1: Go to https://http.kali.org/kali/pool/main/k/kali-archive-keyring/, download the .deb file, and install it via dpkg -i kali-archive-keyring*.deb

2: Add it via the repository anyway (it’s «insecure» until you add it, though you’re at least protected by the HTTPS download in the prior step):

$ sudo apt update -oAcquire::AllowInsecureRepositories=true $ sudo apt install kali-archive-keyring Reading package lists. Done Building dependency tree Reading state information. Done The following NEW packages will be installed: kali-archive-keyring 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 7,008 B of archives. After this operation, 17.4 kB of additional space will be used. Do you want to continue? [Y/n] WARNING: The following packages cannot be authenticated! kali-archive-keyring Install these packages without verification? [y/N] y … 

You’re now synced with the first part of this answer. Consider using the kali.list and kali-repos.pref I linked there so you don’t repeat this problem.

Источник

Error in Kali Linux ‘The following signatures were invalid’ (SOLVED)

How to solve ‘An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error’ in Kali Linux

If you use the apt command, for example, to update package information, or if you install a new package, you can face with an error:

apt update Get:1 http://mirrors.dotsrc.org/kali kali-rolling InRelease [30.5 kB] Err:1 http://mirrors.dotsrc.org/kali kali-rolling InRelease The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository Reading package lists… Done Building dependency tree Reading state information… Done All packages are up to date. W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://mirrors.dotsrc.org/kali kali-rolling InRelease: The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository W: Failed to fetch http://http.kali.org/kali/dists/kali-rolling/InRelease  The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository W: Some index files failed to download. They have been ignored, or old ones used instead.

If this problem occurs, then to solve it, run the following command:

sudo apt-get -y install kali-archive-keyring

If the problem persists, then try the following commands:

wget 'https://archive.kali.org/archive-key.asc' cat archive-key.asc | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/kali.gpg --import sudo chmod 644 /etc/apt/trusted.gpg.d/kali.gpg

Reason and description of the problem

All packages that are installed into the system from official repositories have a cryptographic signature that ensures that the package was created by the official Kali Linux maintainer and that thereafter no changes were made to it.

To verify the packets, each user must have a public key. In case of changing keys for signing packages, it is also necessary to change the public key in user systems. Supporters of the Kali Linux distribution know in advance when keys need to be updated, so even before changing keys, a new public key is added to the user’s systems during the next update. Therefore, for users, changing keys, usually, runs smoothly and unnoticed.

Nevertheless, there are possible situations when the system has not been updated for a long time (i.e., it does not ‘know’ about the changed keys), and new packages in the official repositories have already been signed with a new key. In this situation, the above error occurs.

By the two commands that are given to solve the problem, we download the public key from the official Kali Linux website and add it to the system as a trusted one.

Then there’s even more theory about packet authentication.

Validating Package Authenticity

System upgrades are very sensitive operations and you really want to ensure that you only install official packages from the Kali repositories. If the Kali mirror you are using has been compromised, a computer cracker could try to add malicious code to an otherwise legitimate package. Such a package, if installed, could do anything the cracker designed it to do including disclose passwords or confidential information. To circumvent this risk, Kali provides a tamper-proof seal to guarantee — at install time — that a package really comes from its official maintainer and hasn’t been modified by a third party.

The seal works with a chain of cryptographic hashes and a signature. The signed file is the Release file, provided by the Kali mirrors. It contains a list of the Packages files (including their compressed forms, Packages.gz and Packages.xz, and the incremental versions), along with their MD5, SHA1, and SHA256 hashes, which ensures that the files haven’t been tampered with. These Packages files contain a list of the Debian packages available on the mirror along with their hashes, which ensures in turn that the contents of the packages themselves haven’t been altered either.

The trusted keys are managed with the apt-key command found in the apt package. This program maintains a keyring of GnuPG public keys, which are used to verify signatures in the Release.gpg files available on the mirrors. It can be used to add new keys manually (when non-official mirrors are needed). Generally however, only the official Kali keys are needed. These keys are automatically kept up-to-date by the kali-archive-keyring package (which puts the corresponding keyrings in /etc/apt/trusted.gpg.d). However, the first installation of this particular package requires caution: even if the package is signed like any other, the signature cannot be verified externally. Cautious administrators should therefore check the fingerprints of imported keys before trusting them to install new packages:

Источник

Ошибка gpg kali linux

Ошибка выглядит приблизительно так:
root@kali:~# sudo apt-get update
Игн:1 http://dl.google.com/linux/chrome/deb stable InRelease
Сущ:2 http://dl.google.com/linux/chrome/deb stable Release
Пол:4 http://kali.mirror.garr.it/mirrors/kali kali-rolling InRelease [30,5 kB]
Ошк:4 http://kali.mirror.garr.it/mirrors/kali kali-rolling InRelease
Следующие подписи неверные: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository
Чтение списков пакетов… Готово
W: Произошла ошибка при проверке подписи. Репозиторий не обновлён и будут использованы предыдущие индексные файлы. Ошибка GPG: http://kali.mirror.garr.it/mirrors/kali kali-rolling InRelease: Следующие подписи неверные: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository
W: Не удалось получить http://http.kali.org/kali/dists/kali-rolling/InRelease Следующие подписи неверные: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository
W: Некоторые индексные файлы не скачались. Они были проигнорированы или вместо них были использованы старые версии.

Windows build number: Microsoft Windows [Version 10.0.21332.1010] Your Distribution version: Kali GNU/Linux Rolling 2019.2 (recently installed). Whether the issue is on WSL 2 and/or WSL 1: Linux version 5.4.72-microsoft-standard-WSL2 (oe-user@oe-host) (gcc version 8.2.0 (GCC)) #1 SMP Wed Oct 28 23:40:43 UTC 2020 

Get:1 http://kali.download/kali kali-rolling InRelease [30.5 kB] Err:1 http://kali.download/kali kali-rolling InRelease The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository Fetched 30.5 kB in 1s (32.3 kB/s) Reading package lists. Done Building dependency tree Reading state information. Done All packages are up to date. W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://kali.download/kali kali-rolling InRelease: The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository W: Failed to fetch http://http.kali.org/kali/dists/kali-rolling/InRelease The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository W: Some index files failed to download. They have been ignored, or old ones used instead.